Regulators from the New York State Department of Financial Services should be applauded for the update to their upcoming cybersecurity regulation (if you are not in NYS or financial services, stay tuned, something similar is certainly coming to your state and industry soon).
Numerous adjustments were made based on feedback during the comment period, but most importantly there was a shift in mindset from one standard for all systems and situations to a philosophy of risk-based security.
Throughout the updated regulation, requirements are defined in the context of “the covered entity’s risk assessment” rather than as absolute requirements for all systems and data. This is a critical shift that I hope other regulators will follow, because it allows covered entities to modulate what measures are required based on the risk to each system and data set. It gives covered entities an alternative to applying the most stringent requirements equally to all systems; for example, two-factor authentication can be applied selectively to internal applications based on their accessibility and exposure.
With that said, to take advantage of this newfound flexibility, CISOs will have to put in place a formalized cyber risk assessment and management process that is defensible and documented. In large legacy enterprise environments and smaller entities alike, that is often easier said than done.
There are many facets to a robust cyber risk management program that are beyond the scope of this article, but one best practice that is often overlooked is making security everybody’s business. Although CISOs are accountable for cyber risk management, and in the case of the NYS DFS regulation have to sign on the dotted line, effective cyber risk management is only achievable if IT and the business teams are intimately involved. Ultimately, the IT team has technical authority over systems and data and the business team has operational responsibility, so to be successful, it behooves CISOs to make sure everybody has skin in the game.
At the highest level, risk management focuses on the intersection of threats, vulnerabilities and business impact. The information security team mostly has responsibility for access management and for threat and vulnerability management. However, effective cyber risk management also requires a well-run, resilient infrastructure, asset management and patch management, which are typically the domain of the CIO.
Application owners in the business are the ones who determine access levels, approve access to their applications and data, approve patching of their application’s infrastructure and provide critical context for validating insider threats and compromised accounts. They are also best positioned to provide the financial metrics that measure the impact of losing confidentiality, integrity and availability.
Business management is also responsible for promoting the importance of security and ensuring their departments can conduct their activities in a secure manner.
Finally, though beyond the scope of the NYS DFS regulation, which is focused on industry and consumer protection, the board is responsible for establishing the company’s risk tolerance and approving investments in security. That is a lot of moving parts to coordinate and manage. Managing cyber risk efficiently requires effective business intelligence systems to consolidate all the appropriate data in one place, the appropriate analytics to automate making sense of it all, and the right decision support processes to enable everyone to do their part.
When it comes to security and cyber risk, CISOs are in the middle of it all, but they are not alone in protecting the enterprise. Collaborating with the right stakeholders, who may be outside the information security team, and equipping them with the right information and processes makes them part of the solution instead of part of the problem.