Cyber Insecurity: The Need for Adaptable and Dynamic Processes for Security
February 28, 2018 at 12:10 PM
Several years ago, cybersecurity was not even on the radar of most companies and their boards. Over the past several years after countless fiascos and crises impacting companies of every size and scope, cybersecurity has steadily risen as a priority and emerged as an integral aspect of a board of director's duty of care and oversight to the company it oversees. As cyberthreats continuously evolve, develop and change, management is inundated with guidance on oversight, training, and any number of technical and procedural controls necessary to improve the company's security posture. In addition to the fast pace of evolution in cybersecurity, a recent trend of high profile data breaches and cyberincidents has put boards of directors on high alert for very specific threats, for example, Wannacry and the threat of ransomware. While this increased attention and scrutiny is important, and salubriously inspires many companies to better their cybersecurity postures, this granular focus runs the risk of missing the forest for the trees. While an understanding of technical controls and specific risks is integral to any cybersecurity program, it is important to understand that there is a greater principle afoot: namely that cybersecurity is not a binary state (secure or insecure), but rather it is a continuous, iterative, dynamic process. Thus, if we, whether on the level of a single company or the broader community as a whole, are to stand any chance of meaningfully moving the ball forward, we must develop a clearer conception of the nature of cybersecurity, the goals that a cybersecurity program must pursue, and the methodologies that must be implemented to accomplish them.
To better understand what this means, we can look to industry standards, one of the best being the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST). The CSF was created pursuant to an executive order issued in February 2014 by President Barack Obama, which called for “the development of a framework to reduce cyberrisks to critical infrastructure.” The goal of the CSF was to create “a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyberrisks.” The first version of the CSF was released in February 2014, and it was quickly adopted by its target market, U.S. critical infrastructure, but the CSF is more broadly applicable. The CSF is neither industry nor size specific, and the general principles and processes it promulgates for identifying, understanding, and safeguarding against cyberrisks are just as applicable to a local or regional company as they are to an international financial institution or technology company. The CSF consists of three core elements: the framework core, framework profiles, and the subject of our inquiry, framework implementation tiers.
The CSF implementation tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework (e.g., risk and threat aware, repeatable and adaptive). The tiers characterize an organization's practices over a range, from partial (Tier 1) to adaptive (Tier 4).
Simply put, the tiers represent a spectrum of how well your organization understands, guards against, and responds to cyberrisk. The tiers are routinized and standardized across industries and verticals, which allows companies, engineers and managers to speak a common language both with regard to their respective security postures and with regard to the best routes to develop and improve those postures. While the CSF implementation tiers play an integral role in helping an organization understand its own posture, and in setting goals for future development, they serve just as important a role in giving a company's nontechnical management and directors a clearer understanding of the company's cybersecurity development and goals.
The temptation to view cybersecurity as a binary question is particularly strong when it relates to a specific threat. For example, a corporate manager might ask whether or not the company is secure from the NotPetya Ransomware. While the answers to such questions are sometimes technically difficult to ascertain, they can only be definitively answered in certain scenarios. Furthermore, the answer, even when it is determinate and binary, can be misleading and counterproductive. If the technical staff reports to the manager that the company is, in fact, secure from NotPetya, the company will be much less likely to take a holistic inventory of its readiness for the broader attack vector of ransomware in general, and to take the most effective measures to prepare the company to secure itself against the broader category of attack. Thus asking the wrong questions is not merely unhelpful; it can actively complicate the process of most effectively developing a company's cybersecurity posture.
In the CSF implementation tiers, there are four different phases a company can be in: partial, risk informed, repeatable, and adaptive. It is important to note that there is no language about secure or insecure; rather, the language centers on an organization's integration of business, risk and cybersecurity. It also accounts for the distinctions between the circumstances and finances of each individual company and affords them some degree of ability to balance between the company's financial means and cybersecurity needs. The CSF implementation tiers represent a spectrum of possible cybersecurity postures. On one end of the spectrum is the partial tier. The partial tier generally encompasses those companies that deal with cybersecurity on an ad-hoc basis, with a limited general awareness of cyber risk and its potential impact on their business. In these circumstances, cybersecurity is dealt with on a break-fix basis, meaning that it is only dealt with when something has broken down and the company has discovered that it has been compromised. Companies in this stage fail to effectively engage with the risks they face and to position themselves to effectively recover once an incident has occurred. The second tier, risk informed, takes a slight step up from partial: an organization may not thoroughly formalize its practices, but it is beginning to conceptualize cybersecurity as a process and not as a break-fix binary, and to recognize the essential fact that cybersecurity is a relevant consideration for the organization. The repeatable tier takes this a step further, indicating that companies have formalized these processes and that they are regularly updated based on developments in the cybersecurity landscape. It includes a meaningful degree of buy-in from corporate decision makers and meaningful training and preparation for staff.
Finally, the adaptive tier is achieved once a company has robust and regularly verified and validated cybersecurity processes, procedures, and technologies. Cybersecurity has become an element of company culture and is regularly updated based on developments in the landscape and on predictive indicators that are tailored to the specifics of the company.
There are many lessons to be learned from analyzing the CSF implementation tiers, from direct management involvement and oversight to developing cultural awareness to the adoption of policies, procedures and technologies, but what is most important are the words that are not included in the tiers: secure, defensible, threat elimination. These are absent because a robust, well managed, and carefully considered cybersecurity posture does not seek to achieve absolute security, because this is an impossible goal. Rather, such a policy seeks to ensure that an organization can nimbly and effectively respond to a broad spectrum of cybersecurity threats. To pull from the age-old fable of the willow and the oak, if an organization seeks to stiffly apply specific controls, it will inevitably be felled, whether by a new emerging threat or some other instance of failure. If, however, a company is able to adapt and apply cybersecurity principles dynamically, throughout the entire enterprise, it will be able to withstand any storm. For a further illustration of this point, one need only look at the titles of the CSF Implementation Tiers, namely that the highest tier is adaptive, meaning that an ideal posture is one that recognizes the ever-changing landscape of cyberthreats, and can internalize the evolution of the threat environment, apply it to its own unique context, and nimbly adapt and react to these developments at the institutional level.
Cybersecurity can often be a loaded issue that pulls from a wide variety of elements within an organization. It implicates everyone from the directors and managers to the technicians and employees. Directors are often charged with oversight of this process, which does require careful attention, but this detail-oriented approach sometimes risks missing the forest for the trees. To prevent this, it is essential to clearly conceptualize the goals of a “good” cybersecurity program. The CSF implementation tiers are by no means the only tool available to help understand these goals, but they do present a coherent, logical and understandable framework for setting goals, at a macro level, for one's organization.
Barry and Benjamin Dynkin are co-executive directors of the American Cybersecurity Institute and co-founders of Atlas Cybersecurity.