“It’s discouraging to try to be a good neighbor in a bad neighborhood.” –William Castle
This quote from the late American horror film director has been running through my head as I think about the new NIST CSF 2.0 framework, the new AI regulations and the myriad software product certifications. In a nasty neighborhood of bad actors, these frameworks, regulations and certifications act as good neighbors. They are poised to help organizations of any size protect themselves against a barrage of cyberattacks. But I also see the complexity they bring to CIOs and CISOs, who must balance their security initiatives against alignment with frameworks, regulations and certifications, especially where technology advances faster than a framework or regulation can.
The following recent events have made me think about the three areas in which we as a collective can influence the cyber world positively, which is otherwise packed with many negative forces.
1. A Decade in the Making – CSF 2.0 is Finally Here
In February 2024, nearly 10 years after the first version was published, the National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework (CSF). As you may already know, CSF 2.0 is designed to be used by organizations of all sizes across all sectors, whereas its predecessor was written with critical infrastructure in mind. CSF 2.0 also takes into account technologies that have emerged since the original iteration of the framework and elevates the importance of supply chain risk management and of cybersecurity governance, which now has its own Govern function alongside Identify, Protect, Detect, Respond and Recover.
While CSF 2.0 is a vast improvement over its 10-year-old predecessor, the framework's central problem remains: adoption is voluntary, and voluntary adoption on its own has not produced effective cybersecurity. In July 2022, 10 of the 24 U.S. federal agencies received an F on cybersecurity practices, according to the Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Fast forward to January 2024, and nearly half of the same 24 agencies had improved their scores in that category to a C or D.
This improvement comes on the heels of the Biden administration's 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028), which directed federal agencies to move to a Zero Trust architecture, with specific guidance on securing pillars such as identities and endpoints. Each agency's progress is tracked and aligned to NIST's CSF. The point is that CSF 2.0 is an excellent guide to reducing cyber risk, but on its own it will not secure your organization. Much like EO 14028 did for federal agencies, what will move the needle is executives and the board mandating regular performance assessments against CSF 2.0, so that risk is assessed continuously and the organization's security posture keeps improving.
2. Regulation vs. Innovation – Problem or Peril?
The European Union has led the charge on regulatory frameworks and set an example for the world. Having set the standard with regulations for data privacy, carbon emissions and mergers, the EU has now done the same for AI. EU member states endorsed the EU AI Act in February 2024. Its obligations apply in stages, with most of them taking effect in 2026, and it regulates the use of AI systems according to their potential risk, applying the most stringent rules to the riskiest applications and separate obligations to general-purpose AI models such as the ones behind ChatGPT. In the United States, President Biden issued his AI executive order (EO 14110) in October 2023, seeking to manage the risks stemming from AI and to protect the government and American citizens.
The EU AI Act and the U.S. executive order on AI seek to preserve and protect the data privacy of millions of residents. To do so, both focus on identifying and mitigating the risks of fraud, misinformation and disinformation. But as these new regulations keep arriving, what good is data privacy without cybersecurity? That question keeps sending me back to the drawing board to ask whether my cybersecurity strategy is still producing the best results for my organization, or whether I need to make changes.
3. Complexity of the Number of Certifications
Certifications formally recognize a product, system or service's compliance with the requirements of a specific standard. They often serve as a benchmark for customers and prospects evaluating companies and technology products, giving assurance that a product's functionality, reliability, usability, efficiency and manageability meet a set of published requirements. However, the number and types of certifications can put enormous pressure on organizations seeking to get their products certified or to maintain certification. Security-relevant certifications and attestations include, but are not limited to, ISO/IEC 27001, SOC 1 and SOC 2 reports (each available as a Type 1 or Type 2), CMMC, FedRAMP and NERC CIP. The list goes on.
However, if we closely examine the requirements of many of these certifications, we find a great deal of overlap. As an industry, I wish we would strive to consolidate the common parts of every certification, or at least of many of them, and focus effort on what actually differentiates a specific certification. But I won't hold my breath for that day to come.
My Advice on How to Effect Change in a Bad Neighborhood
If you are a CIO or CISO, I recommend that you take ownership as a good neighbor and actively support your industry peers and organizations like NIST and the NCSC, which develop guidelines for securing a nation's critical infrastructure and organizations of every size across every sector. I recommend you consider the following the duties of a good neighbor who wants to slowly and effectively increase the good in a bad neighborhood.
- Engage in bi-directional partnerships. Technology vendors and NIST must ramp up their collaboration to regularly review and update existing frameworks with faster feedback loops to keep up with the changing technology landscape. In a world increasingly influenced by AI, the industry cannot afford to wait another 10 years for NIST to update its CSF again.
- Harden your cybersecurity foundation. No matter which regulation or framework you are dealing with, a robust security posture will remain the bedrock for regulatory compliance and continuously protecting your sensitive assets against relentless bad actors.
- Mandate metrics. If your organization leverages CSF 2.0 or its earlier version to reduce risk, mandate regular evaluations against specific cybersecurity and risk metrics so you can improve and iterate as necessary. Voluntary evaluations take a back seat when time is short, but a mandate helps ensure thorough evaluations happen regularly and on schedule.
- Remember that certifications do not necessarily correlate with a good security posture. My advice to any organization evaluating and procuring security products based on certifications is to remember that the success of your security program depends on implementing your initiatives within your specific environment, not on deploying a standalone certified product.
Finally, I advise all CIOs and CISOs to do their part as good neighbors and to help other good neighbors. For example, encourage proactive interaction and partnership with NIST or other governing bodies. This partnership will go a long way in a world where technology moves faster than the pace at which government can effect change. As a leader, share your experiences and knowledge with the new generation of CIOs and CISOs. These good neighbor gestures will help build a strong community that can protect itself against the bad neighbors.
Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.