The newly released National Cybersecurity Strategy Implementation Plan signifies an unprecedented step toward fortifying the United States’ critical infrastructure protection and bolstering national security. This ambitious effort, while necessary, presents us with a significant challenge: How do we accurately capture the current risk posture across all the enterprise environments comprising the 16 critical infrastructure sectors, which is an essential first step toward achieving enhanced security maturity?
Interestingly, we don’t need to reinvent the wheel. We already have robust models designed to measure and improve the security and risk posture of diverse environments at our disposal: security standards, frameworks, mandates, and operating directives. However, traditionally, these resources have been employed as lagging indicators, relegated to the function of historical reporting rather than proactive risk management. Inherited from the fields of accounting and financial audit, cybersecurity compliance has unfortunately maintained the same retrospective focus, ignoring the radically different nature of cyberspace and the need for cyber risk management practices to…
