Examining the Wins and Challenges of National Cybersecurity Policies

Policy moves slow, by design, and threats are moving faster.


When we’re assessing how well national cybersecurity policies respond to current security threats, it’s important to keep one thing in mind: this is an incredibly complex task given the deck of cards governments are essentially forced to play with.

In short: they do the best they can with what they have. But policy moves slowly, by design, and threats, especially AI-driven threats, move much faster. The match-up is asymmetric in nature and unfair by definition, but the right approach is to keep pressing forward.

And that’s what national cybersecurity policies are doing very well. But cyber defense is a team sport, and not even a star cyber athlete can do it alone. That’s why we’re looking at what private sector security vendors and non-policy frameworks can do to close the gap and win the game.

Pace of Policy vs. Speed of Threats

Policies designed at the national level take years to go into effect, and months even when they’re moving at a more rapid pace.

In the U.S., strides have been made towards zero trust implementation and better reporting. Thanks to trickle-down effects from Executive Orders like EO 14028, federal agencies are now required to adopt ZTA, implement least-privilege access, and bolster identity verification. These are clear wins.

Besides this, key strategies and directives in the U.S. include:

  • National Cybersecurity Strategy (2023).
  • Presidential Policy Directive 21 (PPD-21).
  • Presidential Policy Directive 41 (PPD-41).
  • Federal Cybersecurity Workforce Strategy (M-16-15).

In the UK and EU, counterparts include:

  • National Cybersecurity Strategy 2022 (UK).
  • Data Protection Act 2018 (DPA 2018) (UK).
  • NIS2 (EU).
  • DORA (EU).
  • Cyber Resilience Act (EU).

Challenges of National Policies: Too Big, Too Broad?

The intent and content of these policies are strong. Implementation and applicability are where other team members need to step in.

When national cybersecurity policies roll out, they’re typically expansive. Even the relatively faster-moving frameworks we see from CISA and NIST can hit a SOC’s desk like a new security dictionary; NIST SP 800-53 alone is over 400 pages in length.

This is great for thoroughness, but not necessarily for implementation. In over seven years at Fortra, I have yet to speak with a company whose security team is not 100 percent utilized on keeping the ship running. I have yet to meet the organization with spare time on its hands, particularly 400-page amounts of spare time. And yet, these frameworks are gold from a security standpoint. So how can we best navigate forward?

Here are a few possible workarounds:

  • Policies come with phased implementation toolkits. Instead of attempting to take on the whole policy in one go – which tends to paralyze teams and get forgotten – supplemental resources come out that help teams take the hill in bite-sized chunks.
  • Security providers and MSSPs step up. Not complying with national cybersecurity mandates is not an option, but most orgs (even big ones) can’t afford to devote the time or security resources to making wholesale overhauls.
  • Companies can outsource the work of policy implementation to MSSPs and security providers that have shown experience and success in implementing government compliance standards. Then, once these private sector partners have prioritized the compliance adjustments, teams can pursue them at a systematic, measured pace.
  • Note: Compliance isn’t an all-or-nothing process. Before you can be fully compliant, you need to be partially compliant. Most organizations live in this in-between, but the important thing is to be strategically compliant as you go. And this is where security vendors can help.

Drilling Down to Specifics

Another challenge national cybersecurity policies face is the necessary evil of being too broad. They are forced to give suggestions and mandates at a high level, but this fails to suit specific use cases – and every agency has its own unique profile. As a result, teams can struggle to translate the broad guidance into the specifics that work for them.

Here’s a possible workaround: Policies come with a handful of playbooks and use cases. There can never be something custom fit to an individual architecture, but there are similarities that can be accounted for (small vs. mid-sized, mostly on-prem vs. mostly cloud). This kind of actualized, scenario-based guidance makes things more accessible, bringing it down to a practical level so teams can go from there.

As we look at these trends, we see that even with all hands on deck, it’s still not enough. Threats evolve and move fast. National compliance policies are trying to keep up but are stymied by their very nature. Teams need smaller, more accessible guidelines to bridge the gap, and help prioritizing and implementing fixes once they do.

This is why compliance is a team sport. Every member is important, but where the industry has a huge opportunity to move the needle is in creating the expectation that teams need compliance consultants partnering with them on the journey, not just more advice.

Skilled vendors that have worked extensively in the government cyber compliance space can provide a huge benefit here: auditing architectures to find compliance gaps, breaking down large policies into bite-sized chunks, and prioritizing wins so that the journey towards total cybersecurity compliance is undertaken thoughtfully and strategically.

As Chief Strategy Officer at global cybersecurity company Fortra, John drives the company’s transformation to a platform company and into one of the world’s leading cybersecurity providers.
