In today’s interconnected world, the cybersecurity landscape is evolving at an unprecedented pace. Two major perspectives have emerged in the discourse, with one focusing on organizational accountability for cybersecurity and the other shifting the responsibility from customers to manufacturers. These viewpoints are not mutually exclusive, but rather, they form a composite picture of the cybersecurity reality we face today.
Organizational Responsibility in Cybersecurity
Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), has championed the perspective of organizational responsibility in cybersecurity. Easterly emphasizes that enterprises must consider cybersecurity as a matter of good governance and daily operational practice. Rather than relying solely on Public Service Announcements (PSAs) or reactive measures, Easterly asserts that strong cyber defense should be embedded in all sectors, with organizational leadership holding accountability for their cybersecurity infrastructure.
Shifting the Burden – From Customers to Manufacturers
In recent times, there has been a significant push towards shifting the responsibility of cybersecurity from customers to manufacturers. This shift is reflected in the release of a new set of principles by a coalition of federal and international security agencies, which urges technology manufacturers to prioritize customer safety and incorporate built-in cybersecurity features in their products. This secure-by-design and secure-by-default approach aims to ensure that products are resilient against prevalent exploitation techniques, thereby reducing the cybersecurity burden on organizations.
The Role of Enterprises – The “Left of Bang” Perspective
However, this shift does not absolve enterprises of their responsibility in maintaining cybersecurity. The concept of “Left of Bang” – being proactive rather than reactive to threats – is a critical aspect of enterprise responsibility. Organizations must adopt and use protective measures not just in case of an actual breach, but in anticipation of potential threats.
Take communications, for example. Many organizations have begun to adopt and plan for the use of out-of-band communications channels in case of an incident. Moving “Left of Bang,” however, requires a transition from using these channels only to communicate in response to incidents to securing day-to-day communications as well, particularly in Security Operations, DevSecOps, and Threat Intel Sharing.
Why is there such an emphasis on these areas? These fields of operation within an organization often contain highly valuable information that, if it fell into the wrong hands, could provide threat actors with the roadmap they need to perpetrate or continue their attacks. By understanding the potential risk within these pre-incident communications, organizations can reduce the likelihood of these valuable details being exploited by threat actors.
The idea is not to wait for the “bang” – the security incident – but to take action to the left of it. What makes these areas so critical, and the types of valuable information they often contain, deserve their own dedicated treatment and will be explored further in a future discussion.
The Shared Responsibility Model – A Balance of Onus
In the grand scheme of things, cybersecurity follows a shared responsibility model where both manufacturers and organizations play pivotal roles. Not all products can offer the same levels of security while maintaining expected functionality and user experience. This necessitates a “Tier and Protect Strategy™️,” where different tiers of communication and data are given varying levels of protection based on their sensitivity and importance. This approach mirrors strategies long employed by government, defense, and intelligence agencies in dealing with classified and unclassified information. ArmorText enables the private sector to adopt this proven strategy for communications and collaboration, bringing the right levels of security where it’s needed most, without requiring all communications to move over to ArmorText unnecessarily.
Cybersecurity in today’s world is a multifaceted issue, with organizational accountability, manufacturer responsibility, and enterprise vigilance playing essential roles. By adopting a proactive stance and embracing the shared responsibility model, we can create a safer digital environment for organizations. It’s not just about avoiding the “bang” but moving left of it, working together to ensure our cyber infrastructure is robust and resilient. The exchange of ideas, principles, and strategies between the government and the private sector will ultimately benefit all, fostering a dynamic and collaborative cybersecurity landscape that continually evolves and improves.