Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/13/2017
10:30 AM
Stephen Horvath
Stephen Horvath
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Leverage the Rosetta Stone of Information Sharing

A common framework will help in the development of cyber-risk management efforts.

"What threats are you seeing?"

"What tool did you buy?"

"Did you know an exploit for that vulnerability is in the wild?" 

Do these questions sound familiar? If you're a cybersecurity practitioner, they likely do. Historically, many organizations conduct information sharing that sounds a lot like this.

Unfortunately, these conversations are limited in scope and confined to a specific security concern, which means they rarely expand across multiple teams to achieve true organizational collaboration. You'll usually see governance folks talking to other governance folks, or security operations teams reaching out to other security operations teams.

These siloed conversations hinder an enterprise-wide ability to see the big cybersecurity picture. The good news is that cyber practitioners no longer have to take part in the same old song and dance.

With the recent mandate for public sector organizations to use the National Institute of Standards of Technology (NIST) Cybersecurity Framework (CSF) combined with increased adoption expected of the private sector, we have reached a potential tipping point for information sharing. The entire cybersecurity community — across the public and private sectors — can work together in developing more effective cyber-risk management processes that benefit everyone involved.

Redefining Information Sharing across the Enterprise
In May, the much-anticipated Cyber Executive Order called for broader adoption of the NIST CSF, which was initially introduced in 2014 to help critical infrastructure organizations manage cyber-risk more effectively.

The adoption rate of the NIST CSF has been strong. Gartner estimates that about 30% of U.S. organizations embraced the CSF in the first two years it was available, and forecasts expect that number to hit 50% by 2020.

A recent survey of attendees at this year's Amazon Web Services (AWS) Public Sector Summit found widespread support for the NIST CSF, with 80% saying that it effectively helps organizations manage risk. One of the drivers for this support is the desire for a common set of cybersecurity standards across both the public and private sectors. A remarkable 96% of those surveyed said a common language would benefit their organization.

Why is there such strong support for the NIST CSF and common standards? Well, it essentially solves the usual problems surrounding enterprise-wide information sharing. Matt Barrett, program manager for the NIST CSF, in a recent Q&A with our CSO, Rick Tracy, said that the CSF's purpose is "a way of bridging the gap between cybersecurity professionals and people who are experts in other fields."

The CSF provides a way for everyone, at every level of an organization, to understand cybersecurity in terms that are widely accepted, changing the tune of the typical cybersecurity dialog. Internally, this means that IT professionals from the server room can have an effective, worthwhile conversation with executives in the boardroom. 

In other words, it creates a universal language for cybersecurity. Similar to Rosetta Stone software making it easy to quickly learn a new language, the CSF provides a simple way for anyone to quickly pick up the intricacies of cybersecurity and a robust cyber-risk management plan. 

The CSF becomes the common lexicon that adds sorely needed context, especially when discussing gaps in security defenses and residual risks. In some cases, conversations are not enough if you don't understand the place your colleagues are coming from. As enterprises aim to improve their cyber-risk management processes, information sharing will take on new depth and meaning, empowered by a common language that is understandable both vertically within organizations as well as horizontally among other companies.

Automation Encourages Enterprise-Wide Collaboration
Despite the fact that the CSF has received significant support in the public sector, too many organizations in both the public and private sectors still see it as "just another framework" because they've seen many previous attempts at developing a common cybersecurity language fall to the wayside.

This is due in part to headaches associated with compliance. That same survey asked participants to name their biggest compliance challenge and two rose above the rest — 46% percent said it takes too much time and 45% said it is too complex. These responses were not surprising, unfortunately. Time and complexity are the compliance woes that have plagued cybersecurity leaders for years, and have inhibited any sustained efforts to modernize, innovate, and develop a much-need common cybersecurity language.

Thanks to technology improvements, the answer to overcoming those compliance hurdles has arrived in the form of automation. Organizations are now able to automate compliance standards such as the NIST CSF, which leads to dramatic savings in cost and time. By doing so, there can be an added focus on empowering employees to spend their time on more critical tasks, like responding to threats and risks. Similarly, automation frees up resources that can instead be devoted to innovation, research, and training.

Truly forward-leaning organizations with a focus on security that want to alleviate the burdens of complex compliance activities can implement automated processes that can reduce the time and effort needed by half.

Despite the challenges associated with compliance, automation presents an opportunity to streamline the compliance process. It's time that organizations become empowered to better utilize technologies that vastly improve cyber-risk management and allow for the necessary collaboration that will drive the future of cybersecurity. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Stephen Horvath is Vice President of Strategy and Vision at Telos Corporation, a leading provider of continuous security solutions and services for the world's most security-conscious agencies and organizations. Within this role, he is responsible for leading the development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.