As we approach 2020, cybersecurity and critical infrastructure protection are changing. Expectations are rising and obligations becoming more onerous. Here are a few key issues to watch and some lessons learned from my work with Boards, CISOs and General Counsel.
For organizations to stay ahead, CIOs and CISOs need to be proactive in determining their organizations’ dependencies and promoting risk management at the highest levels.
Security is focusing on critical functions rather than sectors
Nowhere are dependencies more fluid and fragile than in your information and communications technology environments. Who are your key vendors and customers? How do they touch your networks and data? How are your systems connected or integrated? What partners do you rely on for utilities, technology, and personnel? What failures would cripple your operations or leave your customers in the lurch? Are the right contractual provisions in place? Answers to these questions change all the time.
The federal government is moving the conversation from a focus on sixteen critical infrastructure sectors toward what it calls National Critical Functions. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and its National Risk Management Center (NRMC) are providing “a risk management lens that focuses less on a static, sector-specific or asset world view, and instead focuses on the functions an entity contributes to or enables.”
National critical functions are those of the government and private sector that “are so vital … that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety.” DHS grouped the functions it identified into four areas: CONNECT, DISTRIBUTE, MANAGE, and SUPPLY. These broad categories encompass a variety of organizations, from telecom companies and internet providers to energy producers and equipment manufacturers to consumer banking—and everyone that supports them.
The bar is being raised, with a focus on supply chains, software, and vendors
Several trends emerge from government activity, with predictable impacts on CIOs and CISOs.
Supply chain country of origin. The United States government has made it clear that it has deep reservations about Chinese-sourced IT hardware, software and services. This puts the onus on companies to consider the medium- to long-term risks of their equipment, software, and relationships. Organizations should track what they have and where it comes from. Long term investments and technology partnerships need to account for geopolitical risks.
Software development practices. The private sector and government are increasingly focused on the integrity and sourcing of key software. As a Department of Commerce draft report explains, “Software permeates banking, healthcare, utilities, emergency services, national defense, government systems, and the like. The software includes operating systems, firmware, and embedded systems within our gadgets, devices, IoT, and other machines. And … software has a supply chain that may need to be understood and managed by an organization dependent on that software.” Some see a software bill of materials (SBOM), a machine-readable inventory of the components that make up a piece of software, as the best way to increase transparency about software, to help identify vulnerabilities, and to shift the market away from less secure practices and suppliers. An SBOM may shed light on the composition and provenance of key software, but it also imposes a burden on CIOs and CISOs, who must map the inventory to their systems and keep it current.
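To make the SBOM and country-of-origin points concrete, the following is an added example and not code from the article or from any vendor’s or project’s tooling. It walks a small CycloneDX-style SBOM (the real CycloneDX JSON field names `metadata.component`, `components`, `bom-ref`, `supplier.name`, `dependencies` and `dependsOn` are used, but the product, component names, versions and suppliers are all invented), resolves which components actually reach the product, and reports three things a CIO would want from an SBOM: components at a vulnerable version with the dependency path that pulls them in, components from a watched supplier, and inventory gaps (components listed but unreachable, or referenced but never declared). The vulnerable-version list and the watched-supplier list are constructed inputs, standing in for whatever advisory feed or vendor-risk list an organization maintains.

```python
"""Triage a CycloneDX-style SBOM: reachability, vulnerable versions, watched suppliers.

Added illustration; the SBOM below is constructed and every name in it is invented.
"""
from collections import deque

# Constructed SBOM for an imaginary product. Trimmed to the CycloneDX fields
# this example needs; real SBOMs carry hashes, licenses, purls and more.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:npm/web-framework@4.1.0", "type": "library", "name": "web-framework",
         "version": "4.1.0", "supplier": {"name": "Example OSS Foundation"}},
        {"bom-ref": "pkg:npm/json-parse@1.2.3", "type": "library", "name": "json-parse",
         "version": "1.2.3", "supplier": {"name": "Example OSS Foundation"}},
        {"bom-ref": "pkg:npm/logger@3.0.1", "type": "library", "name": "logger",
         "version": "3.0.1", "supplier": {"name": "Solo Maintainer"}},
        {"bom-ref": "pkg:generic/crypto-accel@0.9", "type": "firmware", "name": "crypto-accel",
         "version": "0.9", "supplier": {"name": "Acme Devices Ltd"}},
        # Declared but never depended on (e.g. a build-time tool left in the inventory).
        {"bom-ref": "pkg:npm/unused-lib@1.0.0", "type": "library", "name": "unused-lib",
         "version": "1.0.0", "supplier": {"name": "Example OSS Foundation"}},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.1.0", "pkg:generic/crypto-accel@0.9"]},
        {"ref": "pkg:npm/web-framework@4.1.0",
         "dependsOn": ["pkg:npm/json-parse@1.2.3", "pkg:npm/logger@3.0.1"]},
        # logger and json-parse depend on each other: a cycle the walk must tolerate.
        {"ref": "pkg:npm/logger@3.0.1", "dependsOn": ["pkg:npm/json-parse@1.2.3"]},
        {"ref": "pkg:npm/json-parse@1.2.3", "dependsOn": ["pkg:npm/logger@3.0.1"]},
        # Firmware pulls in a blob the SBOM never declares as a component.
        {"ref": "pkg:generic/crypto-accel@0.9", "dependsOn": ["pkg:generic/vendor-blob@1"]},
    ],
}

# Constructed inputs: an internal "known bad versions" list and a supplier watch list.
VULNERABLE_VERSIONS = {"json-parse": {"1.2.3", "1.2.4"}}
WATCHED_SUPPLIERS = {"Acme Devices Ltd"}


def index_components(sbom):
    """Map bom-ref -> component, including the product described in metadata."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom.get("metadata", {}).get("component")
    if root:
        comps[root["bom-ref"]] = root
    return comps


def reachability(sbom, root_ref):
    """Breadth-first walk from the product; returns {ref: shortest path from root}.

    The visited set (the keys of `paths`) makes cycles harmless, and refs that
    appear only in `dependencies` are still recorded so gaps can be reported.
    """
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    paths = {root_ref: [root_ref]}
    queue = deque([root_ref])
    while queue:
        cur = queue.popleft()
        for child in graph.get(cur, []):
            if child not in paths:
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def triage(sbom, vulnerable, watched_suppliers):
    """Return findings keyed by category; each hit carries the path that pulls it in."""
    comps = index_components(sbom)
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    paths = reachability(sbom, root_ref)
    findings = {"vulnerable": [], "supplier": [], "unreachable": [], "dangling": []}
    for ref, comp in comps.items():
        if ref == root_ref:
            continue
        path = paths.get(ref)
        if path is None:  # in the inventory, but nothing in the product uses it
            findings["unreachable"].append(ref)
            continue
        chain = " -> ".join(path)
        if comp.get("version") in vulnerable.get(comp.get("name"), set()):
            findings["vulnerable"].append({"ref": ref, "path": chain})
        supplier = comp.get("supplier", {}).get("name", "UNKNOWN")
        if supplier in watched_suppliers:
            findings["supplier"].append({"ref": ref, "supplier": supplier, "path": chain})
    # Referenced by the dependency graph but never declared: the SBOM is incomplete there.
    findings["dangling"] = sorted(r for r in paths if r not in comps)
    findings["unreachable"].sort()
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_SBOM, VULNERABLE_VERSIONS, WATCHED_SUPPLIERS).items():
        print(category, hits)
```

The point of carrying the dependency path is operational: "json-parse 1.2.3 is vulnerable" is a fact about the inventory, while "billing-portal reaches it through web-framework" tells the CISO which team owns the fix. The two gap categories are the burden the paragraph warns about: an SBOM is only as useful as its completeness, so a triage that silently ignores undeclared or orphaned entries overstates the coverage it gives.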
Increased scrutiny of vendor relationships. Organizations should be on notice that regulators and investors are interested in how they manage vendor security risks. NIST’s seminal Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, added an entire Supply Chain Risk Management Category. New York State Department of Financial Services’ (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires financial services institutions regulated by NYDFS to explicitly address the cybersecurity risks posed by third-party service providers. The Federal Trade Commission advises organizations to include security provisions in vendor contracts, verify compliance, and work with vendors to keep security practices up to date. Organizations have to grapple with their vendors’ security posture. This can require tough decisions, including migration away from long term suppliers.
What does this mean for companies?
It is no longer enough to look at whether your organization is in one of the identified critical infrastructure sectors or is directly regulated by sector specific regulations like HIPAA, GLBA or the Federal Acquisition Regulation.
The government at the federal and state level expects companies to understand cross-cutting risks and dependencies. This means knowing where you sit in supply chains and how you interact with vendors and customers.
Regulators also expect companies to understand how their security—or lack thereof—can affect third parties. Failing to deploy updates or selling connected devices with weak security affects third parties, for example by enabling DDoS attacks. As a result, the government expects companies to understand key vendors, suppliers, and customers. They want security and privacy by design. Regulators expect contingency planning and a focus on resilience. And they want responsible disclosures of vulnerabilities in products and services.
We have helped Boards of Directors, CISOs, and General Counsel consider their roles in managing security risks to their infrastructure and networks. Companies’ senior management and Boards of Directors are responsible for cyber and infrastructure protection. This work has been eye-opening and equal parts encouraging and concerning. We see an array of maturity levels and different challenges. Inside many organizations, there are too many egos, too many overlapping functions, or too few accountable leaders. Turf wars, duplicative policies, or legacy operations can delay needed decisions, leaving an organization exposed to unnecessary risk.
CIOs and CISOs can drive management action
When it comes to cyber, trust is critical. By this I mean two kinds of trust. Internal trust is trust among the personnel who have to set policy, conduct risk assessments, and manage incidents. External trust is the trust that an organization should want to have with customers, investors, insurers, and government, as well as with peer companies who face the same threats. For the government’s vision of “collective defense” to become a reality, organizations have to cultivate both.
CIOs and CISOs can help their organizations build trust in several ways.
• Model a culture of accountability. Take ownership over what is yours, and don’t let executives shy away from hard questions or assume someone else is handling something.
• Identify gaps or areas of concern and offer actionable recommendations that decision-makers can act on.
• Be proactive in identifying and addressing supply chain risk.
• Consider how your organization will manage software security and lifecycle management.
• Create alliances with senior lawyers in your organization. Lawyers are often in the middle of organizational risk management and compliance; they can help advocate across IT, finance, HR, and corporate concerns.
• Stay ahead of regulatory expectations in your sector and those of key customers or vendors.
• Educate senior leadership about the importance of security basics, like tested backups, timely updates, application whitelisting, least privilege, and multifactor authentication.
The private sector sometimes struggles to find actionable advice on the security of networks and key infrastructure. There is an enormous amount of activity ongoing across the government, which is difficult to keep up with. CIOs and CISOs can create a culture of proactivity and trust to stay ahead of shifting expectations.