Page 46 - FCW, August 2017
CIO Perspective
ment needed is relatively modest.
Although estimates vary greatly, the total loss due to cybersecurity breaches is in the hundreds of billions of dollars per year.
A 2016 report by Cybersecurity Ventures states that cybercrime will cost more than $6 trillion worldwide by 2019. The report’s authors said they based that estimate “on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state-sponsored and organized crime gang hacking activities, a cyberattack surface which will be an order of magnitude greater than it is today, and the cyber defenses expected to be pitted against hackers and cybercriminals over that time.”
Factor 3: Lack of IT professionals
The third factor making cybersecurity defense so difficult is the lack of available talent. Again estimates vary, but Cisco said 1 million cybersecurity jobs are currently unfilled on a worldwide basis. Most large organizations struggle to find, develop and then retain such talent.
In large organizations, the complexity of the IT ecosystem requires proper management of that environment (e.g., rigorous software patching) and proper implementation and monitoring of tools to support the organization’s cybersecurity posture. Such tools include identity management and access control, firewalls and intrusion-detection systems.
All those activities must be done effectively in an environment in which it is difficult to find and retain the talent necessary to implement and monitor such systems. No wonder so many organizations are struggling (more than they will admit publicly) to properly manage and secure their IT systems.
Although I believe we, as an industry, are still losing ground to our adversaries, there are some positive developments. The awareness of cybersecurity risk among CEOs, board members and leaders of government organizations has increased significantly in the past five years, and many organizations recognize that cybersecurity breaches are the greatest business risk they face.
Accordingly, organizations are becoming more sophisticated in treating the challenge as an enterprise risk management problem, and they are using tools to help them identify a rational way forward to best address that risk.
Valuable tools for reducing risk
As daunting as the challenge can be, organizations are facing the fact that they must triage the problems and focus on minimizing the risk that can do the most harm to the organization.
To that end, I want to showcase two tools that are being adopted as de facto standards for use in supporting organizations in their cybersecurity enterprise risk management efforts. The first tool is the National Institute of Standards and Technology’s Cybersecurity Framework, which was developed under an executive order issued by President Barack Obama to address cybersecurity risks to the critical infrastructure sector.
In describing the framework, NIST states: “The framework helps an organization to better understand, manage and reduce its cybersecurity risk. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.”
The framework outlines a rigorous seven-step process that results in an action plan to implement investments that will have the greatest positive impact on an organization’s cybersecurity posture. And NIST did not develop the framework in a vacuum. It was crowdsourced with the support of more than 3,000 people from diverse parts of industry, academia and government.
Furthermore, the framework is not just about protecting systems and data. It also covers the cybersecurity life cycle, from identifying threats to implementing protections, and addresses how to detect, respond and recover from intrusions.
According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework by 2020, up from 30 percent in 2015. Recently, President Donald Trump issued a cybersecurity executive order that directs all agencies to adopt and use the framework to address their enterprise risk management posture.