When will security frameworks catch up with the new cybersecurity normal?
Now that the system shock to IT systems and organizations from the pandemic (not to mention the horrible human toll) has started to ease up, we’re seeing the emergence of a whole new landscape for cybersecurity. Before last year, most organizations relied mostly on an in-person workforce in company-owned or leased buildings, with remote work reserved for contractors or traveling execs and salespeople.
Then along came a global pandemic that, among other things, made working face-to-face a real danger. Many companies had to switch their entire workforces over to working from home, literally overnight. As terrible as it was, one silver lining of the pandemic is that it may have been the dam-breaking event that makes widespread work-from-home the new standard.
However, the pandemic has also accelerated the disparity between large cybersecurity frameworks like ISO 27001 and the NIST Cybersecurity Framework and the reality of most modern organizations, even ones that haven’t gone 100% virtual. This has been happening for years, but as the gaps widen between the security standards we have to follow and the actual security challenges on the ground, the frameworks are going to have to become more agile or risk becoming standards that cost a lot of money to comply with but have little to no effect on actual security.
For example, risk assessments are a big part of these regimens and often serve as the starting point for aligning your organization’s security efforts with the risks facing the business. Much of NIST’s and ISO’s recommended risk-assessment guidance focuses on physical threats to locations. For instance, an entire section of NIST — the Physical and Environmental Protection (PE) controls, with 23 items — is dedicated to this area.
This made sense when everyone worked in a company office. However, with many companies adopting distributed workforces, localized disasters now have a much smaller potential impact on a company’s operations. Larger disasters like pandemics, which were once treated as remote edge cases needing minimal remediation and controls, have proved to be far more impactful and likely than we previously assumed. New versions of the security frameworks need to recognize this, possibly by offering different risk-assessment tools for companies with largely remote workforces.
Alternate processing sites are covered in the security frameworks. But for many cloud-native companies, this simply means another region or availability zone of a cloud provider, or even an alternate cloud provider. These arrangements are far more flexible, powerful, and cost-effective than true physical hot sites ever were, and they can be set up with a couple of clicks of a mouse. Even companies that still own physical data center infrastructure often use the cloud as their backup. The days of massive, company-owned alternate sites are waning, and security frameworks and regulations should be updated to recognize that.
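To make the "another region of a cloud provider" point concrete, here is an added Terraform example (not from the article or Dark Reading) of the kind of configuration that stands in for a traditional alternate processing site: an S3 bucket in a primary AWS region replicated continuously to a second bucket in another region. The bucket names, region choices, and provider aliases are assumptions chosen for illustration; the resource types and IAM actions are AWS's own.

```terraform
# Assumed provider aliases: one per region. The region names are placeholders.
provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  alias  = "alternate"
  region = "us-west-2"
}

# Primary data bucket (name is a constructed placeholder).
resource "aws_s3_bucket" "primary" {
  provider = aws.primary
  bucket   = "example-org-primary-data"
}

# Replication requires versioning on both source and destination.
resource "aws_s3_bucket_versioning" "primary" {
  provider = aws.primary
  bucket   = aws_s3_bucket.primary.id
  versioning_configuration {
    status = "Enabled"
  }
}

# The "alternate processing site": the same data, in a different region.
resource "aws_s3_bucket" "alternate" {
  provider = aws.alternate
  bucket   = "example-org-alternate-data"
}

resource "aws_s3_bucket_versioning" "alternate" {
  provider = aws.alternate
  bucket   = aws_s3_bucket.alternate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Least-privilege role that S3 assumes to perform replication.
resource "aws_iam_role" "replication" {
  name = "s3-cross-region-replication"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "s3.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "replication" {
  name = "s3-cross-region-replication"
  role = aws_iam_role.replication.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read the source bucket's replication config and object versions.
        Effect   = "Allow"
        Action   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
        Resource = aws_s3_bucket.primary.arn
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObjectVersionForReplication",
          "s3:GetObjectVersionAcl",
          "s3:GetObjectVersionTagging",
        ]
        Resource = "${aws_s3_bucket.primary.arn}/*"
      },
      {
        # Write only to the alternate bucket; nothing else.
        Effect   = "Allow"
        Action   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
        Resource = "${aws_s3_bucket.alternate.arn}/*"
      },
    ]
  })
}

# The replication rule itself: every object written to primary is copied
# to the alternate region automatically.
resource "aws_s3_bucket_replication_configuration" "primary_to_alternate" {
  provider   = aws.primary
  depends_on = [aws_s3_bucket_versioning.primary]
  role       = aws_iam_role.replication.arn
  bucket     = aws_s3_bucket.primary.id

  rule {
    id     = "to-alternate-region"
    status = "Enabled"
    filter {}
    delete_marker_replication {
      status = "Disabled"
    }
    destination {
      bucket        = aws_s3_bucket.alternate.arn
      storage_class = "STANDARD"
    }
  }
}
```

Two points for anyone mapping this to a framework control: replication is only the data half of an alternate site, so the compute and DNS failover path still has to exist and be exercised on a schedule, and the replication role above is deliberately scoped to two buckets so that a compromise of the replication path cannot reach anything else in the account.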
To read the complete article, visit Dark Reading.