Executive orders range in impact from the mundane to the definitional for our society. For example, in 1933 EO 6420B established the Civil Works Administration, a New Deal program that created about 4 million government jobs and served as bedrock for the country's recovery from the Great Depression. Today in cybersecurity we face a crisis of similar proportions in the security of our critical infrastructure.
During the Depression, U.S. GDP fell 29% from 1929 to 1933, about $300 billion in today's dollars. By comparison, some analysts have pegged global annual cybercrime losses at $10.5 trillion by 2025. Even if we fall well short of that figure, we are dealing with a problem on the scale of a global depression, one that is largely written off today as a transaction cost of doing business online. Recognizing the scale and scope of this problem, the White House issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in 2013, directing NIST, part of the U.S. Department of Commerce, to build what amounted to a "Cyber New Deal."
EO 13636 changed the way private entities view cyber risk by directing NIST to create a risk-based Cybersecurity Framework, which pivoted thinking about cyber threats from a purely technical focus to a risk management lens. The Framework built on earlier efforts to harmonize regulations and establish information sharing to identify rising threats to critical infrastructure. It was the first national-level effort to drive a risk-based approach to cybersecurity, and it continues to serve as the de facto investment guide for organizations from small businesses to Fortune 500 companies.
The Framework's impact on the cybersecurity industry has been dramatic. Since its launch, in an echo of the New Deal, the cybersecurity workforce grew by around 350%, or 2.5 million people, between 2013 and 2021. At its five-year anniversary the NIST Cybersecurity Framework had been downloaded more than half a million times, and today it is available in nine languages. But as threats have evolved since 2013, so has thinking on how organizations should manage cyber risk.
Today, amid a continually growing ransomware epidemic, organizations are learning that technical security controls alone do not prevent costly cyber incidents. No part of the NIST Framework helps quantify how much value-at-risk IT defenses leave exposed, filters the noise of non-critical threat alerts, or advises a CEO on how to handle an extortion demand. This is where the Framework must evolve to meet the reality that cyber risk is a team sport extending beyond the responsibility of the CISO. Cybersecurity remains critical, but it is no longer sufficient. We must now begin thinking about how to build Cyber Resilience.
Cyber Resilience is rooted in bridging the organizational silos of finance, risk management and IT security so that the business can keep delivering value to customers even during a cyber incident. It requires thinking beyond the CISO's domain of cybersecurity and takes a more holistic approach to managing cyber risk. If this sounds hard, it is. Today the CFO and Risk Manager are far more focused on revenue growth and on physical-world risks such as property destruction or loss of goods. But with spending on digital transformation exceeding half a trillion dollars in 2023, every organization is becoming an IT company, and digital risk now underlies the majority of business risk.
With this need to rethink how cyber risk is managed in mind, Resilience recently shared the following perspective with NIST, within the Department of Commerce, in response to its request for comment on the next version of the Cybersecurity Framework. Working with our clients, we have learned to build Cyber Resilience by connecting advanced cybersecurity visibility and actionable cyber hygiene to an organization's financial risk transfer (insurance). This holistic approach brings multiple stakeholders into cyber defense efforts and helps enterprises optimize their security control investments.
We broke our recommendations to NIST into three core areas: cyber risk quantification and prioritization, cyber threat visibility, and cyber risk transfer. Synchronizing these three areas drives teams to discuss their most critical risks and to plan more realistic budgets for security and insurance. Uniting them helps companies prepare to take a digital hit without a costly impact to the bottom line. Our guidance to NIST on each area follows:
Cyber Risk Quantification & Prioritization:
Version 1.1 of the Framework begins with identifying cybersecurity risks to an organization's systems, people, assets, data and capabilities. Resilience has found that this process is significantly enhanced by quantitative modeling of the probability that realistic cyber incident scenarios impair an organization's ability to operate. Instead of jumping straight to a discussion of assets, organizations should start by aligning on key business objectives and identifying which cyber incident scenarios would disrupt operations most. Once all executive stakeholders understand and agree on those scenarios, the organization can identify the systems, people, assets, data and capabilities that drive, or are impacted by, each scenario.
Once an organization understands its systems, people, assets, data and capabilities, it can build quantitative models of how investments in controls affect operations. Quantitative analysis forecasts not only value-at-risk but also the cost and effectiveness of controls in limiting losses, and that understanding drives prioritization of the security controls discussed throughout the Framework. Quantification and prioritization should be the first step in applying the Framework and deserve significantly greater exploration by NIST.
Cyber Threat Visibility:
Technical visibility into threats is a foundational goal of any cyber defense effort. Understanding an organization's ability to identify and manage new and existing vulnerabilities is critical to limiting the attack surface available to adversaries seeking access to critical systems. However, as digital footprints have expanded to SaaS vendors and to the digital dependencies of upstream and downstream supply chains, routinely checking every "door and lock" has become a Sisyphean task.
As with other aspects of Cyber Resilience, organizations, and the security vendors supporting them, need to prioritize threats and vulnerabilities by their actual risk to business operations. That means limiting what is deemed critical enough to warrant investigation to what matters in the context of overall risk. When Resilience sends threat notifications, we apply a simple three-part test. Every notification to a client must be all of the following:
- Critical: the vulnerability must be severe enough that it could lead to direct access to, or control of, the client's environment.
  - Example: a remote code execution (RCE) vulnerability that provides access to operationally critical systems.
- Relevant: the threat must be relevant to the client's infrastructure or industry.
  - Example: a vulnerability present in the client's deployed IT infrastructure, or common across its region, industry or organization size.
- Actionable: the outreach must come with remediation guidance specific enough to enable independent action.
  - Example: the vulnerability sits in commonly used infrastructure and can be fixed with a vendor update delivered through a trusted distribution channel.
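To make the three-part test concrete, here is an added example (illustrative code, not Resilience's own notification tooling) that applies the Critical, Relevant and Actionable gates to a constructed advisory feed against a constructed client inventory. The product names, versions, sector tags and advisory labels are hypothetical, not real CVEs, and the impact and exploitability fields stand in for whatever enrichment a real feed provides.

```python
"""Three-part notification test (Critical, Relevant, Actionable) over a vulnerability feed.
Added illustrative code, not Resilience's tooling; inventory and advisories are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.2.1' -> (9, 2, 1); tuples order correctly where plain strings would not."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Asset:
    product: str
    version: str
    operationally_critical: bool


@dataclass
class Advisory:
    ident: str                        # constructed label, not a real CVE
    product: str
    impact: str                       # "rce", "auth_bypass", "dos", "info_leak"
    remote: bool                      # exploitable over the network
    fixed_in: Optional[str]           # first non-vulnerable version; None if no vendor fix yet
    industries: List[str]             # sectors where the product is widespread
    mitigation: Optional[str] = None  # vendor workaround when no patch exists


@dataclass
class Client:
    industry: str
    assets: List[Asset]


def affected_assets(adv: Advisory, client: Client) -> List[Asset]:
    """Deployed instances still on a vulnerable version (every version if nothing is fixed)."""
    hits = []
    for asset in client.assets:
        if asset.product != adv.product:
            continue
        if adv.fixed_in is None or parse_version(asset.version) < parse_version(adv.fixed_in):
            hits.append(asset)
    return hits


def triage(adv: Advisory, client: Client) -> Dict[str, object]:
    """Notify only when all three gates pass; otherwise report which gates failed."""
    hits = affected_assets(adv, client)
    # Critical: the flaw can hand an attacker direct access to, or control of, the environment.
    critical = adv.impact in {"rce", "auth_bypass"} and adv.remote
    # Relevant: the product is deployed on a vulnerable version, or is common in the client's sector.
    relevant = bool(hits) or client.industry in adv.industries
    # Actionable: a vendor fix or a concrete workaround exists to hand to the client.
    actionable = adv.fixed_in is not None or adv.mitigation is not None
    failed = [name for name, ok in (("critical", critical), ("relevant", relevant),
                                    ("actionable", actionable)) if not ok]
    # A confirmed-vulnerable, operationally critical asset escalates the outreach.
    priority = "P1" if any(a.operationally_critical for a in hits) else "P2"
    return {"notify": not failed, "failed": failed,
            "priority": priority if not failed else None,
            "affected": [f"{a.product} {a.version}" for a in hits]}


def triage_feed(advisories: List[Advisory], client: Client) -> Dict[str, Dict[str, object]]:
    return {adv.ident: triage(adv, client) for adv in advisories}


# Constructed client inventory and advisory feed (hypothetical products and labels).
CLIENT = Client(industry="healthcare", assets=[
    Asset("vpn-gateway", "9.1.4", operationally_critical=True),
    Asset("wiki-server", "3.5.2", operationally_critical=False),
])

FEED = [
    Advisory("ADV-1", "vpn-gateway", "rce", True, "9.2.1", ["healthcare", "finance"]),
    Advisory("ADV-2", "wiki-server", "rce", True, "3.4.0", ["education"]),        # already patched, other sector
    Advisory("ADV-3", "vpn-gateway", "dos", True, None, ["healthcare"]),           # not critical, no fix yet
    Advisory("ADV-4", "hr-portal", "auth_bypass", True, "2.0.9", ["healthcare"]),  # not deployed, common in sector
    Advisory("ADV-5", "vpn-gateway", "rce", True, None, ["healthcare"],
             mitigation="disable the web management interface until a patch ships"),
]

if __name__ == "__main__":
    for ident, result in triage_feed(FEED, CLIENT).items():
        print(ident, "NOTIFY" if result["notify"] else "SUPPRESS", result)
```

Note that ADV-3 is suppressed twice over: a denial-of-service flaw does not meet the Critical bar, and with neither a fix nor a workaround there is nothing actionable to send. ADV-5 shows the opposite case, where an unpatched RCE still clears the Actionable gate because a concrete vendor mitigation exists.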
Cyber Risk Transfer:
A Cyber Resilience approach to managing cyber risk requires handling every risk treatment option holistically, not mitigation alone. Yet security practitioners often overlook risk transfer products, such as insurance, as a tool for addressing cyber risk. We believe NIST has an opportunity to correct this and drive a better understanding of how to transfer cyber risk alongside mitigation strategies.
A critical component of holistic cyber risk management is collaboration within the organization on its risk tolerance and on the financial risk transfer available to it. Managing cyber risk adequately means deciding which risks are acceptable as they are, which require mitigation, and which are best transferred through insurance. Emphasizing the role of risk transfer, and the collaboration among security, finance and risk management, supports NIST's approach of analyzing cyber risk holistically. In many cases the risk transfer product itself encourages organizations to pursue operational and technological improvements to meet insurance requirements. Resilience believes this balance between risk identification, mitigation and transfer deserves significant attention in NIST's future analysis.
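As an added worked example serving both the quantification section and the risk transfer section above (illustrative code, not Resilience's model), the following simulates annual losses for a few executive-agreed incident scenarios using a FAIR-style shape (Poisson event frequency, lognormal loss magnitude), computes expected annual loss and 95% value-at-risk, and then compares four treatments of the same risk: accept it, fund a control that cuts event frequency, buy a policy with an aggregate retention and limit, or do both. It picks the cheapest treatment whose retained VaR stays within a stated tolerance. All scenario rates, loss medians, control effects, policy terms and the tolerance figure are constructed assumptions.

```python
"""Scenario-based cyber risk quantification, control comparison and risk transfer.
Added illustrative code, not Resilience's model; every figure below is a constructed assumption."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Scenario:
    name: str
    annual_rate: float   # expected events per year (Poisson lambda)
    loss_median: float   # median loss per event, USD
    loss_sigma: float    # lognormal shape; larger means a fatter tail

def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's inverse-transform Poisson sampler (stdlib only, no numpy needed)."""
    if lam <= 0:
        return 0
    threshold, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1

def simulate_annual_losses(scenarios: List[Scenario], years: int, seed: int = 7) -> List[float]:
    """One total loss per simulated year, summed over the events of every scenario."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(s.annual_rate, rng)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        annual.append(total)
    return annual

def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile for 0 < q <= 1; at q = 0.95 this is the 95% value-at-risk."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]

def apply_control(scenarios: List[Scenario], rate_factor: Dict[str, float]) -> List[Scenario]:
    """Model a control as a per-scenario reduction in event frequency (assumed effect sizes)."""
    return [Scenario(s.name, s.annual_rate * rate_factor.get(s.name, 1.0), s.loss_median, s.loss_sigma)
            for s in scenarios]

def retained_loss(gross: float, retention: float, limit: float) -> float:
    """Loss left with the insured after an annual aggregate retention and limit."""
    covered = min(max(gross - retention, 0.0), limit)
    return gross - covered

def evaluate(options: Dict[str, Tuple[float, List[float]]], tolerance_var95: float):
    """options: name -> (fixed annual cost, retained annual losses). Returns metrics per option
    and the cheapest option (fixed cost + expected retained loss) whose VaR95 fits the tolerance."""
    report = {}
    for name, (fixed, losses) in options.items():
        eal = sum(losses) / len(losses)
        var95 = percentile(losses, 0.95)
        report[name] = {"fixed_cost": fixed, "eal": eal, "var95": var95,
                        "total_expected_cost": fixed + eal,
                        "within_tolerance": var95 <= tolerance_var95}
    feasible = [n for n, m in report.items() if m["within_tolerance"]]
    chosen = min(feasible, key=lambda n: report[n]["total_expected_cost"]) if feasible else None
    return report, chosen

def run_example(years: int = 20_000):
    # Constructed scenarios, agreed with executives before any asset inventory is discussed.
    scenarios = [
        Scenario("ransomware", 0.25, 1_200_000, 1.0),
        Scenario("payment_fraud", 0.60, 150_000, 0.8),
        Scenario("data_breach", 0.10, 2_500_000, 1.2),
    ]
    control_cost = 400_000                                   # e.g. MFA plus EDR rollout, per year (assumed)
    rate_factor = {"ransomware": 0.4, "payment_fraud": 0.3, "data_breach": 0.7}
    retention, limit, premium = 250_000, 10_000_000, 180_000  # assumed policy terms
    tolerance_var95 = 2_000_000                              # assumed appetite for a 1-in-20 year
    gross = simulate_annual_losses(scenarios, years)
    mitigated = simulate_annual_losses(apply_control(scenarios, rate_factor), years)
    insured = lambda losses: [retained_loss(x, retention, limit) for x in losses]
    options = {
        "accept": (0.0, gross),
        "mitigate": (control_cost, mitigated),
        "transfer": (premium, insured(gross)),
        "mitigate+transfer": (control_cost + premium, insured(mitigated)),
    }
    return evaluate(options, tolerance_var95)

if __name__ == "__main__":
    report, chosen = run_example()
    for name, m in report.items():
        print(f"{name:18s} EAL ${m['eal']:>12,.0f}  VaR95 ${m['var95']:>13,.0f}  "
              f"total ${m['total_expected_cost']:>12,.0f}  fits={m['within_tolerance']}")
    print("recommended treatment:", chosen)
```

Two design choices matter here. The tolerance is checked against the 95% VaR rather than the expected loss, because the scenarios that drive the decision (ransomware, large breaches) are tail events whose average understates what a bad year looks like. And the insured options reuse exactly the simulated years of their uninsured counterparts, so the difference between "accept" and "transfer" is purely the policy terms, which makes the retention and limit easy to negotiate against the numbers.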
Resilience endeavors to be a champion in driving organizations to think more holistically about building Cyber Resilience. In the current cyber risk climate, we can’t just sell insurance. We must be a partner that collaborates with our customers to advance their cyber maturity and reduce risk in a mutually beneficial way. Resilience hopes that its input will be helpful to NIST as it develops version 2.0 of the Framework and aims to partner with all those who continue to support a more Cyber Resilient world.