Today’s release of the White House’s National Cybersecurity Strategy is the result of more than a year of government and industry collaboration that sets new boundaries for the government approach needed to improve global cyber defenses. The strategy clearly represents a shift away from decades-old voluntary compliance regimes to a more aggressive regulatory construct that seeks to shift cyber burdens onto providers/developers and owners and operators of critical infrastructure.
Much of the discussion on the release today has been about two themes: regulation and liability. Those two issues will consume significant time and involve the different voices of CISOs, CIOs, corporate Boards, and other stakeholders, who should clearly expect that new regulations and requirements will come. The timing and scope of those changes will take some time to assess and predict. Though the government wants to ease the compliance burden on companies and harmonize regulations as much as possible, organizations of all sizes need to think now about how to prepare themselves.
In future blogs, we’ll dive deeper into these issues, but for today, we want to highlight what SecurityScorecard considers to be the strategy’s most important component: the strong focus on measurement and reporting in driving accountability and outcomes.
The Administration makes clear that they will take a data-driven approach to ensuring that the document drives meaningful, positive outcomes. Assessing and reporting on the effectiveness of implementation shows collective progress. A relentless focus on transparency and reporting on metrics that matter can drive organizations to action and raise all levels of cyber protections around the world.
You can’t fix what you can’t measure. Security ratings like the ones we provide offer an outside-in view of an organization’s risk posture and threat landscape, and give organizations a means for objectively monitoring their own security hygiene and that of other organizations. Perhaps more importantly, they help stakeholders at all levels gauge where their security efforts are improving or deteriorating over time.
The drive to greater measurement and reporting can help dramatically reduce information and awareness gaps across large multinational corporations, small businesses with limited IT and cybersecurity capabilities, and government agencies protecting their nation’s most critical infrastructure assets and industries.
The complexity of the IT ecosystem is enormous. Most multinational corporations utilize dozens, if not hundreds or thousands, of vendors across their supply chains. Yet companies and government regulators too often have little to no information about the security of those vendors. With over 50 percent of cyber incidents occurring through third-party connections, this lack of visibility is alarming.
We have to find ways to move beyond static reporting and time-bound assessments of security operations and security vulnerability management. Leaders at all levels of government have recognized the value that greater use of consistent measurement brings to calculating, measuring and demonstrating progress in reducing risk exposure. Work underway at the Cybersecurity and Infrastructure Security Agency to codify last year’s threat information sharing apparatus will be a key development here. We will be actively working to ensure this motion helps operationalize metric measurement and visibility.
At SecurityScorecard, we are constantly searching for ways to make the world a safer place. As part of that mission, we released a report at this year’s World Economic Forum, detailing the state of critical infrastructure and ways to improve cyber resiliency.
The federal government has the opportunity to relentlessly pursue metrics that matter. If we do this right, we can provide faster, better, and more quantifiable insights into cyber risks and show real progress. SecurityScorecard is committed to working with government as well as private sector owners and operators of critical infrastructure to ensure we measure what matters most and help drive progress.