October is cybersecurity awareness month. So, what better time than now to talk about the more detailed proposals emerging from the current administration to strengthen cybersecurity, and how compliance officers and CISOs will need to work together to bring that better security into being?
You might recall that earlier this year the President issued an executive order outlining numerous cybersecurity goals he wants government agencies and federal contractors to achieve. Several weeks ago the Office of Management and Budget began filling in some of the details, with specific measures the White House wants to implement over the next three years.
The long journey to stronger cybersecurity will need to be a collaborative effort across all risk assurance functions.
To be clear, the OMB’s proposed measures are only proposals, although it’s a safe bet that most of them will be adopted as final policy goals soon enough. And technically, the proposed measures only apply to federal government agencies — though in the real world, government contractors, large corporations, and other organizations should watch Uncle Sam’s cybersecurity ambitions closely. Either you’ll need to embrace those same goals yourselves to be an attractive vendor to federal agencies, or you’ll want to implement the measures as best practices anyway.
But what are those cybersecurity objectives, exactly? And what steps would be necessary to achieve them? Let’s take a look.
The Big Objective Is Zero Trust
Above all, the Administration wants to shift to Zero Trust Architecture: An approach to cybersecurity where IT systems seek to confirm the identity of users and devices on the corporate network repeatedly.
That’s very different from the more traditional perimeter-based security, where IT systems built high walls around the network; but once a user scales those walls, they’re in — including hackers with stolen credentials, unhappy insiders poking around databases they shouldn’t, or criminal gangs that exploit holes in corporate software that you forgot to patch.
The Zero Trust model worries less about that perimeter, because it’s an outdated concept. Companies today routinely have employees working from home, or guests in the conference room using the office wi-fi, or joint venture partners collaborating on confidential data. The people, devices, and data are what need attention, at all times.
If migration to Zero Trust architecture is the goal, then several improvements to cybersecurity policies and procedures need to happen. Which brings us back to the OMB proposal for specific steps that should be implemented by October 2024, and how compliance officers and CISOs can think about the implications.
One of those improvements is stronger identity access management, so businesses have more assurance about who is using their corporate networks. OMB has proposed three specific steps it wants to see in federal IT systems:
- Single sign-on, where users sign into the enterprise IT system using the same ID and password, for all the applications and data he or she typically uses.
- Multi-factor authentication, which most of us have encountered before. You log into a system using something you know (an ID and password), but the system also sends a second, one-time entry code to something you have (usually a cell phone or a key fob).
- Stronger password policies, and this one might be welcome: no more passwords that need special characters, or that must be changed every few weeks! Instead, passwords would need to be longer, but they could be a chain of words that a person could easily remember — say, your three favorite vacation spots. (Passwords would also need to be screened against a government database of compromised passwords for sale on the dark web.)
Taken altogether, those measures would make user access both stronger for the company and easier for the user. A person would need to remember only one ID and password, and multi-factor authentication would make it much harder for hackers to put stolen passwords to work. Even if the organization imposes more log-in checkpoints, they won’t be onerous for the users.
That’s one example of the enhanced cybersecurity environment the Biden Administration wants for the federal government. It’s also a smart environment for corporate organizations generally, given the ceaselessly rising levels of cybersecurity risk out there.
This Will Require a Lot of Collaboration
Let’s assume your board and C-suite love the idea of Zero Trust Architecture. What then? How can CISOs lead the charge, and what supporting roles would risk managers and compliance officers play?
For starters, businesses would need to rely on multiple cybersecurity frameworks to guide them through the changes they would need to make. For example, NIST (the National Institute of Standards & Technology) has one framework to help with implementing Zero Trust overall, and another framework specifically for stronger passwords and multi-factor authentication.
Proceeding through those frameworks will most likely require a technology tool of some kind, so tasks can be assigned to specific people and progress measured (or tasks not done can be escalated for senior executives to, ahem, emphasize the urgency). CISOs will also need a way to map existing policies, procedures, and controls you use to those Zero Trust frameworks; it’s entirely possible that you’re performing some Zero Trust requirements already.
Compliance officers and risk managers, meanwhile, will need to assess where related risks might crop up in your company’s business processes, such as:
- Will contracts with third parties address enhanced cybersecurity measures?
- Have employees been trained on new procedures and why they’re necessary?
- Is the business correctly classifying the data it has, to apply proper security levels for privacy obligations or other risks?
- Have your policies and procedures been documented, either to demonstrate compliance to regulators or to assuage customers skittish about your own cybersecurity?
As you can see, the journey to stronger cybersecurity is going to be a long one. It will need to be a collaborative effort across all risk assurance functions — and, ideally, we’ll all be aware of cybersecurity for the whole year round, rather than just the month of October.