During the past few months, I have been hosting monthly virtual sessions (Coffee Chats) dedicated to timely security issues and taking the pulse of the current security landscape. Our NIST Coffee Chat was specifically focused on the NIST Framework (2.0), drawing on information from the most recent RSA Conference.
Last month, I attended the RSA Conference and, right from the start, I knew this conference was going to be different. There were attendees from various companies with a wide array of titles and responsibilities, but they all had one thing in common: to learn, share and collaborate on ideas, processes, and technologies. This year’s theme was “Stronger Together”, and that mentality was clearly felt from the second I walked into the conference.
The first session that caught my eye was “Phishing with a Net: The NIST Phish Scale and Cybersecurity Awareness.” The program touted, “Most phishing training programs have probably experienced an inexplicable variety of click rates. But considering click rates as the sole metric for a phishing awareness program’s effectiveness is like fishing without a net.” It was led by two computer scientists from NIST, Shanee Dawkins, Ph.D., and Jody Jacobs, M.S.
Typically, phishing programs are a one-size-fits-all solution. Most report only who clicked, with no context for why, which often creates anxiety among the user base. NIST researchers have now put together the NIST Phish Scale, a metric that incorporates the human element: it contextualizes click rates with two components, the email's cues and its premise alignment, and maps the pair to a detection difficulty rating.
Email cues, such as misspellings, a sender using a personal email address rather than a work one, and generic greetings, are the known ways to spot a phishing email; the more cues an email carries, the easier it is to detect. Premise alignment captures workplace relevance: how closely the email's pretext matches the recipient's actual job, systems and routines. Scoring both yields the detection difficulty rating, and with that you can run job-related phishing tests and read their click rates in context: a high click rate on an email rated very difficult for that audience means something different from the same rate on an email full of obvious cues. Because premise alignment depends on the audience, the same email can carry a different difficulty rating for different job families, which lets you test each group against the kind of lure it is most likely to receive. I will discuss more on the NIST Phish Scale in my upcoming webinar.
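As an added example (not code from the original post or from NIST), here is a small Python rater that applies the two components to a constructed simulation email. The three cue detectors are simple heuristics for the cues named above; the cue-count bands (few 1-8, some 9-14, many 15+) and the difficulty matrix are written from the published Phish Scale as I recall it, so treat them as assumptions and check them against NIST's Phish Scale user guide. `WORK_DOMAIN`, the free-mail and misspelling lists, the sample email, and the premise-alignment value passed in are all assumptions supplied for the example.

```python
"""Rate a phishing-simulation email on a Phish Scale style difficulty matrix.

Added example, not the original post's or NIST's code. The cue-count bands
and the difficulty matrix are reproduced from the published NIST Phish Scale
as recalled here and are an assumption to verify against NIST's user guide.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample simulation email (not a captured message).
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk.support@gmail.com>
To: jdoe@example.com
Subject: Urgent: your mailbox quota has been excedeed

Dear User,

Your mailbox will be suspened within 24 hours unless you verify your
account at the link below.

Regards,
IT Helpdesk
"""

WORK_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = {"dear user", "dear customer", "dear employee", "hello", "hi there"}
# Stand-in for a real spell checker: a handful of misspellings to look for.
MISSPELLINGS = {"excedeed", "suspened", "recieve", "verfiy", "acount"}

# Assumed from the published Phish Scale: (cue-count band, premise alignment)
# -> detection difficulty.
DIFFICULTY = {
    ("few", "low"): "moderately difficult",
    ("few", "medium"): "very difficult",
    ("few", "high"): "very difficult",
    ("some", "low"): "moderately difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("many", "low"): "least difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "high"): "moderately difficult",
}


def find_cues(raw_email: str) -> list[str]:
    """Return the observable cues found in the email (the three the post names)."""
    msg = message_from_string(raw_email)
    cues = []

    # Cue 1: sender address is not on the work domain (personal/free mail or other external).
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain != WORK_DOMAIN:
        kind = "personal/free-mail" if domain in FREE_MAIL_DOMAINS else "external"
        cues.append(f"{kind} sender domain '{domain}'")

    # Cue 2: generic greeting on the first non-blank body line.
    body = msg.get_payload()
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.rstrip(",:!").lower() in GENERIC_GREETINGS:
        cues.append(f"generic greeting '{first_line}'")

    # Cue 3: misspellings in subject or body; each occurrence counts as one cue.
    text = (msg.get("Subject", "") + " " + body).lower()
    for word in re.findall(r"[a-z']+", text):
        if word in MISSPELLINGS:
            cues.append(f"misspelling '{word}'")
    return cues


def cue_band(cue_count: int) -> str:
    """Band the raw cue count as the Phish Scale does (assumed thresholds)."""
    if cue_count <= 8:
        return "few"
    if cue_count <= 14:
        return "some"
    return "many"


def rate(raw_email: str, premise_alignment: str) -> tuple[str, list[str]]:
    """Combine detected cues with the analyst's premise-alignment judgement.

    premise_alignment is 'low', 'medium' or 'high': a human rating of how well
    the pretext fits the target audience's real work. It is not derived from
    the email text, which is exactly why the same email can rate differently
    for different job families.
    """
    cues = find_cues(raw_email)
    difficulty = DIFFICULTY[(cue_band(len(cues)), premise_alignment)]
    return difficulty, cues


if __name__ == "__main__":
    # A mailbox-quota notice fits most office staff well: alignment 'high'.
    # Four cues ('few') plus high alignment rates this email 'very difficult',
    # so a high click rate on it is not the indictment a bare click rate suggests.
    difficulty, cues = rate(SAMPLE_EMAIL, "high")
    print(difficulty)
    for cue in cues:
        print(" -", cue)
```

Run it as is and the sample rates "very difficult" for a high-alignment audience and "moderately difficult" for a low-alignment one, with the same four cues found either way; swapping the premise-alignment argument is how you would re-rate the same lure for a different job family.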
Another session I attended focused on the Data Security Maturity Model (DSMM). While this may be new to some, it is essential to understand the premise behind it. DSMM was produced by a working group of security practitioners, led by Sounil Yu, with the goal of publishing what the group describes as the industry’s first framework designed to help organizations evaluate and improve their data security practices. It provides a structured approach for assessing an organization’s current data security capabilities and defining a roadmap to higher maturity levels: identifying gaps, prioritizing investments, and establishing a data security strategy.
The critical components of the DSMM include the following:
- Governance: DSMM emphasizes the importance of establishing a robust data security governance structure within an organization. This includes defining roles and responsibilities, establishing policies and procedures, and ensuring compliance with relevant regulations.
- Risk Management: This involves identifying and assessing data security risks, implementing risk mitigation measures, and regularly monitoring and reviewing the effectiveness of these measures.
- Data Classification and Protection: This defines how an organization sets up a program to classify its data based on its sensitivity and criticality, enabling the implementation of appropriate security controls and safeguards, such as encryption, access controls, and data loss prevention mechanisms.
- Incident Response and Recovery: An essential aspect of data security maturity, DSMM promotes the development of an incident response plan, including predefined procedures for handling security breaches, communicating with stakeholders, and restoring normal operations.
- Security Awareness and Training: DSMM recognizes the importance of creating a security-conscious culture within an organization, emphasizing regular awareness training that educates employees about data security best practices, potential threats, and their responsibilities, including their part in incident review and lessons learned.
With these key areas, DSMM also defines levels of maturity, ranging from reactive to proactive, with benchmarks for current data security capabilities and future-state requirements. Implementing the DSMM can be a significant differentiator in today’s competitive business landscape.
OBSERVATIONS FROM THE EXPO FLOOR
The conference’s theme continued onto the expo floor, where there was a mix of vendors, government agencies, nonprofit cybersecurity groups, and several country pavilions, all communicating the “Stronger Together” mantra.
I was impressed not only by how many vendors showed their ability to offer more context into the visibility of an environment, but also by the industry’s mental shift toward working with partners and competitors to achieve one goal: stopping bad actors. I always advise clients on the importance of visibility: the more visibility we have in our organizations, the better the decisions we can make on threat detection and response, asset inventory management, vulnerability assessments, compliance obligations, incident response, and more.
In the security space, we are seeing more technologies become platforms, including Cisco XDR, SentinelOne, and Arctic Wolf. This platform approach lets users see the information they care about quickly and reduce their mean time to respond (MTTR). The faster we can respond, the less chance a catastrophic event has to interrupt our business. In many cases, this forms the foundation for a robust cybersecurity program and helps organizations stay one step ahead of potential threats.
The platform approach also eases the exchange of information from relevant sources, such as industry-specific threat intelligence feeds, vulnerability databases, and security event data providers. As cybersecurity practitioners, we should also consider joining a threat intelligence sharing program, which brings private and public entities together to better prepare for cybersecurity events. While vendors take different approaches to integrations, all of them share the same goal: giving the enterprise the full context of its environment through the tools they provide.
I wrapped up the conference by spending time with old friends and colleagues and attending vendor meetings to ensure I have the latest pulse on the industry and what matters most to our customers. As I took the plane ride home, I couldn’t help but think about how fast our industry is changing. We are constantly relied on to ensure we have the best security posture with whatever budget we have, and are expected to shift dynamically to protect an ever-growing attack surface. It is crucial for cybersecurity professionals to work together, share ideas, and keep each other informed of new attack methods.
We must get it right every day; the bad guys only need to get it right once. That’s why we are much stronger together.