Cybersecurity frameworks are not enough to protect organizations from today’s threats

Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.

As cybersecurity incidents proliferate, critical infrastructure and global enterprises are increasingly targeted by financially-motivated cybercriminal gangs and even nation-state threat actors. Today’s organizations are facing multiplying threats and increasing risks from a constantly-evolving threat landscape.

Last year, new cryptojacking and ransomware programs increased by 75% and 42%, respectively, all while OT vulnerabilities leaped 88%. Overall, companies experienced an average of 270 attacks in 2021, up 31% over 2020.

It’s clear that threats are growing at a never-before-seen rate, leaving security teams to grapple with the seemingly endless challenges these risks carry. To address the business risk that is now at the forefront of cybersecurity board conversations, companies across both the public and private sectors have implemented cybersecurity frameworks like NIST and MITRE ATT&CK.

Cybersecurity frameworks are designed to help businesses and governments better understand, manage and reduce their cybersecurity risk. Currently, all 16 critical infrastructure sectors, including energy and manufacturing, use the NIST framework, while 80% of enterprises use MITRE ATT&CK. A recent study by ThoughtLab highlights that leading organizations often use more than one framework to meet global standards and improve cybersecurity results.


Intelligent Security Summit

Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.

Register Now

While frameworks like NIST and MITRE ATT&CK provide a practical foundation for basic cybersecurity practice, organizations should view them as the beginning of their cybersecurity journey, not the final destination. To ensure they have a well-rounded and effective security program, companies must further build on the frameworks, going beyond a “check the box” mentality to achieve a continuous state of security.

Disrupt the traditional reactive “scan and patch” approach

While frameworks like NIST and MITRE ATT&CK provide organizations with a starting point, these frameworks focus on reactive strategies that are no longer enough to keep up with the pace and volume of threats. For example, two of the five core pillars of the NIST cybersecurity framework focus on detect-and-respond tactics, which take place only after an attack. While the MITRE ATT&CK framework is a guideline for classifying and describing cyberattacks and intrusions, the guidance it provides is also tied to a response tactic for an attack.

Reactive strategies outlined in cybersecurity frameworks that focus on scanning and patching are not only slow and laborious; in many cases, they also fail to convey the level of risk associated with a threat. This often results in valuable resources being wasted on false alarms.

While cybersecurity frameworks are voluntary guidelines for private sector organizations, federal agencies and government contractors are required to comply with the NIST cybersecurity frameworks. This creates a strong focus for public sector organizations on achieving compliance instead of developing proactive strategies that will have a more significant impact. 

Battling today’s cybersecurity threats proactively

The threat landscape has evolved dramatically, while cybersecurity practices have unfortunately lagged behind. Traditional approaches are no longer enough to withstand an expanding attack surface and increasing threats, so what is the alternative? A recent ThoughLab study sheds light on how a group of organizations is flipping the narrative, disregarding the reactive models of the past and shifting cybersecurity into a process of precise, continuous exposure and threat management that can identify and reduce risks.

This proactive approach to cybersecurity involves regularly assessing risk probabilities and impacts, conducting advanced quantitative and scenario analysis, incorporating cybersecurity into enterprise-wide risk management, and working with business leaders to mitigate risks proactively. A risk-based approach allows organizations to achieve greater cybersecurity proficiency by giving them the tools to identify, measure, prioritize and manage the threats they face.

Amid today’s economic uncertainty, security leaders need a way to achieve timely risk reduction while ensuring they have tools capable of quantifying the economic impact of cybersecurity risks on the business. By quantifying risk through risk analyses, organizations can identify and prioritize threats and ultimately calculate their cybersecurity strategies’ true return on investment.

Risk-based cybersecurity is proven to reduce breaches

By taking a proactive approach to defending against critical threats, organizations can effectively focus remediation efforts on vulnerabilities that expose them to cyberattacks. According to recent research, 48% of organizations with no breaches in 2021 took a risk-based approach to their security programs.

Alongside cybersecurity frameworks, modern risk-based strategies allow organizations to build impactful, modern cybersecurity programs that defend against today’s unpredictable threats, especially for security teams tasked with protecting complex environments.

Gidi Cohen is CEO and founder of Skybox Security.

Originally appeared on: TheSpuzz