Cybersecurity expectations are vague, and that has to change if there is any chance of approaching a reasonable amount of cybersecurity.
An IT axiom, “Do you know where your data is?” has been eclipsed by something more accountable: “Is your data reasonably secure?” That’s what companies have to determine to protect themselves in the event of a cybersecurity attack.
“With data breaches making daily headlines and hackers developing innovative methods to penetrate cyber defenses, businesses must contemplate what ‘reasonable-security’ posture to implement for when—not if—a threat occurs,” said Rick Lazio, former member of the US House of Representatives and senior vice president of Alliantgroup, and Mike Davis, CISO of Alliantgroup, in their article Cybersecurity Risk: What does a ‘reasonable’ posture entail and who says so? in CIO Dive.
Laws are in place, but …
Lazio and Davis said lawmakers and regulators are responding to the escalating number of cyberattacks by requiring businesses to meet certain cybersecurity standards to achieve reasonable security. However, “Without a defined, coherent standard to use as a reference, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations.”
Since cybersecurity and its regulation are moving targets, companies tend to copy what other organizations are doing to secure digital assets, hoping it will be seen as good enough. Lazio and Davis have real concerns about this approach, adding, “With data-breach litigation increasing, this practice is nothing short of risky as businesses are allowing a judge or jury to determine the reasonableness of its cybersecurity risk posture after an incident has occurred.”
The two authors cite the 2017 Equifax data breach as an example of why this approach is a bad idea. After the dust settled, shareholders sued the credit-reporting agency, alleging that fraud was committed in connection with the data breach—specifically that company officials made multiple false or inaccurate statements regarding:
- Vulnerability of its internal systems to cyberattack;
- compliance with data-protection laws and cybersecurity best practices; and
- alleged statements about regular reviews and updates to the company’s cybersecurity platform.
“The judge in the Equifax case found the allegations to be credible and denied Equifax’s motion to dismiss the ruling,” Lazio and Davis said. “The judge ruled that the case must go forward to take a deeper look into the cybersecurity measures that were in place at the time of the breach.”
The point Lazio and Davis are trying to make is that responsible company officials must ensure that the security measures they publicly claim to have are the ones actually in place.
Find out what reasonable cybersecurity is
Lazio and Davis suggest a good place to start is determining what would be considered a lack of reasonable security. “This approach makes it easier for an organization to map data-security protection efforts (including privacy and resources) to a known framework.”
A good first step, they said, is to use the Center for Internet Security’s Critical Security Controls as the authoritative source. “One just needs to map the definition of ‘reasonable’ to any of 20 specifications to attest to its validity and utility.”
The Center for Internet Security’s Critical Security Controls is a recommended set of actions for cyber defense that provides specific ways to stop attacks. From the website: “A principal benefit of the Controls is that they prioritize and focus on a smaller number of actions with high pay-off results.”
Lazio and Davis said the Center for Internet Security’s Critical Security Controls offers a two-for-one benefit:
- A recognized authoritative source to map your security environment and quantify risks; and
- a recognized methodology and approach to demonstrate and provide a reasonable and defensible security posture.
Using the Center for Internet Security’s Critical Security Controls also helps simplify the selection of a risk framework needed to assess the company’s IT environment, determine gaps, and propose solutions.
Lazio and Davis suggest the following National Institute of Standards and Technology (NIST) frameworks:
- Risk-Management Framework: A source for Enterprise Risk Management that integrates security and risk-management activities into the system-development life cycle. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws or regulations.
- Cyber-Security Framework: A set of standards, guidelines, and best practices to help organizations manage and reduce their cybersecurity risks in a way that complements existing cybersecurity and risk-management processes.
Lazio and Davis believe there’s a lot to like about the Center for Internet Security’s Critical Security Controls. From the start, the controls are definitive and actionable, providing a healthy cybersecurity risk posture.
Something else upper management will like is the support the Critical Security Controls provides during conflict resolution. Lazio and Davis concluded, “Implementing the CIS CSC will show due care in any conflict venue by demonstrating the organization is practicing cyber due diligence, even without a fully minimized risk posture.”