The cybersecurity standards of tomorrow
Over the years, the list of cybersecurity standards has grown steadily amidst pervasive digitisation and a rapidly evolving threat environment.
Organisations now prioritise compliance with these guidelines as a matter of course. But how are standards evolving, and how should CISOs keep key stakeholders including their Board up to date?
“Cybersecurity standards are like a recipe with a list of steps to implement. With them, organisations could meet business operational, compliance, and audit requirements,” said Frankie Shuai, the former Country Head of Cyber & Technology Risk at UBS.
The role of cybersecurity standards
“Cybersecurity standards are the glue that allows us to piece cybersecurity risk management pieces together and deliver end-to-end risk-based best practice,” said Shuai.
These standards are based on industry best practices reached by consensus among technical experts, and adherence to them has become a minimum requirement for doing business, said Charmaine Ng, the Director of Asia Pacific Digital Policy at Schneider Electric.
“At a security level, when connected devices are not secure, attackers are presented with numerous entry points from which to launch an attack, steal data, disrupt lives, and in some cases, put lives at risk,” she explained.
Trust comes into play, too, due to growing customer expectations.
Ng said: “At a business level, with customers increasingly demanding cybersecurity and adherence to cybersecurity standards such as ISO/IEC 27001, SOC 2, ISO/IEC 62443, non-adherence to industry best practices puts manufacturers at risk of losing customer trust.”
Standards are evolving
Ng observed that growing cybersecurity risks have prompted governments to manage those risks proactively as part of their national strategy. The result is a growing number of jurisdiction-specific standards, typically inspired by international standards but amended in some ways.
While there are probably good reasons for regulators to include local nuances in their national standards, these jurisdiction-specific standards may inadvertently leave out important cybersecurity controls, cautioned Ng.
It also increases the compliance burden for manufacturers whose global products must adhere to a multitude of jurisdiction-specific standards, which can in turn increase costs for customers, she noted.
New developments in technology can also give rise to new standards. One of the hottest topics right now is generative AI, and unsurprisingly, various new regulations around AI have already been rolled out or are being ratified.
On that front, Shuai ticked off some of the top ones such as the National Institute of Standards and Technology (NIST) AI Risk Management Framework, the European Union AI Act, and the Cyberspace Administration of China (CAC) Interim Measures for the Management of Generative AI.
This sounds like a lot to take in. Must a CISO be familiar with all of them? When asked about cybersecurity standards in general, Shuai gave a tongue-in-cheek response: “As a CISO, we must know some of them, if not all of them. But it cannot be none of them.”
While there is no doubt that CISOs already have their hands full complying with multiple standards as well as deciphering new ones, they must not neglect regular communication with internal stakeholders.
Ng puts it this way: “It must be a top priority to help the Board understand cyber risks and our risk management strategies. We need to remember that the Board is always scrutinising what the company is doing to mitigate these risks and how we can be more resilient.”
She suggests that the CISO articulate cybersecurity to the Board using language that it understands, and by aligning the conversation with business priorities and sectoral challenges.
Shuai agrees that language is important. He suggests using “common language” to ensure that everyone knows what to do.
Using the stock market as an analogy, he noted how a price increase in the Singapore, US, and European stock markets is shown in green and a drop in red. The reverse is true in China and Japan, where red is used to denote a price increase.
“The same colour might have different or even the opposite meaning; this could happen in cybersecurity. Use a common language to make sure everyone is on the same page and for effective communication within the team and across the business,” he said.
Finally, a CISO walking into a meeting with the Board must be able to answer three questions, says Shuai: “Are we secure, are we compliant, and are we overrunning our budget?”
Cybersecurity is ultimately a balancing of risk, time, and resources, says Shuai. While it is possible to establish additional layers of defences, checks, and controls to secure a system, it should be at the agreed-upon cost, he says.
Building an environment of trust
The exacting details outlined in cybersecurity standards are no guarantee that things will go according to plan. The unpalatable truth is that humans do make mistakes. Instructions might not be followed to the letter or crucial steps might be missed when implementing a cybersecurity standard.
“No matter how large or small a change that you are implementing, always have a backup plan. The plan should be quick to put into action, and take factors such as people, cost, time, communication, and crisis management into consideration,” said Shuai.
It is also important to learn from mistakes. “We should have a culture that allows for mistakes. Then quickly learn from the mistake and move to the next step. A culture of blame that focuses on human mistakes is not sustainable for growth.”
Shuai advised new CISOs not to try to do everything at once. “Do not apply all the security controls in the security standards blindly to every system or every dataset you are monitoring.”
“From a technical and economic perspective, this is not possible. Prioritise the critical areas you need and focus on them,” he summed up.