On March 2, 2023, the Biden-Harris Administration published the updated National Cybersecurity Strategy. Building on the cybersecurity strategies of previous administrations released in 2008 and 2018, the updated strategy outlines the current Administration's plan to enhance the cybersecurity and resilience of the nation's underlying digital ecosystem, which supports basic functions of the economy, the operation of critical infrastructure, data privacy, national defense, and more.
This document is important to all US-based Chief Information Security Officers (CISOs) for a number of reasons. First, the strategy will directly affect all public-sector organizations and their immediate vendor ecosystem. Second, the strategic initiatives in this document will have significant ramifications for all critical infrastructure operators and vendors in the US. Finally, the National Cybersecurity Strategy will have implications for all private-sector companies providing services to the organizations mentioned above.
As with any good strategy document, the National Cybersecurity Strategy begins by outlining the current state of the general cybersecurity environment. Next, the document defines the desired future state of cybersecurity and highlights the good work that has already been accomplished by others, which it proposes to leverage and build on. Finally, the document presents the five pillars of the strategy itself, each of which serves as an overarching theme with supporting objectives and initiatives to guide implementation.
In analyzing this document, I realized I was looking at it from at least four different points of view; four different hats, if you will:
- As a CISO for a cloud-first company that relies on multiple vendors and service providers for its day-to-day operations. A CISO who needs to protect their own company.
- As a CISO for a technology company that develops software products and services that can become part of a supply-chain attack. A CISO who needs to protect their customers.
- As a CISO of a security software vendor looking to help its customers adapt and respond to this cybersecurity strategy to enhance their security posture. An experienced CISO who is acting in the capacity of a trusted advisor.
- Last but not least, as SafeBreach, a company that needs to understand what the National Cybersecurity Strategy means in terms of our security posture and program.
Each of these perspectives provides a different lens through which to review and digest this strategy. In this post, the first of a three-part series, I will unpack the cybersecurity strategy by distilling the introductory themes and the first pillar through each of these lenses. In doing so, I hope to help others who share similar roles begin to understand, prepare for, and ultimately operationalize the guidance provided in the National Cybersecurity Strategy. While some aspects of the strategy may not apply directly to every one of these perspectives, it still offers a great deal that is worth considering.
Strategic Environment: Where do we operate?
The National Cybersecurity Strategy begins by recognizing the current ecosystem. First, it addresses emerging trends—not just those that pertain to cybersecurity but also to the overall digital ecosystem—that include new technologies and the hyper-connectivity of our increasingly digital world.
The interpretation of this section is similar for all four perspectives. As a CISO, new technologies and added connectivity have the opportunity to greatly enhance the efficiencies of my organization, but I must remain aware of the way that this also increases my attack surface. As a product CISO, adding new technologies and capabilities to our products and services can enhance the value we provide to customers, but also comes with added supply-chain risks. Our customers also face these same risks and, as a trusted advisor, we have an opportunity to help them address them in a meaningful way.
Next, the section highlights the challenges and external forces that shape our strategic environment, including malicious actors such as China, Russia, Iran, and North Korea. This is a strong reminder that, regardless of size, industry, product type, or job title, these actors are a threat to us all. And, as clearly expressed in the strategy document, the Administration views its role as helping to protect not only government agencies and public-sector organizations, but private-sector organizations as well.
Our Approach: Where do we want to go?
Next, the document defines the desired future state of cybersecurity, which is to enhance the resilience of the national infrastructure in cyberspace. To accomplish this, it recognizes the need to reduce the cybersecurity burden traditionally shouldered by individuals and small organizations, and to incentivize organizations to prioritize long-term security investments. Namely, how can the government increase accountability and responsibility while, at the same time, building incentives that reward security-by-design? Again, there are clear parallels across all four of my perspectives.
As a CISO in charge of protecting my company, I need to rebalance how we assign and expect responsibility from our employees, security tools, partners, and vendors. Simultaneously, I must figure out how to reward and incentivize my employees, my partners, and my vendors to accept this responsibility.
As a CISO for a company creating software products and services, I must consider how to move from speed-to-market to secure speed-to-market. Recognizing that we must accept liability for the products and services we provide is fundamental. I also can’t let my vendors and supply chain shrug off their liability. I must hold them to the same high standard I expect from my company. It also is important to identify how I can incentivize my product and development groups to follow security-by-design. Similarly, as I look to my role as a trusted advisor to our customers, how can I help them achieve this same rebalancing act?
Finally, as a company, SafeBreach must anticipate the requirements that are likely to flow down to us from the federal government and from our customers as they work toward that future state of cybersecurity. To stay on that path, what would we need to build into our security program?
Building on Existing Policy: How do we leverage existing work?
Most strategies should evolve rather than simply be replaced every few years, and this document is no different. The final section of the introduction highlights the good work that has already been accomplished by individuals, organizations, and previous administrations, which the Administration proposes to leverage and build on.
This section serves as an important reminder as I consider the parallels to each of my roles. As I look to support my business partners inside and outside of SafeBreach, I have to build on what is already there and help bring them to the next level, not just in terms of capabilities and features but also in terms of security. As CISO, I must expand on the work we have already done in building better, more secure code and services. And finally, as a trusted advisor to our customers, I need to help them achieve their strategic goals by acknowledging what they have already accomplished, while establishing a plan to reach their desired future cybersecurity goals. For any CISOs wearing the trusted advisor hat, I recommend developing an understanding of your customers’ current state and high-level strategic goals.
As a company, SafeBreach has already made significant investments in our cybersecurity program based on the 2018 strategy and various executive orders (EOs). It is encouraging to know that this work will not go to waste or need to be overhauled. Rather, the new strategy helps organizations like SafeBreach build on the work we have already accomplished.
Pillar 1: Defend Critical Infrastructure
At a high level, this overarching theme is very simple and can be easily adapted by any of the roles I play at SafeBreach. As the CISO for SafeBreach, I need to protect my company, our employees, and our customers. As the CISO for a company that develops software products and services, I need to make sure that I defend my development and delivery/production infrastructure. As a trusted advisor, I need to help our customers defend their infrastructure with the tools/services we provide them.
While SafeBreach is not considered a critical infrastructure company, many of our customers are. As a security platform provider to those customers, we need to be ready to support them in complying with any new regulations or standards incorporated into the different regulatory environments. We can also help our customers validate that their systems are more defensible and resilient.
Initiative 1.1: Define requirements.
Many CISOs may misread this initiative as the government's desire to regulate cybersecurity; the term regulation is used throughout it. A closer reading shows that the initiative is not much different from defining, clarifying, and streamlining security requirements across the infrastructure. It also calls for investing in implementation and enabling constituents to follow the associated policies and processes. This is a call to action for CISOs to recognize opportunities to streamline and build shared policies, processes, and tools.
As the CISO for SafeBreach, I must provide clear requirements and policies for my organization. For example, I don’t want our finance department to have a different password policy than our human resources department or sales group. In the same way, I would rather secure one collaboration platform and leverage one storage solution. I must then provide the right training tools to help all employees understand and implement these policies.
As the CISO responsible for product/service delivery, I must provide clear requirements and policies for our organization’s development and the downstream vendors we use to build and deliver our products and services. For example, I want my development organization to stick to a single SDLC throughout the entire development organization. I also want my vendors to have similar SDLC processes. I then need to facilitate the work of the development organization to follow these development practices, identify secure supply-chain partners, and give them the tools they need to build security-by-design.
Next, as a trusted advisor to our customers, I need to first understand our customers’ cybersecurity program requirements and, if needed, help them define these. Then, I want to help customers understand how to best utilize our platform in a way that meets their requirements and gives them the most return on investment. I can facilitate this by building reusable use cases and workflows that all my customers in a certain industry vertical can leverage, for example.
Finally, as a company, SafeBreach can help our customers comply with the guidelines from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). While SafeBreach is not currently in a regulated industry, as stated previously, most of our customers are. Too often, different regulatory frameworks have different and, at times, conflicting requirements. To give a simple example, in the event of a breach of personally identifiable information (PII), each state has different notification thresholds and requirements. For some states, a company needs to notify customers only if more than 1,000 individuals are involved; for some, the threshold is 500 or even 250 individuals. Then some states require the company to notify the state’s attorney general before notifying the impacted individuals; others require it the other way around. Streamlining and harmonizing new and existing regulations will help companies comply.
Initiative 1.2: Scale collaboration across the organization.
This initiative is focused on creating the space to allow collaboration between business units across an organization. SafeBreach is a small company, and collaboration is fairly simple. However, in my experience working at large organizations, this collaboration needs to be improved. Not surprisingly, this is particularly relevant to organizations with federated business groups or even federated services. This initiative calls for one body to help coordinate collaboration and facilitate practice sharing across the different federated bodies. Taking this as a metaphor for smaller organizations, think about how easy it is for silos to form across an organization. Collaborating and sharing across the organization can help all involved to break through those silos and gain some unexpected efficiencies.
As the CISO for SafeBreach, I find that being able to share security initiatives across the organization, rather than focusing on each department/division, helps provide everyone with greater context around cybersecurity and why we pursue certain security initiatives. It also helps create feedback that would otherwise be lost.
As a product CISO, I must find opportunities for multiple development groups/products to collaborate on tooling and leverage shared tools and data where possible. This typically promotes sharing of best practices and may occasionally even prevent a team from “reinventing the wheel” that a different team has already figured out.
As a trusted advisor, I often see companies that would benefit if two or more teams leveraged our platform. We see many examples where security teams across our customers’ organizations are siloed, and our platform can serve as a collaborative tool. We can help companies identify these opportunities and the synergies they can derive from this level of collaboration.
As a company, SafeBreach welcomes this initiative. We already participate in CISA's collaboration with the private sector and translate its advisories and notifications into actionable content that our customers can use to validate their security infrastructure against shared threats.
Initiative 1.3: Integrate different security programs and initiatives.
This initiative addresses the opportunity for the federal government to consolidate its purchasing power to drive efficiencies that promote security. In my experience with large organizations, different groups, even within the same security organization, often use different tools and standards. To overcome this challenge, organizations must look for opportunities to integrate those tools into what Gartner calls a cybersecurity mesh architecture, in which the different components and layers of security are interconnected and together provide a clearer picture of both the threat and the defensive controls.
As the CISO for SafeBreach, a common challenge I run into is that different departments need similar tools but wind up getting different ones. The obvious potential benefit here is being able to get a preferable pricing structure with a larger consolidated purchase. This also means that from the security point of view, I only need to secure one tool rather than multiple tools.
As a product CISO, integrating tools throughout the development and deployment process, together with feedback from the production environment, can greatly improve the efficacy and security of our platform. An obvious example is a single shared library for input validation and output encoding: it is far more efficient, and easier to audit, than different libraries for different modules of the platform.
As a trusted advisor, we have the opportunity to help our customers integrate our platform with their security portfolio. This ultimately enhances the overall value proposition of all involved, including our customers, our platform, and other security platforms they leverage.
While this initiative is more internally focused, SafeBreach welcomes this initiative as it is likely to enrich the overall threat intelligence and guidelines provided by the different federal cybersecurity centers. This will help both SafeBreach and the customers using our platform be more secure with up-to-date consolidated threat intelligence.
Initiative 1.4: Update our incident response plans and processes.
In this initiative, the Administration is looking to help different constituencies stay up to date in response to current and emerging threats and incidents. More specifically, the Administration wants to make sure that incident response is coordinated and unified across the federal government. It also seeks to establish clear communication lines so that, in the event of a cyber-attack, those involved know where to report it. At the same time, the Administration is looking to make sure that even if an incident is reported to the wrong agency, the reporting organization does not have to look for the correct reporting channel. I particularly like the use of the phrase “a call to one, is a call to all.”
In both the internal and product CISO hats, it is incumbent on me to make sure my constituents know how to respond to incidents and whom to contact in case of an incident. Too often, I see CISOs create a state-of-the-art incident response plan, then fail to share it with anyone outside the security group. When an incident happens, my constituents should not have to figure out, in the moment, where they should report it. Next, I must also ensure that if any one of our security resources gets an incident report, they don’t tell the reporter they need to go to another individual on the security team. Rather, this person needs to take ownership and bring the report to the correct individual on the security team.
In my trusted advisor hat, I have the opportunity to work with my customers to show them how the SafeBreach platform can help in testing out and updating their organization’s incident response plans and processes.
The last paragraph refers to the Cyber Safety Review Board (CSRB) bringing together public and private cybersecurity leaders to “guide industry remediations and provide recommendations for improving the nation’s cybersecurity posture moving forward.” As a company, SafeBreach can play an important role in helping our customers validate that these remediation efforts are working as expected.
Initiative 1.5: Modernize our current defenses.
The threat landscape is ever-evolving. This initiative recognizes that we must keep our current security portfolio up to date and ensure that our defenses keep pace with the different activities, roles, and resources of different constituencies. Adapting to emerging threats and new malicious actors is critical. The initiative builds on the zero trust direction already set by Executive Order 14028 ("Improving the Nation's Cybersecurity," May 2021) and starts to address security "technical debt." While the following pillars address this issue as well, the Administration recognizes that there are legacy systems that are not resilient or easily secured, and that there must be a concerted effort, over time, to update those systems or ensure that proper remediation is planned.
As the internal CISO at SafeBreach, this is very straightforward. We too have legacy systems that do not fit well within our zero trust architecture. Where possible, we need to update these systems or create a suitable remediation plan.
As the product CISO, I must monitor emerging threats and incidents affecting the SafeBreach development organization, including our supply chain. This is especially important because development organizations tend to accumulate technical debt in code, most visibly as old open-source libraries and tools with known vulnerabilities that are still part of the build.
As a trusted advisor, I need to help our customers understand how they can leverage our platform to adapt to this evolving threat landscape. This initiative also raises the topic of software bills of materials (SBOMs). As a vendor, SafeBreach will make its SBOM available to its customers. That gives customers assurance that when a new supply-chain vulnerability is announced, they can quickly determine whether it reaches them through our platform, rather than having to treat us as an unknown supply-chain risk.
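The reason an SBOM is useful on the day an advisory lands is that the consumer can answer "are we exposed through this vendor?" mechanically, without waiting for the vendor's statement. The script below is an added example, not SafeBreach code and not part of the original post: it reads a minimal CycloneDX JSON SBOM, parses each component's package URL (purl), and reports every component that falls inside an advisory's affected version range. The SBOM, the package names, the versions, and the advisory identifier are all constructed placeholders for illustration; none of them refers to a real package or a real vulnerability.

```python
"""Match a CycloneDX SBOM against a supply-chain advisory.

Added example (not SafeBreach's code). Every package name, version and the
advisory identifier below is a constructed placeholder, not a real vulnerability.
"""
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM with only the fields this check needs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1",
     "purl": "pkg:pypi/example-json-parser@2.3.1"},
    {"type": "library", "name": "example-json-parser", "version": "2.5.0",
     "purl": "pkg:pypi/example-json-parser@2.5.0"},
    {"type": "library", "name": "example-http-client", "version": "0.9.4",
     "purl": "pkg:npm/example-http-client@0.9.4"},
    {"type": "library", "name": "example-crypto", "version": "1.0.0",
     "purl": "pkg:pypi/example-crypto@1.0.0"}
  ]
}
"""

# Constructed advisory. The affected range is half-open: [introduced, fixed).
# "PLACEHOLDER-0001" is a hypothetical identifier, not a real CVE.
ADVISORY = {
    "id": "PLACEHOLDER-0001",
    "ecosystem": "pypi",
    "package": "example-json-parser",
    "introduced": "2.0.0",
    "fixed": "2.4.0",
}


def parse_version(v: str) -> tuple:
    """'2.3.1' -> (2, 3, 1). A non-numeric piece ('rc1') ends the tuple, so
    '1.2.3rc1' compares as (1, 2, 3): adequate for a first triage pass."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so '2.3' equals '2.3.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def parse_purl(purl: str):
    """Split 'pkg:type/name@version' into (type, name, version).
    Namespaces such as 'pkg:npm/@scope/name@1.0.0' stay inside the name;
    qualifiers (?...) and subpaths (#...) are ignored."""
    m = re.fullmatch(r"pkg:([^/]+)/(.+)@([^@?#]+)(?:[?#].*)?", purl)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def is_affected(version: str, advisory: dict) -> bool:
    """Inside [introduced, fixed)?"""
    return (not version_lt(version, advisory["introduced"])
            and version_lt(version, advisory["fixed"]))


def find_affected(sbom_json: str, advisory: dict) -> list:
    """Return [(name, version), ...] for every SBOM component the advisory covers.
    Matching is on ecosystem and package name taken from the purl, so a
    same-named package in another ecosystem is not a false positive."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        parsed = parse_purl(purl) if purl else None
        if parsed is None:
            continue  # no purl: cannot attribute to an ecosystem, skip here
        ecosystem, name, version = parsed
        if ecosystem != advisory["ecosystem"] or name != advisory["package"]:
            continue
        if is_affected(version, advisory):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    for name, version in find_affected(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: {name} {version} is in the affected range")
```

Components without a purl are skipped rather than matched by bare name, so that an npm package that happens to share a name with the affected PyPI package is not flagged; in a real pipeline you would report those unattributable components for manual review instead of silently ignoring them.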
What to Expect Next
As you can see, the Administration has been incredibly deliberate about this strategy update not only to explain the federal government’s approach to cybersecurity, but also to provide guidance to organizations as they develop their own forward-looking plan. Stay tuned for subsequent posts, in which we’ll provide an analysis of each of the remaining pillars of the National Cybersecurity Strategy, including:
- Pillar 2: Prevent Attacks
- Pillar 3: Disrupt and Dismantle Threat Actors
- Pillar 4: Shape Market Forces to Drive Security & Resilience
- Pillar 5: Invest in a Resilient Future