In response to the Biden administration publishing guidelines yesterday regarding how federal agencies and government contractors will comply with President Biden’s demand that federal systems and vendors meet common cybersecurity standards, Kev Breen, Director of Cyber Threat Research at Immersive Labs, made the following comment:
MEMO: “Within 180 days of the date of this memorandum, agency CIOs, in coordination with agency requiring activities and agency CAOs, shall assess organizational training needs and develop training plans for the review and validation of full attestation documents and artifacts.”
Cybersecurity is an increasingly pressing area of concern for governments and businesses in the U.S. and worldwide. We believe that a people-centric approach is a key component of any successful cybersecurity initiative, including a greater focus on proving organization-wide cyber resilience. Traditional software approaches and outmoded one-off training sessions or certificates are not enough in today’s threat environment. Cybersecurity needs to be a team sport with organizations continually assessing, building, and proving cyber preparedness through real-world simulations.
MEMO: “If the software producer cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form, the requesting agency shall require the software producer to identify those practices to which they cannot attest, document practices they have in place to mitigate those risks, and require a Plan of Action & Milestones (POA&M) to be developed.”
Application security (AppSec) vulnerabilities are increasing. Attackers consistently look for new ways to exploit applications, and even the smallest of vulnerabilities can lead to a full-blown data breach. Yet, executives’ focus on rapidly shipping new products to market means that cybersecurity is not always the top priority, potentially exposing companies to millions in lost revenue and damaged brand reputations. To safeguard companies, application developer (AppDev) teams need to upskill their people, prepare for rapidly evolving vulnerabilities, and prove their readiness to confront them. Despite the marketing hype, AppSec software and classroom-based training exercises alone fail to meet the mark. While AppSec software can provide a first line of defense, it can’t measure preparedness. Likewise, making teams take online cybersecurity quizzes or get a one-time certificate is woefully inadequate for developing the skills necessary to thwart emerging threats. Today, a new people-centric approach to team learning and preparedness called Cyber Workforce Resilience is paving the way for better security. The future of AppSec will include sophisticated tools that simulate real-world threat situations, allow teams to practice effective security protocols without fear of breaking their code, and help enterprises benchmark capabilities across the entire SDLC. Cyber resilience for the organization will increasingly be expanded to the entire workforce. Savvy enterprises are already implementing such tools to protect their end-users, reputations, and revenues, while proving their preparedness to senior leadership teams and their Boards.