CISA recently published a CPG document that simplifies baseline cybersecurity recommendations for small and medium-sized companies. It’s a great guide, but is it enough to move the needle?
In October of 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) released a document titled “CPG — Cross Sector Cybersecurity Performance Goals” that lays out some guidelines for improving the cybersecurity posture and outlook of organisations. This document is intended to supplement the NIST Cybersecurity Framework created several years ago.
The CPG document discusses how many organisations, even today, still need to adopt fundamental cybersecurity protections. It also points out how small and medium-sized organisations are often “left behind” when implementing cybersecurity practices and investments. There is a “lack of consistent standards and cyber maturity across CI (critical infrastructure) sectors.”
I applaud efforts to bring such matters to our attention, no matter how often we repeat the same story. Parents and teachers know that repetition is the key to getting things to change and improve.
However, we also know that there are more effective and efficient ways to get things to change than simple repetition. It also requires simplifying difficult things, which is why this document is so important. From our perspective at Arctic Security, achieving baseline security should not be complicated.
Reading through this CPG list, I can see how Arctic EWS would help an organisation to tackle a few of the baseline capabilities:
• asset inventory (2.3)
• mitigating known vulnerabilities (5.1)
• no exploitable services on the internet (5.4)
• third-party validation of cybersecurity control effectiveness (5.6)
It can also help you make the case to your manager for dedicating time to implementing all the other CPGs, since we can tell you what kinds of problems are regularly visible in your company.
The problem I see is that this document states that everything is voluntary. We know how well voluntary requirements work in the real world. I’m not saying they always fail; we can point to many instances where voluntary action has led to success. But it is woefully inefficient in a world where cybersecurity issues are constantly growing.
Okay, back to teaching and parenting for a moment. There are ways to get people to do things beyond voluntary adoption. Let’s start with the one everybody hates, penalising people and organisations for non-compliance. It works well in the military, civilian world and at home. However, it also leads to rebellion, anger and a populace that is constantly trying to figure out ways to game the system and put an end to the man cracking the whip. In other words, it is not always the best solution.
The other method is through incentives — a reward system. We reward good behaviour. Heck, people pay for points and fame on video games with no value other than the proverbial “‘atta boy” pat on the back. Humans are easy sometimes.
Now, I am not saying the brownie points system is the way to get organisations to buck up and improve their cybersecurity posture. Still, it is possible to create incentive systems to get them to fall in line. Perhaps tax incentives for organisations that can show evidence of compliance? Tax planning is an industry in itself, and I can already imagine the hoops that the CFO would have the rest of the organisation jump through to achieve 1% less tax at the end of the year. The best part is that tax planning is just as critical for small businesses as it is for large ones.
Finally, this brings me to the notion of “evidence”. To prevent people and organisations from gaming the system (at least not systematically), we need to consider what criteria can serve as conclusive evidence. Some of this can be determined by adherence to today’s limited standards, which are listed in the CPG document, but more is needed.
We also need to collect data from tools that track information such as the existence of vulnerable systems and the ability of organisations to react to known attack vectors. In other words, we need to know how vulnerable or resistant an organisation is to digital diseases.
Okay, again, I want to applaud CISA for their efforts here. Let’s kick it up a notch and do better.
This article was produced by Arctic Security.
This article has been fact-checked by Arctic Business Journal and Polar Research and Policy Initiative, with the support of the EMIF managed by the Calouste Gulbenkian Foundation.
Disclaimer: The sole responsibility for any content supported by the European Media and Information Fund lies with the author(s) and it may not necessarily reflect the positions of the EMIF and the Fund Partners, the Calouste Gulbenkian Foundation and the European University Institute.