The gold standard of cybersecurity best practices in the USA comes from the Cybersecurity and Infrastructure Security Agency (CISA). Within CISA is the Cybersecurity Advisory Committee (CSAC), which comprises 22 of the nation’s leading experts on cybersecurity, technology, risk management, privacy, and resilience, and includes a Chair and Vice Chair. CSAC is currently drafting an overhaul of the nation’s cybersecurity structure.
A final report with recommendations is expected to be issued later this year, but CSAC recently released a draft report offering some guidance for businesses. The draft report gives MSPs a good roadmap of where cybersecurity best practices will lean toward in the years ahead.
With these and other efforts, CISA is formulating a path forward for all organizations, from the corner pet grooming store to the sprawling industrial complex, to follow best cybersecurity practices.
“The first step to reducing our shared vulnerability is to have everyone on board,” says Tom Heaton, a cybersecurity analyst in Oklahoma City who follows CISA’s recommendations. “One weak link in one giant chain can bring the whole chain down.”
Here is a run-down of some of the cybersecurity areas the final CISA report will address:
Transforming the Cyber Workforce
“CISA is struggling from the same problem everyone else is – lack of available talent,” Heaton states.
The draft report notes that “CISA needs to prioritize its strategic workforce development; dramatically improve its talent acquisition process to be more competitive with the private sector; radically expand recruitment efforts to identify candidates across their professional lifecycle; and leverage talent identification and hiring success through interagency collaboration.”
Heaton added that the report also recommended creating a new position in CISA, a Chief People Officer.
“That tells you right there what they are up against,” Heaton points out. “It’s tough out there now, so they want someone to oversee the curation of talent.”
Heaton says CISA’s subcommittee is developing ways to “execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources to implement essential security practices.”
Heaton advises that the final report will have more granular detail. “It sounds like CISA is going to put more resources out there so that the small businesses, MSPs, and other stakeholders will have more resources at their disposal, which is great and, frankly, long overdue,” he says.
Heaton also believes a strong cyber hygiene program from CISA could level the playing field and allow smaller businesses to get their cybersecurity up to par with larger organizations.
“Again, that is important because it doesn’t do a lot of good if only a few organizations are doing what they are supposed to,” Heaton adds. “Everyone needs to be on board.”
Among CISA’s plans is the launch of a “311” national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses.
“This will be so simple and provide an all-under-one-roof place for even the smallest businesses to report a cyber incident; this will allow for earlier reporting and, perhaps, stopping a problem before it spreads,” Heaton says.
The subcommittee also recommends that CISA enhance its current multi-factor authentication (MFA) campaign by adding additional vehicles for publicizing its “More Than A Password” campaign. Such publicity includes reaching out to nonprofits, educational institutions, fellow government partners, and the extended cybersecurity community to underscore the importance of MFA.
Lastly, they recommend that CISA take all available steps to ensure that companies working with the Federal Government fully adopt MFA by 2025. “You would think right now that MFA would be second nature, but not everyone does it, believe it or not,” Heaton says. “But CISA has made it their mission to change that, and that would make a huge difference.”
One of the elements of the plan is for CISA to develop incentives and access to information to aid security researchers. Researchers will submit vulnerabilities that impact critical systems. Investments will also be made in a central platform to facilitate the intake of suspect vulnerabilities and communication between security researchers, agencies, and vendors; and improve the notification processes after a disclosure has been verified and acted on.
The subcommittee also recommended that CISA simplify the reporting process and provide feedback to those reporting vulnerabilities. “Part of the problem now is that reporting is so unwieldy and information so decentralized; this element of CISA’s plans would go a long way to addressing the problem,” suggests Heaton.
CISA is determining how best to drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization. This involves scoping the best frameworks for collaborating with industry to identify systemic risks across National Critical Functions, including the need to hold tabletop exercises with critical infrastructure partners.
“Schools hold fire drills, the military holds war games; we do need to be doing more cybersecurity simulations, so this is a step in the right direction,” Heaton emphasizes.
CISA is trying to use its platform to help build a national culture of cyber resilience. Such culture-building includes expanding the “More Than a Password” MFA campaign to also include a corporate partnership program with Fortune 500 companies.
“If you can get the large companies onboard to fully embrace MFA, then the smaller ones will come aboard, so this is a great idea,” Heaton advises.