Hitachi

U.S.A.

Hitachi Group Global Network

Americas

Asia

Europe

Middle East and Africa

Oceania

Close

Why Organizations Aren’t Using Cybersecurity Frameworks
You are here: Home \ Control Assessment \ Why Organizations Aren’t Using Cybersecurity Frameworks
Why Organizations Aren't Using Cybersecurity Frameworks
Posted on Thursday, December 14th, 2017 by

Companies Face Numerous Obstacles in Deploying Cybersecurity Frameworks

 

Security experts and pundits strongly advocate for adoption of leading cybersecurity frameworks, yet many companies are not heeding their advice.

These frameworks include:

 

Related post: NIST, CIS/SANS 20, ISO 27001 – Simplifying Security Control Assessments

 

Organizations are either opting not to use these frameworks or are encountering major implementation problems when they try to use them.

Astonishingly, 95 percent of organizations said they face significant challenges in trying to implement cybersecurity frameworks, according to a survey of 319 IT security decision makers by Dimensional Research on behalf of CIS and Tenable Network Security.

Respondents identified a number of obstacles to cybersecurity framework implementation, including lack of trained staff (57 percent), inadequate budget (39 percent), lack of prioritization (24 percent), and insufficient management support.

 

Cybersecurity Framework Obstacles

Let’s take a closer look at these obstacles:

  1. Lack of trained staff

Worldwide, there is a huge shortage in skilled cybersecurity professionals. According to a survey of 775 IT pros in by Vanson Bourne on behalf of Intel Security and the Center for Strategic and International Studies (CSIS), 82 percent of respondents admitted to a shortage of cybersecurity skills at their company, with 71 percent of respondents citing this shortage as responsible for direct and measurable damage.

The IT pros surveyed estimated that 15 percent of cybersecurity positions in their company will go unfilled by 2020. This is a problem across the board, not just for companies struggling to implement security frameworks.

James Lewis, senior vice president and director of the Strategic Technologies Program at CSIS, observed that a “shortage of people with cybersecurity skills results in direct damage to companies…This is a global problem.”

 

  1. Lack of budget

Security budgets across the board are lagging behind the security challenges faced by companies. The average IT security budget for enterprises worldwide declined from $25.5 million in 2016 to $13.7 million this year, according to a survey of 5,000 businesses worldwide by Kaspersky Lab and B2B International. This despite the growing costs of data breaches.

Obviously, with IT security spending contracting, there is a lot less to go toward implementing cybersecurity frameworks. What is left goes to protecting critical data and putting out fires.

New call-to-action

  1. Lack of prioritization and management support

With shrinking budgets, upper management is less likely to prioritize investment in complicated security frameworks. A SANS survey of organizations implementing the CIS Critical Security Controls (CSCs) framework found that only one-quarter of security managers received support for adopting security controls from their chief executive officer, chief operating officer, and business units.

“It is important for tactical managers to take steps to introduce CEOs, COOs, and boards of directors to the CSCs as a means through which to identify and defend their organization’s assets,” said James Tarala, SANS analyst and author of the survey report.

 

 

Stopping Attacks with CIS Critical Security Controls

Despite these obstacles, company should implement a cybersecurity framework, such as the CIS Critical Security Controls, which provide specific and actionable ways to stop pervasive and dangerous attacks.

The CIS controls are based on common attack patterns identified in threat reports and vetted across a broad community of government and industry practitioners. They were created by security experts from the National Security Agency, Department of Energy, law enforcement organizations, and top forensics and incident response organizations, explained the SANS Institute.

Based on analysis of new attack vectors, the controls are updated so they can stop or mitigate those attacks. The controls transform threat data into guidance to improve individual and collective security in cyberspace.

 

The top 20 CIS controls are:

  1. Inventory of authorized and unauthorized devices,
  2. Inventory of authorized and unauthorized software,
  3. Secure configurations for hardware and software,
  4. Continuous vulnerability assessment and remediation,
  5. Controlled use of administrative privileges,
  6. Maintenance, monitoring, and analysis of audit logs,
  7. Email and web browser protections,
  8. Malware defenses,
  9. Limitation and control of network ports,
  10. Data recovery capability,
  11. Secure configurations for network devices,
  12. Boundary defense,
  13. Data protection,
  14. Controlled access based on the need to know,
  15. Wireless access control,
  16. Account monitoring and control,
  17. Security skills assessment and appropriate training to fill gaps,
  18. Application software security,
  19. Incident response and management,
  20. Penetration tests and red team exercises.

 

CIS controlsSource: ArkAngel Platform 

Monitoring Asset Risk Using CIS Top 20 Controls

We, at Hitachi Systems Security, can help you understand if your business systems or assets are at risk using the CIS top 20 controls. We can monitor and provide real-time assessments of your assets.

Our ArkAngel platform provides you with a security score of your systems against the CIS top 20 controls. It also gives you a risk score and vulnerabilities associated with your systems, as well as historical data about system vulnerabilities and trends in at-a-glance graphical format.

ArkAngel 5.9 includes a Governance Module, the governance, risk management, and compliance component, and a Vulnerability Management Dashboard, the tactical component.

 

  • The Governance Module provides data on system valuation, risk value, confidentiality, integrity, and availability scores, and controls associated with system and threat vectors. It then provides a total system risk score.

Governance Module

Source: Governance Module Overview (ArkAngel Platform)

 

The Governance Module focuses on your asset properties and the vulnerabilities that are discovered continuously. It helps you understand what your current security posture is, how it can evolve, and how you can lower your risk in line with your business objectives.

 

  • The Vulnerability Management Dashboard provides real-time analytics of the vulnerabilities scanned in your environment. It reports on vulnerabilities detected in the network and extracts risk-related indicators as well as security incidents created by our analysts.

 

Vulnerability Management Dashboard

Source: Vulnerability Management Dashboard (ArkAngel Platform)

 

Our dashboard lists the top vulnerabilities that would expose you to the highest risks and helps you prioritize vulnerability fixes to avoid ransomware attacks and data breaches. The dashboard runs monthly reports based on statistics and indicators generated by scanners and compares trends over time, and we give you the flexibility of creating customized reports.

Reports vary from executive-level to detailed technical reports, providing your organization with different perspectives relevant to your users. Our security posture and trend analysis reports provide you with a view of your network’s security evolution over time.

We maintain an up-to-date database that includes thousands of known vulnerabilities. Through our customer portal, you can see the threat levels in your network and learn how to fix them. For more advanced threat levels, our team of security experts can provide threat remediation assistance.

IT asset dashboard

Source: IT Asset Dashboard (ArkAngel Platform)

 

Both components have visualization components and reporting capabilities that help you prioritize which vulnerabilities to patch first. In addition, the reporting enables your security teams to provide updates to upper management and the board of directors about current risk levels, mitigation efforts, and strategic goal setting.

The ArkAngel 5.9 platform turns security from a reactive process of scanning, assessing, and implementing patches to a proactive risk management process of applying critical patches to high-value systems efficiently and effectively.

 

Security experts agree that adopting and implementing a comprehensive security framework is a certain method to optimizing your risk management strategy and identifying your strengths and weaknesses in an organized, prioritized manner. As we’ve suggested, in many respects the key to success goes beyond implementation to gap analysis, measurement and continuous improvement.

In order to get a sense of how this best practice would work in your own organizations please reach out to one of our certified security consultants for a one to one consultation.

Robert Bond
About author:
Robert Bond is the Director of Marketing at Hitachi Systems Security. Robert is responsible for the education of prospective customers as well as the satisfaction and engagement of current customers. Robert has been in the information technology, security and digital forensic industries for over 15 years. He has a Bachelors degree from the University of Maryland and an MBA in marketing from Indiana University.

Latest Webinars | Watch Now

 

The Next Generation of Managed Security, in collaboration with PCM.

Watch Now

Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance, in collaboration with Nymity.

Watch Now