Page 34 - Cyber Defense eMagazine February 2024
disclose material cybersecurity incidents within four days of determining materiality. Additionally, the
Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative will allow cases of fraud related to
organizational misrepresentation of cybersecurity capabilities to be pursued. The DOJ has already taken
action against a number of organizations, such as a recent settlement with Verizon that resulted in a $4
million fine.
So, how does a CISO ensure that the organization is continually meeting compliance obligations and
using due care with respect to cybersecurity strategy, controls, and outcomes? A key capability to
consider is the implementation of a system of record. A system of record establishes an authoritative
source of truth about the organization’s cybersecurity program that helps leadership understand the
cybersecurity posture of the organization, align cybersecurity investments with strategic objectives, and
meet regulatory obligations. A system of record may include the results of security and risk assessments,
metrics related to security controls, status of planned and in-progress improvement activities, and an
understanding of the potential impact of threats.
CMMC requires defense contractors to provide an annual affirmation that the organization is maintaining
compliance with the security requirements. A system of record will provide a CISO and other senior
officials with the necessary support and justification to affirm compliance in good faith. Additionally, a
system of record can help the organization justify that cybersecurity decisions were made based on sound
rationale and best available information. This can be particularly useful post-breach if the organization
needs to answer to regulators, the government, customers, and other stakeholders.
Access to advanced attack techniques, even by less sophisticated threat actors, is driving increased
scrutiny of cybersecurity measures. It is paramount that organizations carefully review their cybersecurity
capabilities—regardless of maturity level—and evaluate if they will be durable when tested. Beyond
adopting new security requirements, organizations should place the development of a performance
management program high on their list of program improvements. Establishing and monitoring metrics is
critical to ensure that security controls are performing adequately, to protect the organization, and to validate
compliance with regulations such as CMMC. When those metrics are coupled with a system of record, organizations
can more effectively prove that they have not only achieved and maintained compliance, but have done so with
appropriate due care. Compliance without cybersecurity performance monitoring and improvement is a
poor organizational investment.
About the Authors
Richard Caralli is a senior cybersecurity advisor at Axio with
significant executive-level experience in developing and leading
cybersecurity and information technology organizations in
academia, government, and industry. Caralli has 17 years of
leadership experience in internal audit, cybersecurity, and IT in the
natural gas industry, retiring in 2020 as the Senior Director –
Cybersecurity at EQT/Equitrans. Previously, Caralli was the Technical Director of the Risk and Resilience
program at Carnegie Mellon's Software Engineering Institute CERT Program, where he was the lead
researcher and author of the CERT Resilience Management Model (CERT-RMM), providing a foundation
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.