By Shrey Fadia, Analyst and Consultant, Artin Arts
By November 30, 2020, certain U.S. Department of Defense (DoD) prime contractors and subcontractors will need to complete a cybersecurity self-assessment prior to receiving new DoD contracts and prior to the exercise of new options under existing DoD contracts. Additionally, DoD contractors will need to ensure that any subcontractors that receive Controlled Unclassified Information (CUI) have also completed the cybersecurity self-assessment.
The DoD has permitted contractors to self-attest to their compliance with a range of cybersecurity controls but recently became concerned that the current cybersecurity compliance approach does not ensure sufficient protection and fails to provide DoD with sufficient insight into the cybersecurity posture of companies within their base.
This is just one example among many large organizations and enterprises putting in place stricter Security Scores through risk assessments designed to address increasingly sophisticated and broad-based threats.
Heading into 2021, IT teams are preparing plans and budgets, and their business cases for greater investment in securing networks, data, and other assets are increasingly based on their IT Security Score.
Many companies, including Security Scorecard, RFPIO, Loopio, Nessus, LogicGate, Risk Cloud, AlienVault USM (from AT&T Cybersecurity), SAI360, OneTrust, and HighBond, have methodologies and technologies enabling enterprises to assess how secure their systems and assets truly are.
As IT professionals, including CISOs, regroup after a devastating year marked by the global pandemic and a weakening economy, here are three steps that Orhan Yildirim, CTO of Ironsphere, recommends for ensuring that networks, data, and applications are fully protected. Ironsphere, based in the U.S. but serving global clients, including several large, global banks, offers Privileged Access Management security solutions.
“Prior to COVID-19, organizations were already working with third-party suppliers, but they were not ready to handle the surge in as-a-service solutions, as they had to accelerate their plans for digital transformation to comply with Work from Home mandates,” said Yildirim. “Engaging with a company that understands how to assess vendors’ security – and prospective vendors’ security – can get the IT team up the learning curve quickly. This is a new world with a new set of challenges, and those challenges will continue into 2021.”
“The second step, after completing a security score process, is to put in place continuous cybersecurity monitoring to help prevent costly breaches,” Yildirim said. “At least once a year, and likely in concert with preparing strategies and budgets, a security scorecard is essential. Given the uncertainties and ongoing growth in threats, while organizations are more vulnerable than ever, a monthly review is recommended – and thus should be as automated as possible.”
Yildirim said an important third step is to become proficient in security reporting.
“To be efficient and effective, CISOs and their teams must create a common language and reporting framework to communicate risk to executives, including board members who are legally obligated to protect the standing and assets of their organizations,” he explained. “By utilizing reliable data and KPIs, CISOs can demonstrate the value of cybersecurity initiatives, including investments in Privileged Access Management, so only those individuals who should have access do have access.”
Taking a risk-based approach that prioritizes internal and third-party security issues and addresses a cloud-based world, in addition to protecting against external threats, allows CISOs to support business functionality while demonstrating cost savings. In a COVID-19 world, organizations and government agencies must find the right balance between cost savings and high-quality cybersecurity platforms.
About the author: Shrey Fadia is an engineer, analyst, consultant and writer covering the most disruptive fields in technology today including AI, IoT, Blockchain, Cybersecurity, Communications Platforms as a Service and more, with a special interest in innovations that improve lives. While working towards his Master of Science degree in Electrical and Computer Engineering from State University of New York (SUNY) at Binghamton, NY, Fadia has published numerous articles on advances in software-based solutions in several industry publications.
While working towards his undergraduate degree in engineering in India, Fadia and a team of other students developed a Smart Wheelchair leveraging sensors and affordable features including retrofitting existing equipment to make mobility possible using gesture mechanisms and obstacle avoidance. Their innovation was featured at an IoT Evolution World Expo in 2017. Fadia is currently a Graduate Teaching Assistant at State University of New York (SUNY) at Binghamton, NY while consulting for companies as a Senior Analyst for strategic tech communications firm Artin Arts, based in NYC.