The cybersecurity metrics required to make Biden’s Executive Order impactful
For too long, neither the private nor the public sector has prioritized cybersecurity enough, acting only in “good faith”, which is an inadequate effort to improve cybersecurity. Recently, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity to set government standards and best practices for cybersecurity across sectors, and it is good to see the focus on automation.
While the EO itself is well thought through and comprehensive from a public-sector perspective, it is vague in its requirements for the private sector and fails to offer a structure for protecting the nation’s cybersecurity. One thing that is clearly missing is a robust requirement around hard metrics.
To make meaningful change in our nation’s cybersecurity posture, the federal government must define concise and quantifiable metrics for reporting and benchmarking. We must invest in an infrastructure overhaul by replacing decades-old security tools that are obsolete and incapable of keeping up with growing attack surfaces, and, alongside zero-trust supply chains, make automation a standard in all cybersecurity initiatives.
Creating concise metrics for reporting and benchmarking
When it comes to cybersecurity, only two metrics matter most and show the health of your organization’s cybersecurity posture. The first is understanding an organization’s cyber risk in dollars. To quantify their risk, organizations must first know what assets they have and what their vulnerabilities are, as the cardinal rule of cybersecurity is that you can’t protect what you can’t see. Then organizations must calculate their risk in monetary terms by measuring the value of each asset and the likelihood it is breached. They can then look to bring their risk down to an acceptable value.
The second is mean-time-to-respond (MTTR): the time it takes your organization to identify a security incident or vulnerability and take action to isolate or mitigate the threat. MTTR is a challenge for many organizations, as they often lack visibility into each network asset while also trying to manage hundreds if not thousands of notifications and alerts a day.
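As an added illustration (not part of the original article), here is a small Python model of the two metrics: dollar risk computed from a constructed asset inventory, a prioritization pass that picks which assets to remediate first to bring total risk down to an acceptable value, and MTTR computed from a constructed incident log. The asset names, values, likelihoods and timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Asset:
    name: str
    value_usd: float          # estimated loss if this asset is breached
    breach_likelihood: float  # probability of a breach per year (0..1)

@dataclass
class Incident:
    alert_at: datetime        # alert or vulnerability report received
    mitigated_at: datetime    # threat isolated or mitigated

def asset_risk_usd(asset: Asset) -> float:
    """Dollar risk of one asset: value at stake times likelihood of breach."""
    return asset.value_usd * asset.breach_likelihood

def total_risk_usd(assets: list) -> float:
    """Organization-wide risk in dollars (sum over the inventory)."""
    return sum(asset_risk_usd(a) for a in assets)

def remediation_priority(assets: list, acceptable_usd: float) -> list:
    """Highest-risk assets to remediate first (remediation is modelled as
    driving that asset's likelihood to zero) until total risk <= acceptable."""
    remaining, chosen = total_risk_usd(assets), []
    for asset in sorted(assets, key=asset_risk_usd, reverse=True):
        if remaining <= acceptable_usd:
            break
        chosen.append(asset.name)
        remaining -= asset_risk_usd(asset)
    return chosen

def mttr_hours(incidents: list) -> float:
    """Mean time to respond: average hours from alert to mitigation."""
    return mean((i.mitigated_at - i.alert_at).total_seconds() / 3600
                for i in incidents)

# Constructed sample inventory and incident log (not real data).
ASSETS = [
    Asset("billing-db", 2_000_000, 0.05),    # risk 100,000
    Asset("public-web", 300_000, 0.30),      # risk  90,000
    Asset("hr-fileshare", 500_000, 0.10),    # risk  50,000
]
INCIDENTS = [
    Incident(datetime(2021, 6, 1, 9, 0), datetime(2021, 6, 1, 13, 0)),    # 4 h
    Incident(datetime(2021, 6, 3, 22, 15), datetime(2021, 6, 4, 4, 15)),  # 6 h
    Incident(datetime(2021, 6, 10, 8, 0), datetime(2021, 6, 10, 10, 0)),  # 2 h
]
```

With an acceptable risk of $150,000 the model says to remediate billing-db first, which alone brings the total from $240,000 to $140,000; the MTTR over the three incidents is 4.0 hours.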
Without benchmark standards for quantifying cyber risk and MTTR, organizations can often overstate their performance and leave themselves vulnerable to cyber-attacks – and we will continue to see cyber-attacks cripple critical infrastructure, food supply, and our economy. We can’t leave room for companies to skate by on overstated and vague metrics for security posture. The government must hold companies accountable for cybersecurity, and to do so, these metrics must be put into action.
The problem with legacy security tools and decades-old infrastructure
We wouldn’t allow doctors to implant cardiac pacemakers from the 1990s, so why would we allow organizations to rely on cybersecurity tools from the same decade? If one thing is certain, it’s that relying on tools designed for the birth of the internet is an inadequate way of keeping up with today’s hyper-connected world and growing numbers of cybercriminals.
As addressed in the American Rescue Plan and supported further in the 2022 fiscal budget, the government is taking action to bolster the nation’s cybersecurity posture, allocating $650 million and $9.8 billion, respectively. But the reality is that the amount allocated to cybersecurity is only a fraction compared to defense spending on physical attacks, failing to recognize that war and crime are being fought online.
To secure our nation and stabilize our economy, we must recognize that digital wars are being waged every day. The resources put into fighting these battles do not come close to what is necessary to end them. We must put the same resources into cyber wars as we have put into physical ones.
To prepare and defend U.S. critical infrastructure, the federal budget needs to address the decades-old security tools these organizations use and fund a complete overhaul, from electric grids and water supply and treatment facilities to oil and gas refineries and food suppliers. Each is an integral part of the nation’s economy, and in just one year each has shown the world the extent of its vulnerabilities.
As we consider the initial steps to mitigate devastating attacks like the Colonial Pipeline attack, we must consider the efficacy of the tools these organizations are using and how an investment in modern technology can improve their security posture.
Automation to manage security
Automation is the only way to keep up with bad actors and manage security threats across a vast network of devices and attack surfaces. Advanced AI/ML and automation allow security teams to better consolidate data from disparate cybersecurity tools, analyze the data to glean insights, prioritize action items and dispatch them to the designated risk owners for remediation. Organizations can then quantify their risk and reduce the mean time to respond to security events while working against time constraints and limited budgets.
As we continue to see ransomware and cybercrime plague the U.S., we must recognize them as part of the decade-defining battle – one that will make its way into history books as we make million-dollar payments to bad actors but fail to fix the vulnerabilities that allow these attacks. We can’t afford to fall behind nation-state attackers and cybercrime hobbyists. We must do our due diligence and work to enact meaningful and actionable change across industries and sectors. Through precise and quantifiable metrics, infrastructure modernization, and mandatory automation, we can improve our cybersecurity posture as we work to dismantle the cybercrime black market.