By Doug Barbin, Chief Growth Officer, Managing Principal at Schellman
The constant and rapid evolution of technology means organizations and governments alike need to prioritize cybersecurity. While providing so many new opportunities, emerging tech like artificial intelligence and cloud computing are also opening new doors for attack. In March 2023, President Biden announced a new National Cybersecurity Strategy to further prioritize cybersecurity in the wake of several high-profile attacks on U.S. organizations and infrastructure. But how will these new policies really impact both the public and private sectors?
What is the National Cybersecurity Strategy?
First, it’s important to understand what the strategy actually entails. The National Cybersecurity Strategy was introduced to “allocate roles, responsibilities and resources in cyberspace” to further adapt to the more complex and dynamic threat landscape. This new strategy plans to expand minimum cybersecurity requirements for critical sectors and to be more aggressive in preventing cyberattacks before they can occur. As part of this, the administration also stated that it plans to work with Congress on legislation that would put liability on software makers/vendors who fail to meet cybersecurity requirements.
The plan pursues its goal of reimagining cyberspace as a tool for achieving our goals and reflecting our values with two key tactics:
- Rebalancing the responsibility for defending cyberspace and shifting those duties from individuals and small businesses into the hands of larger corporations and governments who are better equipped to handle the task.
- Emphasizing and incentivizing long-term investments in security. Short-term solutions and quick fixes do not address the scale that cybersecurity threats have reached, and both private and public institutions need to plan and adjust accordingly to prioritize security today and tomorrow. These long-term investments also improve the resiliency of tech infrastructure.
The new strategy consists of five pillars, detailed below, that build on and expand existing initiatives while introducing new efforts to move the United States toward a more secure future. The pillars emphasize cooperation and collaboration between entities, with the goals of better incident management, streamlined costs and a lighter compliance burden.
- Defend Critical Infrastructure
  - The White House established that a crucial part of its strategy is building confidence in the availability and resilience of infrastructure, and defending and modernizing federal networks.
- Disrupt and Dismantle Threat Actors
  - This pillar leverages the employment of national power, engagement with the private sector and a comprehensive federal approach to disable malicious actors. It also ties together anti-money laundering (AML) and cybersecurity, and addresses threat vectors such as cryptocurrency exchanges.
- Shape Market Forces to Drive Security and Resilience
  - This pillar places responsibility on those within our digital ecosystem who are best positioned to reduce risk. It pushes liability for flawed software onto the software makers and leverages federal spending to make security a “market requirement” for doing business.
- Invest in a Resilient Future
  - The government is investing in the latest technology for the safe harboring of information. This pillar’s investment in a resilient future speaks to what we’re seeing in terms of the importance of the “Digital Identity Ecosystem.”
- Forge International Partnerships to Pursue Shared Goals
  - The final pillar highlights international partnerships and notes the importance of a secure supply chain. The White House will be hands-on in enforcing regulations that address irresponsible behavior in cyberspace.
What Should Businesses Do Now?
Be proactive. As we await the implementation plan for the strategy, companies should not wait to review and begin cybersecurity processes. These new regulations are prompting many companies to reflect now on what they can and need to do to prepare.
To start, businesses should assess current cybersecurity measures and identify vulnerabilities. This can be done internally or with the help of a third-party provider. Investing in compliance can provide the reassurance of outside validation that everything is as it should be, or an expert eye for catching holes or weaknesses.
After vulnerabilities have been identified, it’s time to take action to address them. Actions can include implementing new security protocols, updating existing systems and software, and organizing training that helps employees understand and avoid potential security threats. Cybersecurity is everyone’s problem and everyone’s responsibility. Employees need to be educated on what kinds of attacks exist and what to do when they see something suspicious. Access control is also an important security tool, because the human element often plays the largest role in a data breach. Tactics like segmenting networks, allowing only authorized applications and managing authorization can prevent human error from leading to an attack.
After these actions are taken and corrections are made, it’s important to establish ongoing monitoring and maintenance processes to ensure cybersecurity stays up to par and new vulnerabilities don’t emerge unnoticed. These processes can include vulnerability scans, penetration testing or other ongoing assessments that identify and address security risks. Cybersecurity is not a one-and-done effort. If opting to work with a third-party assessment provider, as suggested above, look for one that offers ongoing support and prioritizes an open channel of communication between business and auditor. Vulnerabilities don’t pop up once a year at a predetermined time, so constant and consistent monitoring is crucial. Enhanced monitoring can also serve as an early warning indicator, and those extra moments to identify, isolate and respond to a threat are critical.
It’s not enough to simply implement new tech like multi-factor authentication or encryption. A culture of cybersecurity must be fostered organizationally, through assigning clear roles and responsibilities and providing regular trainings and awareness programs. Consider partnerships with other organizations, such as government agencies and industry groups, that can also enhance cybersecurity through information sharing, incident response and collaborative defense initiatives.
While government regulations evolve, now is the time for businesses to prioritize cybersecurity to protect their data, their customers and their employees. Aside from any mandates, cybersecurity should be a front-of-mind concern for businesses of all sizes, both public and private. Emerging tech has changed the business landscape, and the security processes and mentality around it need to evolve accordingly.
Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. He has developed many of Schellman’s service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor’s degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.