Basic but Powerful – CISA’S Cybersecurity Performance Goals

Back to Basics

Smaller critical infrastructure organizations have long struggled to strengthen their cybersecurity due to a lack of financial and technical resources. Fortunately, improving cybersecurity in the critical infrastructure sector does not have to be a complex, costly, and time-consuming endeavor—regardless of expertise. Getting the basics right first can be both an effective and demonstrable win. It’s no surprise CISA’s new initiative, Cross-Sector Cybersecurity Performance Goals (CPG), emphasizes the basics. The document is limited in scope, and its plain language is easy to understand. CPG recommendations are designed to accelerate cybersecurity improvement, particularly for smaller companies, whose importance cannot be ignored, as they provide essential goods and services for a significant number of US citizens. Recent cyber-attack trends point to an increased interest in targeting critical infrastructure—manufacturing, energy, and healthcare as easy ransomware victims. Some real-world cyber events included shutting down meat processing, gas delivery, and hospital services. We recently surveyed over 100 critical infrastructure organizations using Axio’s ransomware preparedness assessment, and the stats are alarming. Many of these critical infrastructure organizations are not practicing basic cyber hygiene:

Only 30% of surveyed organizations have plans for responding to a ransomware crisis

Only 24% of organizations report the practice of patching systems within a day—a scary figure considering the continued digitization of the modern company

Download the complete 2022 State of Ransomware Preparedness Report.

A Living Process

One can think of CISA’s cybersecurity goals as a fast-track assessment for smaller organizations that may not know where to start. We’ve done similar endeavors in the Axio360 platform, taking the world’s most popular cybersecurity framework, NIST CSF, and creating a quick launch feature for faster insights. Getting started is key, but you are not done once you perform an assessment. For an assessment to provide value, you need to treat it as a living and breathing organism that evolves over time as you interact with it. This is what makes Axio360 so powerful—it’s designed for rapid collaboration geared towards measurable improvement.

We are glad CISA’s goals will continue to be updated every 6-12 months. This creates the right mentality, a first important step for small critical infrastructure organizations to take care of the basics on a regular basis.

At the least, organizations conduct an annual assessment to satisfy auditors, but these assessments rarely give organizations visibility and confidence to stay ahead of threats.

It’s important to remember that these CPG goals need to be realized, and security leaders need to show accountability by aligning them to action—this includes building a roadmap and tracking progress over time.

Axio’s senior solution engineer, Dan Ritch, discusses why building a cybersecurity roadmap requires continuous scrutiny.

Springboard for Quantification

The CPG guidelines include information about the cost and complexity of each recommendation as well. This is particularly important in today’s economic climate where, cybersecurity budgets are being more closely scrutinized, and security leaders no longer have a blank check—regardless of how important they feel implementing a new cybersecurity control initiative is. Today one needs to defend their cybersecurity decisions. By using a cyber risk quantification methodology, you can compare potential cybersecurity investments with their subsequent risk reduction. The recommendations in the CPG essentially serve as a springboard to brainstorm and quantify a cyber scenario (that can take advantage of not having these specific controls in place) and see how much risk you reduce if you implement them.

Implementing CISA’s goals ultimately needs to be communicated in business language—not bits and bytes. We often see how C-suite and cyber executives don’t understand each other. The best way to close this communication gap is to demonstrate how implementing cybersecurity recommendations affect financial impact. Assessments are excellent tools to close control gaps in technology and process. But you need to think about how important these gaps are to be addressed in the first place. 40% of information risk decisions are made outside of IT, making it essential to shine light into the “why” this needs to be done. Critical infrastructure organizations need to identify mission-central parts of the business and how cyber –events can affect them. Quantification allows you to do this, in a structured and collaborative way. You can review the individual elements driving the cost of cyber risk. This granular approach enables cybersecurity leaders to justify each value to their CEOs and boards—and ultimately get the budget necessary to address the basics of CISA’s performance goals.

We applaud CISA’s release of its cybersecurity performance goals and checklist. We look forward to seeing how the documents evolve over time and feel it’s a very powerful initiative for collaboration and awareness in the critical infrastructure sector. Over time, we look forward to supporting this initiative and are eager to see how sector-specific goals take shape as CISA meets with industry leaders.

If you are interested in learning how you can take care of cybersecurity basics in one tool that allows both assessment and quantification, we’d love to show you a tour of Axio360 and how we’ve been supporting critical infrastructure cybersecurity improvement through both assessing their cybersecurity maturity and quantifying scenarios of concern to justify cybersecurity budget, eliminate communication barriers, streamline organizational processes and most importantly – proactively plan cyber defense.