Recent developments in the cybersecurity landscape have brought a renewed sense of urgency and importance to the need for secure organizations. Various federal entities, including the Department of Defense (DoD), Cybersecurity and Infrastructure Security Agency (CISA), and the White House, have all released updated guidelines and policies to address cyber defenses, preparedness, and skilled talent. In addition, the US Securities and Exchange Commission (SEC) has proposed new cybersecurity requirements that are expected to promote transparency and communication in the business sector.
However, while these efforts are commendable, they also introduce challenges for organizations that may not be prepared to meet the increased oversight and reporting requirements. Many security leaders currently lack the means to gather evidence and data to demonstrate their readiness to boards and executive leadership. As a result, less than 60% of organizations are confident in their breach readiness and incident response capabilities. Additionally, more than half of security leaders believe that their cybersecurity teams do not have the necessary data to properly respond to cyber threats.
To address these challenges and comply with government guidelines, organizations must adopt more effective approaches to building and proving their cyber capabilities. This paradigm shift requires several key actions. Firstly, organizations need to provide specific metrics that can demonstrate their resilience and capabilities. Currently, the measurement of cybersecurity effectiveness is limited, hindering the ability to identify strengths and weaknesses. By establishing better methods for assessment and proof, organizations can advance their cyber resilience and respond to the pressure from boards to demonstrate cyber resilience.
Secondly, organizations should move away from relying solely on technological “spot solutions” to address cybersecurity challenges. While there is no shortage of security tools available, implementing them as standalone solutions can leave organizations vulnerable to attackers. Instead, organizations should consider consolidating their tools and focusing on building a capable workforce that can effectively respond to cyber threats. Gartner predicts that a focus on the human element will become increasingly important in the cybersecurity landscape.
Lastly, organizations need to prioritize a people-centric approach to cybersecurity. Traditional training methods such as certifications, table-top exercises, and classroom work may not be sufficient to combat the evolving nature of cyberattacks. Despite increased training investments, a significant percentage of cyber leaders do not believe their teams have the capabilities to respond to future attacks. To address this, hiring practices should be reevaluated to ensure that qualifications and certifications are not the sole determining factors. This approach is particularly important to address the ongoing staffing challenges and talent gap in the cybersecurity industry.
In conclusion, the recent emphasis on cybersecurity from various federal entities is a step in the right direction. However, it also highlights the need for organizations to adapt and improve their cybersecurity capabilities. By providing specific metrics, moving away from technological spot solutions, and adopting a people-centric approach, organizations can better position themselves to combat cyber threats and prove their resilience to boards and company leadership. With strategic metrics and proof points, cybersecurity leaders can align their organizations for defense in the ever-changing threat landscape.