Something historical occurred in March: The New York Department of Financial Services enacted the first-in-nation cybersecurity regulation for financial institutions. While banks, credit unions and insurers in New York are directly affected, the far-reaching implications are impossible to ignore. Groundbreaking regulation in one part of the country can easily drive change in other areas, and in other industries.
More importantly, New York's cybersecurity regulation highlights an inescapable shift in how businesses and regulators alike are starting to view cybersecurity – namely, as a risk-based endeavor. The new law requires financial institutions to tailor a formal cybersecurity strategy based on ongoing risk assessments.
This is significant in that it's a huge departure from traditional security models (and for that matter, regulation) where the idea was to create hard-and-fast rules about controls. With the rapid growth in public and private cloud IT infrastructure, networks have become extraordinarily dynamic. The way we protect our IT environments must evolve in kind.
Creating a minimum baseline
"Organizations that comply with CIS reduce risk by 94 percent."
Customization is the name of the new cybersecurity game. The defenses that work for one organization won't necessarily cut it for another namely because those two entities probably have a different set of risks based on their operations. These risks may be associated with regulations and guidelines (FFIEC for banks, HIPAA and HITECH for hospitals, PCI DSS for retailers, etc.), but also IT operational requirements.
But while there isn't a blanket cybersecurity strategy for every organization, there are a few core security control principles that apply to most, if not all, businesses. These principles were created by the Center for Internet Security (CIS), a group of cybersecurity experts that aims to improve cyber risk mitigation through a set of key baseline requirements. This set of critical security controls includes the following:
- Creating an inventory of authorized and unauthorized endpoints.
- Doing the same for applications.
- Establishing security configurations for all endpoints and servers, as well all software.
- Continually running vulnerability assessments and remediation.
- Managing administrative and user access privileges.
Subsections with these precepts provide greater specificity. Still, the precise nature of the security control and level of adherence to them will vary. For instance, for No. 5 on the list, some organizations may require multifactor authentication for certain systems as a way to refine user access privileges. Other low-risk systems may not need MFA. In respect to No. 1, no two networks' configurations will ever be the same. Likewise, for No. 4, the nature of a constant vulnerability assessment may vary slightly according to configurations. But every organization, regardless of size, should be continually assessing their networks for threats.
Complying with CIS: It takes a SOC
It's important to note that unlike NY DFS's cybersecurity regulations, CIS's critical security controls are by no means mandatory. Nevertheless, they do overlap with compliance standards set forth under HIPAA, PCI DSS and others, and they provide a framework for businesses that want to improve their security posture. More importantly, they create a wire frame for developing a risk-based approach to cybersecurity. Lastly, organizations that comply with the five principles and their sub-sections reduce risk by about 94 percent, according to CIS.
So what is the best way to comply with CIS? The answer is a security operation center. But before you scoff at the suggestion on account of how expensive building, managing and maintaining a SOC is, know that there are cost-effective, reliable alternatives. One example is SOC-as-a-Service. Unlike the traditional MSSP, SOC-as-a-Service encases a particular benefit known as managed detection and response (MDR). MDR takes a bigger picture view of how network security controls can be improved based on the unique risks of a given organization.
In other words, MDR complies with CIS at a high level, and then takes a deep dive to help implement a more granular risk-based cybersecurity strategy.