Recently, I was asked to imagine that I had been granted an hour with top officials at the Cybersecurity and Infrastructure Security Agency (CISA) – what advice would I offer to help it have an even bigger impact in 2023 and beyond?
It was only in 2018 that the US government created CISA under the auspices of the Department of Homeland Security. In just a handful of years, its people have done an admirable job. The quality of content CISA releases is consistently top-notch, whether they are advisories, infographics, or videos. Its releases are educational, accessible, and timely — essential in a fast-moving field like cybersecurity.
Another strength is the technical indicators the agency provides, which frontline security practitioners can apply to their tooling to catch intruders in the act or prevent them from entering in the first place.
But as the number of cyberattacks continues to grow and become more complex, CISA can build on that success and do even better. In that spirit, I would offer this advice in my imaginary sit-down with CISA officials.
Updating the Cybersecurity Framework and measuring progress
From my perspective, the agency could collaborate with NIST to update the Cybersecurity Framework it put out in 2014 and updated in 2018 — what people refer to as the NIST Cybersecurity Framework (CSF) version 1.0. The original addresses each organization or enterprise as a monolith. The Department of Homeland Security has subsequently provided industry-specific implementation guidance.
In a refresh, CISA and NIST should acknowledge the reality that an organization is made up of component parts including the network, the cloud, mobile and countless endpoints (and therefore many separate potential vulnerabilities). Version 2.0 of the framework would enable organizations to better address the disparate security issues inherent in each of these elements.
I’d also suggest adding a measuring stick that helps an organization understand where it is relative to the best practices laid out in the cybersecurity framework. The prescriptions the agency spells out are generally simple and direct. But I would recommend something like a progress bar that shows an organization whether it is 20 percent of the way toward the prescribed best practices or 60 percent.
In a world where organizations must make decisions addressing business risk, knowing what is good, better, or best can be very helpful. With cyberthreats and recommended best security practices continually evolving, no organization can ever be fully caught up. And yet, seeing its status on a maturity and adherence scale would help an organization better understand its vulnerabilities and priorities.
Build the brand and broaden the focus
Marketing is another area I’d bring up in my imagined meeting. Everyone in the security field is contending with a flood of content and an endless barrage of news and threat bulletins. CISA’s materials are great for cutting through the noise. And yet, too few companies and organizations are seeing what CISA produces and following its valuable advice.
I’d tell CISA officials: Your products are one of your great strengths, but there is room for improvement in terms of reaching a bigger audience.
The agency also needs to broaden its focus. Right now, CISA concentrates on three main audiences:
1. All levels of government
2. Large enterprises
3. Critical infrastructure (such as the electricity grid and the country’s water systems)
For security professionals working in one of these three key areas, CISA does a fine job of issuing advisories and support materials. And understandably, CISA in its early years needed to set priorities as its people built a new entity.
Now’s the time for expanding the mission, and creating the capacity to support medium- and smaller-sized businesses and organizations — which are just as vulnerable as their larger counterparts and often in even greater need of help.
I recognize that CISA can do only so much with the money Congress grants it, but the recent omnibus spending agreement allocating a $2.9 billion budget for 2023 is a step in the right direction. This year, that could mean broadening to include medium-sized entities that employ as few as 500 people. After that, federal funds willing, CISA officials could take on the challenge of reaching smaller organizations.
Fuller sharing can promote trust
Finally, CISA needs to be part of a solution that helps coax more information from companies that have had a breach. Some intrusions require a company to alert the public, but many do not, which has meant an inconsistency in the reporting of vulnerabilities. It’s in the public interest to have a more consistent set of reporting rules and a mechanism in place for handling that information. The faster people get the intelligence out there, the less severe the impact of an attack.
Some argue that CISA should lower the threshold for the mandatory reporting of a cyber incident. I don’t think we’re at that point, at least not yet for breaches that don’t compromise customer personal information. First there’s the question of what the government would do with that self-reported data.
The key for CISA is to build trust. That means providing clarity on how the data a company shares would be used, and also how it would be protected, to avoid the stigma of public shaming. Promise anonymity for certain reporting cases if that’s what it takes.
There’s also a chance to highlight positive stories to counter the gloom-and-doom that marks most security coverage in the news media. More often than the public knows or hears, an organization successfully fends off and neutralizes an intruder because of the security systems they have in place. Those hero stories merit attention, and CISA could help promote them — again, even with anonymity – lest the boastful would-be victim invite additional attacks.
But no matter what steps it takes in 2023, I look forward to CISA’s continued excellence in its areas of strength — sharing information and best practices.
Attackers will continue using the moves that work, such as phishing attacks and ransomware. And why not? I liken it to basketball, where attempting 3-pointers far from the rim makes little sense when a player can consistently score taking the easy layups. It’s incumbent on critical agencies like CISA to do everything in their power to help organizations ensure that they’re prepared as best they can for the next attack.