Last week, SecurityScorecard was invited to participate in a fireside chat with Michael Daniel, President & CEO of the Cyber Threat Alliance (CTA). SecurityScorecard's Chief Business Officer, Sachin Bansal, joined Daniel for a lively discussion on how to measure cyber health and clearly communicate progress against those metrics. Daniel and Bansal also discussed the White House's new National Cybersecurity Strategy and its focus on measurement and reporting against sweeping strategic objectives.
We measure everything; cybersecurity shouldn't be different
We live in a society where nearly every meaningful performance marker can be measured: fitness trackers count our steps, blood tests measure our cholesterol levels, and speedometers measure our speed. Yet when it comes to cybersecurity, there has historically been a shortage of metrics for measuring and communicating key cyber goals to stakeholders. For example, when CISOs request additional funds for their cybersecurity budgets, they have had few ways to show the impact previous investments have had on the organization's cyber readiness.
While organizations certainly track and use other cybersecurity metrics, security ratings are a consistent cyber risk metric recognized by the Cybersecurity and Infrastructure Security Agency (CISA) and used in both the private and public sectors. Drawing on his background in government, Daniel touched on the use of metrics in cybersecurity, noting that some government agencies have advanced cybersecurity because the partners they work with are advanced, though he pointed out that this is the exception rather than the rule.
Measuring cybersecurity is a continuous effort
Another point that was stressed is that cybersecurity must be a continuous effort; in other words, treating it as a one-time problem won't protect an organization. A holistic approach is what drives meaningful change. A common theme among organizations that have been breached is a missing element of cyber hygiene: the attacker got in because multi-factor authentication wasn't enforced, staff were never tested against phishing or social engineering, penetration testing wasn't performed, or patching wasn't consistent. Daniel and Bansal agreed that organizations must reach a standard, basic level of cyber hygiene before they can meaningfully improve their cyber posture.
While technology constantly changes, good cybersecurity principles remain the same. When it comes down to it, cybersecurity is a risk management problem, with the ultimate goal of driving risk as low as you reasonably can. And with the volume and velocity of security data only accelerating, many organizations still need to learn which data actually matters. That is why security ratings can be valuable: they draw on a defined set of data sources and use that information to help prioritize the decisions that make a tangible difference to overall cyber posture.
Governments’ role in cybersecurity
The National Cybersecurity Strategy released by the Biden Administration earlier this year is transformational for metrics in cybersecurity because it commits the federal government to a data-driven approach to cybersecurity, with progress measured and reported against its objectives.
The release of this strategy has prompted multiple sector risk management agencies to put forward new requirements to measure, report, and manage third-party risk. At the same time, in Europe, the evolving Cyber Resilience Act will place new requirements on manufacturers to manage and disclose vulnerabilities in their products. In France, a new cyber score law will require Internet-facing platform companies to publish "report cards" on their cyber resilience based on third-party audits of their systems and processes. And the expected new SEC regulations will place the onus on boards to manage cybersecurity risk just like any other material business risk.
Governments globally are increasingly focused on measuring the health of different sectors, especially critical infrastructure. Knowing the cybersecurity posture of every major piece of critical infrastructure is in a country's national interest. This is why SecurityScorecard released a report at the World Economic Forum's (WEF) Annual Meeting in Davos that examined cyber health across diverse sectors and found that nation-state attacks against critical infrastructure doubled between 2021 and 2022. We also found that almost 50 percent of critical manufacturing organizations have cybersecurity vulnerabilities, and that the water sector would benefit from a faster patching cadence to reduce its attack surface.
We're grateful for the opportunity to have been part of such an important conversation about the future of cybersecurity metrics, and we applaud the Cyber Threat Alliance for its continued efforts to improve the cyber health of our institutions. For more information on how to improve your cybersecurity, visit securityscorecard.com and get your free security rating today.