Last week, PinnacleOne examined the growing trend towards digital sovereignty, manifesting in national competition to secure and lead increasingly strategic cloud, AI, and space networks.
This week, we consider what the Office of National Cyber Director’s Annual Report means to modern enterprises.
Please subscribe to read future issues — and forward this newsletter to interested colleagues.
Contact us directly with any comments or questions: [email protected]
The Office of the National Cyber Director (ONCD) released its inaugural report on the cybersecurity posture of the U.S. last week. The report detailed a contested, complex, and interconnected environment for the U.S. government to navigate. Underlining the greatest hits of last year, like the Volt Typhoon disclosures and multiple takedowns of criminal hacking groups, the report detailed the offensive steps the government took to impact malicious actors. But, most of the content is focused on what the government can do to improve defensive conditions in the U.S. To that end, we have adapted some of the report’s themes for modern enterprise defenders to consider.
Who are you hiring? The U.S. is a leader in cybersecurity education and talent training. Governments around the world, including China, copied early U.S. efforts to educate a generation of defenders and hackers. The highly-respected National Security Agency, along with many other federal government partners, certified some universities as Centers of Academic Excellence. Their graduates are sure to make excellent hires for corporate cybersecurity teams.
The people hired to run your cybersecurity shop are the most important thing you will spend your budget on. Your team designs the business processes, deploys the tools, conducts hunts, remediates incidents, and protects the bottom-line. But, good talent costs money and cybersecurity teams are frequently hamstrung by the payscale HR sets.
Consider what the U.S. government has done: exempting cybersecurity talent from government pay scales and allowing experts to grow in place. This HR system is two-fold. First, cybersecurity jobs are on a different pay scale than other government jobs to attract qualified candidates. Second, defenders are allowed to grow their compensation in place. Mature teams need experts, and experts need to remain in their domain of expertise to provide value to the organization. Too often, pay increases are only accessible to people as they move up the corporate management ladder. To stop this loss of talent, some government agencies will advance technical experts up the pay scale consistent with the highest-levels of management pay, just to keep that person in place and not incentivize them to pursue management.
Use your money wisely and demand more from your suppliers. The U.S. government is moving to use its purchasing power to drive cybersecurity requirements. As a massive purchaser, it is nearly impossible for companies to match the influence of the U.S. government. That said, if industry associations move in concert to require specific features or design protocols to purchase goods, and these requirements are clearly articulated with timelines for implementation, they may well have the intended impact. Coordinating with partners through your industry’s ISAC is a good place to start.
Who can provide you visibility into the things you need to know about the systems you rely on? How does that provider gain information about particular threat actors, their interests, and how do they communicate it to you?
Cyber threat intelligence is often consumed by cybersecurity teams not mature enough to use it. These teams accept whatever cut-rate intelligence they can afford without thought to the provider’s visibility, value to defenders, and timeliness of intelligence. When they do receive an intelligence report, it is often marveled at, categorized, and then forgotten.
Mature teams digest intelligence differently. They understand the frequency at which tools are scanning, collecting, and disseminating. They understand the threat landscape well enough to know which threat actors matter most to them, including when to action intelligence with a threat hunt in their environment and when to ignore it.
The 2024 Annual Report from the Office of the National Cyber Director emphasizes the importance of accurate and timely intelligence distribution to defenders. What is in your hands, is whether the intelligence that reaches your team can be of use.
Companies cannot control the threat environment in which they operate. The reams of technology deployed across corporate enterprises today are almost entirely out of the control of their consumers. But, there are important levers corporate leadership can pull to improve network security: talent, procurement, and intelligence.
Talent is the base of cybersecurity. Top-notch defenders should work in concert with IT teams to determine procurement decisions of tools, hardware, and software in the environment. Finally, those same teams will be mature enough to find good intelligence from providers with the visibility required to provide impactful analysis. The U.S. government may be far different from modern enterprise, but the ONCD’s recent report gives the C-suite much to chew on.