Last Wednesday marked a significant milestone as the Cybersecurity and Infrastructure Security Agency (CISA) unveiled its eagerly awaited draft rules on cybersecurity incident reporting. The aim: give the federal government a better understanding of breaches impacting critical sectors, including healthcare, manufacturing, energy, financial services, transportation, and water utilities.
Enacted in 2022, the law underpinning these regulations seeks to improve the government's capacity to monitor incidents and ransomware payments effectively. Homeland Security Secretary Alejandro Mayorkas emphasized that the data gathered will let CISA and other relevant agencies enhance their incident response strategies and pinpoint vulnerabilities within the nation’s critical infrastructure.
At its core, the proposed rules mandate organizations to report significant cyber incidents within 72 hours, and ransom payments within 24 hours — a tight timeframe that has many in the cybersecurity community concerned.
Treading on shaky ground
Cybersecurity professionals, already grappling with over 36 reporting requirements across federal and state levels, find themselves at a crossroads with these new federal directives.
Albeit well-meaning, these guidelines threaten to put organizations in operational chaos, complicating the already intricate dance of early cyberattack assessment. Many in the cybersecurity industry are calling the proposed rules costly and duplicative, which will ultimately burden an already-overwhelmed security workforce. Not only that, but there’s the fear that detailed disclosure of any given incident could give bad actors information they could use to pursue an exploit.
Despite challenges, including an increased administrative workload, this represents the first comprehensive effort by the federal government to standardize cybersecurity regulations across all critical infrastructure sectors, from healthcare to financial services.
The draft rules aim to provide a clearer framework for cyber incident and ransom payment reporting. CISA’s approach to treating reports confidentially and publishing anonymized statistics could mitigate concerns over information sharing.
So the crux of the matter is not whether these regulations are necessary—they unequivocally are—but how can we implement them in a way that respects the practical realities of those on the cybersecurity frontlines. The success of these regulations hinges not just on their content, but on their execution and the flexibility they offer businesses to adapt without undue burden.
But, at the end of the day, there are factors that we can’t control, so CISOs will need to think of ways to make any new requirement into a mechanism for greater efficiencies around security governance processes, metrics, and workflows. Here are several pointers:
- Transform security governance processes: CISOs can use new requirements as an opportunity to enhance efficiency in security governance processes, metrics, and workflows.
- Update the security incident response playbook: Given the new demands for faster and more detailed disclosures, CISOs should revise their security response playbooks, possibly increasing the frequency of log analysis, enhancing observability, and automating reporting processes.
- Update compliance and risk management practices: CISOs need to adjust compliance and risk practices to align with CISA (and SEC) rules, considering more frequent compliance exercises and exercising caution in internal communications to manage legal risks.
- Instrument playbooks and processes for compliance verification: Investing in systems to programmatically collect, categorize, and report on security response and compliance processes enables objective verification of compliance, allowing for better understanding of team behavior and identifying areas for improvement.
- Optimize the existing security stack: Implement process capture to understand and improve security workflows. Teams should also deploy new security process metrics, such as mean-time-to-triage and playbook-compliance-percentage to enhance the security stack's effectiveness.
- Make security governance transparent and efficient: Leverage automation and transparency in security and compliance processes. This will let CISOs monitor and observe coordination and cooperation effectively, leading to improved security while reducing costs and risks.
- Establish clear executive roles and responsibilities: CISOs and security teams need to collaborate and communicate with other business stakeholders, including the CEO, CFO, Chief Counsel, as well as corporate communications teams and departments. It’s important to define these roles, and then create a plan for how they work together to assess and make decisions about incidents. Test the plan regularly to ensure alignment, engagement, and accountability.
The intentions are good
As CISA opens the floor for comments from the industry, it presents a golden opportunity for stakeholders to engage in a constructive dialogue. We’re at a perfect moment to shape policies that strive for the highest security standards, and also recognize the operational constraints and realities faced by organizations.
A collaborative approach between the public and private sectors can pave the way for a cybersecurity framework that’s both robust and pragmatic. We’ll also need to balance the demands of the proposed rules with operational practicality.
We have a complex journey ahead, but through collaborative effort and constructive dialogue, we can navigate the tightrope of compliance and operational realism to ensure security and compliance.
John Morello, co-founder and CTO, Gutsy
