Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/13/2017
10:30 AM
Stephen Horvath
Stephen Horvath
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Leverage the Rosetta Stone of Information Sharing

A common framework will help in the development of cyber-risk management efforts.

"What threats are you seeing?"

"What tool did you buy?"

"Did you know an exploit for that vulnerability is in the wild?" 

Do these questions sound familiar? If you're a cybersecurity practitioner, they likely do. Historically, many organizations conduct information sharing that sounds a lot like this.

Unfortunately, these conversations are limited in scope and confined to a specific security concern, which means they rarely expand across multiple teams to achieve true organizational collaboration. You'll usually see governance folks talking to other governance folks, or security operations teams reaching out to other security operations teams.

These siloed conversations hinder an enterprise-wide ability to see the big cybersecurity picture. The good news is that cyber practitioners no longer have to take part in the same old song and dance.

With the recent mandate for public sector organizations to use the National Institute of Standards of Technology (NIST) Cybersecurity Framework (CSF) combined with increased adoption expected of the private sector, we have reached a potential tipping point for information sharing. The entire cybersecurity community — across the public and private sectors — can work together in developing more effective cyber-risk management processes that benefit everyone involved.

Redefining Information Sharing across the Enterprise
In May, the much-anticipated Cyber Executive Order called for broader adoption of the NIST CSF, which was initially introduced in 2014 to help critical infrastructure organizations manage cyber-risk more effectively.

The adoption rate of the NIST CSF has been strong. Gartner estimates that about 30% of U.S. organizations embraced the CSF in the first two years it was available, and forecasts expect that number to hit 50% by 2020.

A recent survey of attendees at this year's Amazon Web Services (AWS) Public Sector Summit found widespread support for the NIST CSF, with 80% saying that it effectively helps organizations manage risk. One of the drivers for this support is the desire for a common set of cybersecurity standards across both the public and private sectors. A remarkable 96% of those surveyed said a common language would benefit their organization.

Why is there such strong support for the NIST CSF and common standards? Well, it essentially solves the usual problems surrounding enterprise-wide information sharing. Matt Barrett, program manager for the NIST CSF, in a recent Q&A with our CSO, Rick Tracy, said that the CSF's purpose is "a way of bridging the gap between cybersecurity professionals and people who are experts in other fields."

The CSF provides a way for everyone, at every level of an organization, to understand cybersecurity in terms that are widely accepted, changing the tune of the typical cybersecurity dialog. Internally, this means that IT professionals from the server room can have an effective, worthwhile conversation with executives in the boardroom. 

In other words, it creates a universal language for cybersecurity. Similar to Rosetta Stone software making it easy to quickly learn a new language, the CSF provides a simple way for anyone to quickly pick up the intricacies of cybersecurity and a robust cyber-risk management plan. 

The CSF becomes the common lexicon that adds sorely needed context, especially when discussing gaps in security defenses and residual risks. In some cases, conversations are not enough if you don't understand the place your colleagues are coming from. As enterprises aim to improve their cyber-risk management processes, information sharing will take on new depth and meaning, empowered by a common language that is understandable both vertically within organizations as well as horizontally among other companies.

Automation Encourages Enterprise-Wide Collaboration
Despite the fact that the CSF has received significant support in the public sector, too many organizations in both the public and private sectors still see it as "just another framework" because they've seen many previous attempts at developing a common cybersecurity language fall to the wayside.

This is due in part to headaches associated with compliance. That same survey asked participants to name their biggest compliance challenge and two rose above the rest — 46% percent said it takes too much time and 45% said it is too complex. These responses were not surprising, unfortunately. Time and complexity are the compliance woes that have plagued cybersecurity leaders for years, and have inhibited any sustained efforts to modernize, innovate, and develop a much-need common cybersecurity language.

Thanks to technology improvements, the answer to overcoming those compliance hurdles has arrived in the form of automation. Organizations are now able to automate compliance standards such as the NIST CSF, which leads to dramatic savings in cost and time. By doing so, there can be an added focus on empowering employees to spend their time on more critical tasks, like responding to threats and risks. Similarly, automation frees up resources that can instead be devoted to innovation, research, and training.

Truly forward-leaning organizations with a focus on security that want to alleviate the burdens of complex compliance activities can implement automated processes that can reduce the time and effort needed by half.

Despite the challenges associated with compliance, automation presents an opportunity to streamline the compliance process. It's time that organizations become empowered to better utilize technologies that vastly improve cyber-risk management and allow for the necessary collaboration that will drive the future of cybersecurity. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Stephen Horvath is Vice President of Strategy and Vision at Telos Corporation, a leading provider of continuous security solutions and services for the world's most security-conscious agencies and organizations. Within this role, he is responsible for leading the development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19631
PUBLISHED: 2020-01-24
An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. A read-only user can ac...
CVE-2020-5219
PUBLISHED: 2020-01-24
Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the appli...
CVE-2019-18900
PUBLISHED: 2020-01-24
: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions p...
CVE-2020-7226
PUBLISHED: 2020-01-24
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data...
CVE-2012-6302
PUBLISHED: 2020-01-24
Soapbox through 0.3.1: Sandbox bypass - runs a second instance of Soapbox within a sandboxed Soapbox.