{"id":59224,"date":"2024-02-28T00:35:49","date_gmt":"2024-02-28T08:35:49","guid":{"rendered":"http:\/\/www.enxmag.com\/twii\/?p=59224"},"modified":"2024-02-28T00:37:03","modified_gmt":"2024-02-28T08:37:03","slug":"risk-management-the-purpose-of-cybersecurity-performance-goals","status":"publish","type":"post","link":"http:\/\/www.enxmag.com\/twii\/impact-of-it\/2024\/02\/risk-management-the-purpose-of-cybersecurity-performance-goals\/","title":{"rendered":"Risk Management: The Purpose of Cybersecurity Performance Goals"},"content":{"rendered":"\n<p><strong>In the beginning of 2023, the U.S. government\u2019s Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of the Cybersecurity Performance Goals (CPGs)\u2014a set of practices that businesses and critical infrastructure owners can take to protect themselves against hackers.<\/strong><\/p>\n\n\n\n<p>These goals, while not currently mandatory, are still crucial in the face of escalating cyberthreats, which outpace most businesses\u2019 ability to defend themselves. Managing risk and aligning with the CPGs at your organization has to be a company-wide initiative that starts at the top.<\/p>\n\n\n\n<p class=\"has-vivid-cyan-blue-color has-text-color\"><strong>The Importance of CPG Implementation<\/strong><\/p>\n\n\n\n<p>Over 2,200 cyberattacks happen each day; that\u2019s one attack every 39 seconds. Yet, only 38% of organizations feel as though they\u2019re prepared to handle an advanced cyberattack.<\/p>\n\n\n\n<p>These statistics reveal how the majority of businesses are unprepared to deal with modern threats. The exponential rise in attacks not only jeopardizes sensitive data but also poses significant financial and reputational risks to breached businesses.<\/p>\n\n\n\n<p>The underlying hope of the CPGs is that they\u2019ll spur business leaders into decisive actions to fortify their company\u2019s cybersecurity by being clear, thorough, prescriptive and pragmatic.<\/p>\n\n\n\n<p class=\"has-vivid-cyan-blue-color has-text-color\"><strong>Cybersecurity Risk Management Issues<\/strong><\/p>\n\n\n\n<p>Many business leaders don\u2019t prioritize investing in cybersecurity and lump it into their already small IT budgets. But cybersecurity isn\u2019t an IT problem; the standard IT operations employee doesn\u2019t have the skills to provide the protection a company needs. Having cybersecurity specialists, or outsourcing from a managed service provider, is the best way to ensure your business\u2019 security will be protected well enough to prevent hackers from wreaking havoc.<\/p>\n\n\n\n<p>Companies that don\u2019t focus on cybersecurity risk getting hacked at an exponentially higher rate than those that do. When companies are hacked, insurance companies want to restore the business\u2019 operations as fast as possible to limit the amount of money they have to pay in a claim. And since most cybercriminals are motivated by money, the fastest way to resume operations is by paying the ransom.<\/p>\n\n\n\n<p>By giving the hackers what they want, the vicious cycle of cybercrime continues and escalates. The best way to reduce this cycle is by investing in the proper people, processes and technology. While effective tools can stop threats, monitoring allows a company to detect and respond to incidents that do occur.<\/p>\n\n\n\n<p class=\"has-vivid-cyan-blue-color has-text-color\"><strong>How CPGs Compare to Other Security Frameworks<\/strong><\/p>\n\n\n\n<p>CISA originally published the first CPG report in October 2022. The introduction of CPGs gave business leaders more structure and a roadmap to follow.<\/p>\n\n\n\n<p>After receiving feedback requesting a more streamlined alignment with the National Institute of Standards and Technology\u2019s (NIST) Cybersecurity Framework (CSF) functions, the agency undertook a comprehensive update and reorganization of the CPGs.<\/p>\n\n\n\n<p>The CPGs\u2014which today include the outcome, risk addressed, scope and recommended action of each goal\u2014are now aligned with those CSF functions. But the CSF tends to be more descriptive when compared to the prescriptive CPGs.<\/p>\n\n\n\n<p>Additionally, CISA updated smaller components within the framework, including the incorporation of phishing-resistant multi-factor authentication (MFA) into the updated MFA goal and the addition of a goal to aid in the recovery planning capabilities of organizations.<\/p>\n\n\n\n<p>Let\u2019s take a look at some of the goals your business should work toward, divided according to the NIST CSF:<\/p>\n\n\n\n<ul><li><strong>Identify<\/strong>: Taking asset inventory, clarifying organizational and operational technology (OT) cybersecurity leadership, improving IT and OT cybersecurity relationships, mitigating known vulnerabilities, third-party validation of cybersecurity control effectiveness, supply chain incident reporting and vulnerability disclosure and outlining vendor\/supplier cybersecurity requirements<\/li><li><strong>Protect<\/strong>: Password and credential protections, separating user and privileged accounts, network segmentation, detection of unsuccessful login attempts, basic and OT cybersecurity training, encryption, secure sensitive data, system backups and incident response plans<\/li><li><strong>Detect<\/strong>: Detecting relevant threats and terrorist tactics, techniques and procedures (TTPs)<\/li><li><strong>Respond<\/strong>: Incident reporting, vulnerability disclosure and deploying security.txt files<\/li><li><strong>Recover<\/strong>: Incident planning and preparedness<\/li><\/ul>\n\n\n\n<p>In the near future, the CSF will update its framework by adding a sixth function: govern. This new element aims to guide companies in understanding how to achieve the outcomes of the other five elements with organizational structure and enforcement. As for the CPGs, the impact of this addition is not yet known.<\/p>\n\n\n\n<p>Impact, along with our cybersecurity partner DOT Security, has aligned our services with the Center for Internet Security\u2019s CIS Critical Security Controls (CIS Controls), which provide a better way for us to measure a business\u2019 cyber maturity and lay out a plan to consistently improve\u2014which is a never-ending journey, not a destination.<\/p>\n\n\n\n<p>CIS Controls are a simplified set of best practices used by thousands of cybersecurity professionals worldwide and allow businesses to:<\/p>\n\n\n\n<ul><li><strong>Simplify their approach to protecting against threats<\/strong>: CIS Controls provide a streamlined cybersecurity strategy to safeguard an organization.<\/li><li><strong>Comply with industry regulations<\/strong>: The tools and best practices can help organizations meet compliance requirements for cybersecurity policy, regulatory and legal frameworks.<\/li><li><strong>Accomplish essential cyber hygiene<\/strong>: The majority of effective cyberattacks take advantage of \u201cpoor cyber hygiene,\u201d such as neglected software, inadequate configuration management and a reliance on outdated solutions. The CIS Controls help businesses \u201cclean up\u201d their systems.<\/li><li><strong>Turn information into action<\/strong>: CIS Controls acknowledge that modern systems and software are constantly changing, leveraging this awareness to facilitate the ongoing evolution of assets in accordance with the security objectives of your business.<\/li><li><strong>Follow the law<\/strong>: Numerous states mandate that executive branch agencies and other governmental entities adhere to cybersecurity best practices. Several of these explicitly cite the utilization of CIS Controls as a means to showcase a \u201creasonable\u201d standard of security.<\/li><\/ul>\n\n\n\n<p>The threat of cyberattacks evolves faster than most businesses can keep up with, meaning the cybersecurity industry must continuously evolve to protect against threats.<\/p>\n\n\n\n<p class=\"has-vivid-cyan-blue-color has-text-color\"><strong>Looking Into the Future<\/strong><\/p>\n\n\n\n<p>This is only the beginning of cybersecurity oversight. Although they\u2019re currently voluntary, the CPGs may eventually become industry regulations that could result in fines and other sanctions for companies that ignore the proper cybersecurity procedures.<\/p>\n\n\n\n<p>Companies will also continue to be encouraged to prioritize cybersecurity, as it will become increasingly difficult for businesses to obtain cyber insurance and loans from financial institutions without them. The absence of evidence demonstrating compliance with minimum security standards may result in the loss of customers.<\/p>\n\n\n\n<p>The current scope of the CPGs encompasses cybersecurity measures across various sectors. However, CISA is actively collaborating with Sector Risk Management Agencies to initiate category-specific guidelines for each critical infrastructure division.<\/p>\n\n\n\n<p>These are expected to either be customized toward specific sectors or provide resources designed to help implement existing CPGs for each category. The creation of these goals will enhance targeted protective measures, addressing the unique needs of each sector.<\/p>\n\n\n\n<p>A highly effective strategy in confronting cyber risks is educating businesses on the topic of cybersecurity risk management. Notably, at Impact, we\u2019ve observed both prospects and clients actively increasing their knowledge of cybersecurity, resulting in more questions and interest compared to the year before. I don\u2019t believe it\u2019s enough, but the more it\u2019s talked about, the better off we\u2019ll all be.<\/p>\n\n\n\n<p>Although the CPG suggestions alone aren\u2019t enough to prevent cyberattacks, engaging in ongoing discussions about cybersecurity and devising strategies to manage risks stands out as the most effective means to keep your business as safe as possible. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the beginning of 2023, the U.S. government\u2019s Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of the Cybersecurity Performance Goals (CPGs)\u2014a set of practices that businesses and critical infrastructure owners can take to protect themselves against hackers. These goals, while not currently mandatory, are still crucial in the face of escalating cyberthreats, which outpace most businesses\u2019 ability to defend themselves. Managing risk and aligning with the CPGs at your organization has to be a company-wide initiative that starts at the top. The Importance of CPG Implementation Over 2,200 cyberattacks happen each day; that\u2019s one attack every 39 seconds. Yet, only 38% of organizations feel as though they\u2019re prepared to handle an advanced cyberattack. These statistics reveal how the majority of businesses are unprepared to deal with modern threats. The exponential rise in attacks not only jeopardizes sensitive data but also poses significant financial and reputational risks to breached businesses. The underlying hope of the CPGs is that they\u2019ll spur business leaders into decisive actions to fortify their company\u2019s cybersecurity by being clear, thorough, prescriptive and pragmatic. Cybersecurity Risk Management Issues Many business leaders don\u2019t prioritize investing in cybersecurity and lump it into their already small IT budgets. But cybersecurity isn\u2019t an IT problem; the standard IT operations employee doesn\u2019t have the skills to provide the protection a company needs. Having cybersecurity specialists, or outsourcing from a managed service provider, is the best way to ensure your business\u2019 security will be protected well enough to prevent hackers from wreaking havoc. Companies that don\u2019t focus on cybersecurity risk getting hacked at an exponentially higher rate than those that do. When companies are hacked, insurance companies want to restore the business\u2019 operations as fast as possible to limit the amount of money they have to pay in a claim. And since most cybercriminals are motivated by money, the fastest way to resume operations is by paying the ransom. By giving the hackers what they want, the vicious cycle of cybercrime continues and escalates. The best way to reduce this cycle is by investing in the proper people, processes and technology. While effective tools can stop threats, monitoring allows a company to detect and respond to incidents that do occur. How CPGs Compare to Other Security Frameworks CISA originally published the first CPG report in October 2022. The introduction of CPGs gave business leaders more structure and a roadmap to follow. After receiving feedback requesting a more streamlined alignment with the National Institute of Standards and Technology\u2019s (NIST) Cybersecurity Framework (CSF) functions, the agency undertook a comprehensive update and reorganization of the CPGs. The CPGs\u2014which today include the outcome, risk addressed, scope and recommended action of each goal\u2014are now aligned with those CSF functions. But the CSF tends to be more descriptive when compared to the prescriptive CPGs. Additionally, CISA updated smaller components within the framework, including the incorporation of phishing-resistant multi-factor authentication (MFA) into the updated MFA goal and the addition of a goal to aid in the recovery planning capabilities of organizations. Let\u2019s take a look at some of the goals your business should work toward, divided according to the NIST CSF: Identify: Taking asset inventory, clarifying organizational and operational technology (OT) cybersecurity leadership, improving IT and OT cybersecurity relationships, mitigating known vulnerabilities, third-party validation of cybersecurity control effectiveness, supply chain incident reporting and vulnerability disclosure and outlining vendor\/supplier cybersecurity requirements Protect: Password and credential protections, separating user and privileged accounts, network segmentation, detection of unsuccessful login attempts, basic and OT cybersecurity training, encryption, secure sensitive data, system backups and incident response plans Detect: Detecting relevant threats and terrorist tactics, techniques and procedures (TTPs) Respond: Incident reporting, vulnerability disclosure and deploying security.txt files Recover: Incident planning and preparedness In the near future, the CSF will update its framework by adding a sixth function: govern. This new element aims to guide companies in understanding how to achieve the outcomes of the other five elements with organizational structure and enforcement. As for the CPGs, the impact of this addition is not yet known. Impact, along with our cybersecurity partner DOT Security, has aligned our services with the Center for Internet Security\u2019s CIS Critical Security Controls (CIS Controls), which provide a better way for us to measure a business\u2019 cyber maturity and lay out a plan to consistently improve\u2014which is a never-ending journey, not a destination. CIS Controls are a simplified set of best practices used by thousands of cybersecurity professionals worldwide and allow businesses to: Simplify their approach to protecting against threats: CIS Controls provide a streamlined cybersecurity strategy to safeguard an organization. Comply with industry regulations: The tools and best practices can help organizations meet compliance requirements for cybersecurity policy, regulatory and legal frameworks. Accomplish essential cyber hygiene: The majority of effective cyberattacks take advantage of \u201cpoor cyber hygiene,\u201d such as neglected software, inadequate configuration management and a reliance on outdated solutions. The CIS Controls help businesses \u201cclean up\u201d their systems. Turn information into action: CIS Controls acknowledge that modern systems and software are constantly changing, leveraging this awareness to facilitate the ongoing evolution of assets in accordance with the security objectives of your business. Follow the law: Numerous states mandate that executive branch agencies and other governmental entities adhere to cybersecurity best practices. Several of these explicitly cite the utilization of CIS Controls as a means to showcase a \u201creasonable\u201d standard of security. The threat of cyberattacks evolves faster than most businesses can keep up with, meaning the cybersecurity industry must continuously evolve to protect against threats. Looking Into the Future This is only the beginning of cybersecurity oversight. Although they\u2019re currently voluntary, the CPGs may eventually become industry regulations that could result in fines and other sanctions for companies that ignore the proper cybersecurity procedures. Companies will also continue to be encouraged to prioritize cybersecurity, as it will become increasingly difficult for businesses to obtain cyber insurance and loans from financial institutions without them. The absence of evidence demonstrating compliance with minimum security standards may result in the [&hellip;]<\/p>\n","protected":false},"author":304,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4428],"tags":[],"_links":{"self":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/59224"}],"collection":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/users\/304"}],"replies":[{"embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/comments?post=59224"}],"version-history":[{"count":3,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/59224\/revisions"}],"predecessor-version":[{"id":59227,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/59224\/revisions\/59227"}],"wp:attachment":[{"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/media?parent=59224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/categories?post=59224"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/tags?post=59224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}