A Boost for Cyber Resilience

NIST updates its cybersecurity framework as organizations report mixed results in stopping threats.


Large organizations faced twice as many cyberattacks on average last year, an Accenture study notes. Despite their best efforts to ward off ransomware, distributed denial-of-service, and other attacks, organizations experienced an average of 30 breaches, according to the 2018 State of Cyber Resilience study.

Clearly, organizations need help. They need a framework.

Last month, the U.S. National Institute of Standards and Technology (NIST) updated its Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1 (PDF) clarifies and enhances the framework, which has been adopted by governments and businesses worldwide. Matt Barrett, program manager for the framework, says the revision "applies to a wide range of technology environments, such as information technology, industrial control systems, and the Internet of Things."

What's New

One addition to the framework is a section on "Self-assessing Cybersecurity Risk With the Framework" aimed at helping organizations understand and measure cybersecurity risk. The section advises that assessing the effectiveness of cybersecurity investments starts with understanding organizational objectives, how they relate to cybersecurity outcomes, and how those outcomes are implemented and managed.

This section recommends organizations take care in how they apply metrics, and be able to explain how the measures contribute to the organization's cyber risk management. Moreover, it warns against relying "on artificial indicators of current state and progress in improving cybersecurity risk management."

The revision also expands how the framework can be used to manage cyber risk in the supply chain. Some recent cyberattacks have targeted large organizations by going through their business partners.

Additionally, cyber supply chain risk is now included in the framework's implementation tiers and the Framework Core now includes a supply chain risk management category. Moreover, a new section on buying decisions discusses how to use the framework to address risk associated with purchasing off-the-shelf products and services.

Other revisions to the framework include updates on user authentication and identity, and vulnerability disclosures. The framework's terms also have been clarified.

NIST plans to release a companion to the framework, the Roadmap for Improving Critical Infrastructure Cybersecurity, later this year. That document will cover areas such as development, alignment, and collaboration, which Barrett calls "essential to the framework's success."

Faster Responses

As the Accenture report findings indicate, the need to strengthen cyber risk management is greater than ever. Still, there are some positive signs.

The organizations in the study prevented 87 percent of all focused attacks, up from 70 percent in the 2017 report. Accenture defines a focused attack as one with the potential to penetrate network defenses to cause damage or extract high-value assets.

"Only one in eight focused cyberattacks are getting through, versus one in three last year," says Kelly Bissell, managing director at Accenture Security. Accenture surveyed 4,600 enterprise security professionals from large companies in 15 countries.

Organizations are also finding security breaches faster. Nearly 90 percent say they detected breaches within one month, compared to 32 percent last year. Most (55 percent) found them within one week.

There's some bad news, as well: Organizations' information security teams are finding only about two-thirds of security breaches on their own. The remainder come to light with help from white-hat hackers, peers, and other business and government sources.

Many respondents say the emergence of new technology tools, including cyber threat analytics, security monitoring, and artificial intelligence, may help them battle threats. "For business leaders who continue to invest in and embrace new technologies," Bissell says, "reaching a sustainable level of cyber resilience could become a reality for many organizations in the next two to three years."

Tim McCollum

About the Author

Tim McCollum is Internal Auditor magazine's associate managing editor. https://iaonline.theiia.org/authors/Pages/Tim-McCollum.aspx

