When Will Security Frameworks Catch Up With the New Cybersecurity Normal?

Now that the system shock to IT systems and organizations from the pandemic (not to mention the horrific human toll) has begun to subside, we are seeing the emergence of a whole new landscape for cybersecurity. Before last year, most organizations depended mainly on an in-person workforce in company-owned or leased buildings, with teleworking reserved for contractors or traveling managers and salespeople.

Then came a global pandemic that, among other things, made it a real danger to work face to face. Many companies had to shift their entire workforce over to working from home, literally from one day to the next. As awful as it was, one of the most significant consequences of the pandemic is that it may have been the dam-breaking event that makes widespread work from home the new standard.

However, the pandemic has also widened the gap between major cybersecurity frameworks such as ISO 27001 and the NIST Cybersecurity Framework and the reality of most modern organizations, even those that have not become 100% virtual. This has been happening for years, but as the gap between the security standards we have to follow and the actual security challenges on the ground widens, the frameworks need to become more agile or risk becoming costly standards that organizations comply with but that have little or no effect on actual security.

For example, risk assessments are a large part of these regimes and often serve as the starting point for adapting your organization’s security efforts to the risks the company faces. A large part of NIST’s and ISO’s recommended risk assessments focus on physical threats to locations. For example, an entire section of NIST – the physical and environmental protection (PE) controls, with 23 items – is dedicated to this area. This made sense when everyone worked in a company office. But with many companies using a distributed workforce, localized disasters now have far less potential impact on a company’s operations. Major disasters such as pandemics, which were once considered edge cases that required minimal remediation and control, have proven to be much more impactful and more likely than we previously thought. New versions of the security frameworks need to recognize this, possibly by offering different risk assessment tools for companies with largely remote workforces.

Alternate processing sites are covered by the security frameworks. But for many cloud-native companies, this simply means a different region or zone of a cloud provider, or even an alternative cloud provider. These arrangements are far more flexible, powerful, and cost-effective than physical hot sites have ever been, and they can be configured with a few clicks of the mouse. Even companies that still own physical data center infrastructure often use the cloud as their backup. The days of massive, business-owned alternate sites are waning, and security frameworks and rules should be updated to recognize that.

What is important for modern security frameworks?

  • Software-as-a-Service (SaaS) infrastructure
    SaaS software and infrastructure can represent 70% to 80% or more of a company’s IT these days. Between Microsoft 365, Google Workspace, Salesforce, AWS / Azure and even software development tools, most of a company’s digital crown jewels can live in someone else’s infrastructure. Current frameworks either do not mention SaaS at all or simply lump it in with all other third-party access. NIST finally released a cloud computing update in 2018 (SP 500-322), but it was already obsolete when it came out. Different approaches and controls are needed for this type of infrastructure: encryption is often built in, but it may require special backup services or custom settings in the SaaS configuration. The built-in security features and tools are often impressive, but offer limited customization. Frameworks need to adapt to this and update their guidance for these widespread platforms.
  • Better endpoint protection
    Most frameworks are satisfied if you have some form of anti-malware loaded on endpoints and use disk-level encryption (not all of them even require it). But endpoint protection is the endgame and always has been. Most breaches come from mistakes or intentional actions at an endpoint. A good first step is to protect them better with more sophisticated software that is behavior-based rather than signature-based. Data loss prevention (DLP) and more comprehensive inbound / outbound filtering and monitoring could also be emphasized more.
  • Remote and wireless access
    Security frameworks must recognize that for many organizations, most endpoints will be remote and / or wireless. Right now, NIST has only one control on remote access (AC-17) and only one on wireless access (AC-18). These areas need to be expanded, because in the future most access will come from outside and over the air, instead of being the edge case it was once considered. Even in physical offices, local area network access is often wireless to make it more flexible.

To make matters worse, most of these major security frameworks take years or even decades to update. The bureaucratic committees, public comment periods and audits take a lot of time. In the case of laws and regulations, even more stakeholders can slow rapid changes in public policy. Policies need to become more agile, as must the organizations they regulate. Until they do, companies will continue to have to jump through unnecessary compliance hoops that do not improve actual security, while gaining only a slight improvement in their security posture from these important and often necessary security frameworks.
