President Biden’s Statement on National Cybersecurity

President Biden stated, “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”

However, the real question is, are organizations ready to implement cyber defenses? The basis for this rhetorical question is that with the speed of change, IT transformations, new mandates, and the great resignation, among others, organizations may be challenged to implement cybersecurity strategically. There’s no lack of guidance for Critical Infrastructure or Corporate Infrastructure, with standards and frameworks, such as:

• ISO/IEC 27001
• ISO/IEC 27032 on cybersecurity 
• the multipart ISO/IEC 27033 on network security, and
• incident response and forensics – ISO/IEC 27037, 27041, and 27042.
• ISO/IEC 15408 the Common Criteria
• NIST Cybersecurity Framework (NIST CSF)
• NERC Critical Infrastructure Protection (NERC CIP)
• ANSI/ISA 99 security guidelines and user resources for Industrial Automation and Control Systems

It has always been about implementation guidance; organizational [cybersecurity] resources have constantly been challenged with how to implement the vast amount of advice and mandates. The “how” is not clear, which leads to diverse interpretations. However, unlike critical infrastructure, the corporate infrastructure has even less guidance on the “how.” I suggest the following simplified methodology:

1. Identify
2. Assess
3. Protect

Identify

Ask yourself:

Does the cybersecurity team know my organization’s crown jewels/business-critical systems? 

The answer to this question is critical for a well developed strategic cybersecurity plan; so here is an interrogatory question to ask and get you started:

• What are the systems supporting your organization’s vision, mission, and services provided to your customers? 

Note: the word “system(s)” throughs off many “technical” people, as the focus goes straight to hardware and software. However, it is a bit more holistic than that; when identifying systems, make sure to encompass people, processes, and technologies.

Once you identify the people, processes, and technologies supporting your organization’s mission, vision, and services, the next step is to assess. 

Assess

Establishing your cybersecurity baseline - to do that; you will need to perform a [quantitative and qualitative] risk assessment, so here is the information you will need to collect for this assessment:

• Collect evidence that your business-critical systems are configured according to your organization’s security configuration baseline. Deviation can occur over time.
• Identify how many technical exceptions have the organization approved for the business-critical systems.
• Identify how many audit findings, penetration test findings, and any other issues identified by your organization related to these business-critical systems.
• Perform a vulnerability scan and identify if these systems are up-to-date with your patch management program.

These data points focus on business-critical systems and will be your starting point to strategically assess your organization’s cybersecurity posture in a risk-based way; this will also become the template for the rest of the organization.

Protect

The last step of this simplified and practical approach is to protect your organization against what you found during the risk assessment effort. Some may be easier than others, but even if you have to introduce projects to the budget cycle, be sure that because of your “identify” phase, you will be well prepared to justify your project.