Cybersecurity frameworks are not enough to protect organizations from today’s threats

Check out the Low-Code/No-Code Summit on-demand sessions to learn how to successfully innovate and achieve efficiencies by enhancing and scaling citizen developers. Watch now.

As cybersecurity incidents proliferate, critical infrastructure and global enterprises are increasingly targeted by financially motivated cybercriminal gangs and even nation-state threat actors. Today’s organizations face multiplying threats and increasing risks in an ever-evolving threat landscape.

Last year, new cryptojacking and ransomware programs increased 75% and 42%, respectively, while OT vulnerabilities increased 88%. Overall, businesses experienced an average of 270 attacks in 2021, 31% more than in 2020.

It’s clear that threats are growing at a rate never seen before, leaving security teams grappling with the seemingly endless challenges that these risks bring. To address the business risk that is now at the forefront of cybersecurity board conversations, companies in the public and private sectors have implemented cybersecurity frameworks such as NIST and MITRE ATT&CK.

Cybersecurity frameworks are designed to help businesses and governments better understand, manage, and reduce their cybersecurity risk. Currently, all 16 critical infrastructure sectors, including energy and manufacturing, use the NIST framework, while 80% of companies use MITER ATT&CK. A recent ThoughtLab study highlights that leading organizations often use more than one framework to meet global standards and improve cybersecurity outcomes.


smart security summit

Learn about the critical role of AI and ML in cybersecurity and industry-specific case studies on December 8. Sign up for your free pass today.

Register now

While frameworks like NIST and MITRE ATT&CK provide a practical foundation for basic cybersecurity practice, organizations should view them as the beginning of their cybersecurity journey, not the final destination. To ensure they have an effective and comprehensive security program, companies need to further develop frameworks, moving beyond a “check the box” mentality to achieve a continuous state of security.

Disrupt the traditional reactive “scan and patch” approach

While frameworks like NIST and MITRE ATT&CK provide organizations with a starting point, these frameworks focus on reactive strategies that are no longer sufficient to keep up with the pace and volume of threats. For example, two of the five basic pillars of the NIST cybersecurity framework focus on detection and response tactics, which take place only after an attack. While the MITER ATT&CK framework is a guide for classifying and describing cyberattacks and intrusions, the guidance it provides is also tied to a response tactic for an attack.

The reactive strategies described in cybersecurity frameworks that focus on scanning and patching are not only time consuming and labor intensive; in many cases, they also do not convey the level of risk associated with a threat. This often results in valuable resources being wasted on false alarms.

While the cybersecurity frameworks are voluntary guidelines for private sector organizations, federal agencies and government contractors must comply with the NIST cybersecurity frameworks. This creates a strong focus for public sector organizations on achieving compliance rather than developing proactive strategies that will have a more significant impact.

Fight today’s cybersecurity threats proactively

The threat landscape has evolved dramatically, while cybersecurity practices have sadly lagged behind. Traditional approaches are no longer sufficient to withstand an expanding attack surface and growing threats, so what is the alternative? A recent study by ThoughLab sheds light on how a group of organizations are changing the narrative, ignoring the reactive models of the past and shifting cybersecurity to a process of precise and continuous exposure and threat management that can identify and reduce risks.

This proactive approach to cybersecurity involves regularly assessing risk probabilities and impacts, performing advanced scenario and quantitative analysis, incorporating cybersecurity into enterprise-wide risk management, and working with business leaders. business to proactively mitigate risks. A risk-based approach enables organizations to achieve greater cybersecurity proficiency by giving them the tools to identify, measure, prioritize, and manage the threats they face.

In the midst of today’s economic uncertainty, security leaders need a way to achieve timely risk reduction while ensuring they have tools capable of quantifying the economic impact of cybersecurity risks on the business. By quantifying risk through risk analysis, organizations can identify and prioritize threats and ultimately calculate the true ROI of their cybersecurity strategies.

Risk-based cybersecurity has been shown to reduce breaches

By taking a proactive approach to defending against critical threats, organizations can effectively focus remediation efforts on the vulnerabilities that expose them to cyberattacks. According to recent research, 48% of organizations with no breaches in 2021 took a risk-based approach to their security programs.

Coupled with cybersecurity frameworks, modern risk-based strategies enable organizations to create impactful modern cybersecurity programs that defend against today’s unpredictable threats, especially for security teams tasked with protecting complex environments.

Gidi Cohen is CEO and founder of Skybox Security.


Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including data technicians, can share data-related insights and innovation.

If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data technology, join us at DataDecisionMakers.

You might even consider contributing an article of your own!

Read more from DataDecisionMakers

Leave a Comment