ISMG Editors: Will Others Follow US Lead to Legislate SBOMs? Also: Complying with PCI DSS 4.0 and Managing Security Budget Cuts. Anna Delaney (annamadeline) • September 30, 2022
In the latest weekly update, three editors at Information Security Media Group discuss important cybersecurity and privacy issues, including an analysis of how organizations can comply with the new PCI DSS 4.0 requirements, whether other countries should follow the U.S. lead on legislating software bills of materials, and key strategies for CISOs preparing for an economic downturn.
The panelists - Anna Delaney, director of productions; Suparna Goswami, associate editor, ISMG Asia; and Tony Morbin, executive news editor, EU - discuss:
- Highlights from an interview with Ferdinand Delos Santos and Rokon Zaman of Verizon on how organizations can navigate new regulatory requirements in the payments space;
- Whether other countries should follow the United States' lead in SBOM legislation, given questions about readiness and opposition from some U.S. federal agencies on mandating compliance;
- Takeaways from an interview with CSO George Finney of Southern Methodist University on how security leaders can build cyber maturity on low budgets.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 16 edition discussing the increasing use of intermittent or partial encryption by ransomware gangs and the Sept. 23 edition on the industrywide implications of a teenager hacking into Uber's internal systems.
Anna Delaney: Hello, I'm Anna Delaney and this is the ISMG Editors' Panel, where members of the editorial team convene to review some of the most interesting cybersecurity issues of the moment. It's a cozy trio this week. I am delighted to be joined by Suparna Goswami, associate editor for ISMG Asia, and Tony Morbin, executive news editor for the EU. Great to see you both.
Suparna Goswami: Always a pleasure.
Delaney: Tony, tell us where are you zooming in from today?
Tony Morbin: I'm out in space, but really a way of getting a kind of a globalization type-theme. So, that's my excuse.
Delaney: Yeah, very good. Space is always relevant in cybersecurity. Suparna, tell us more.
Goswami: Yes, the background is of a nine-day festival in India, which began earlier this week. So lots of celebration across the states; different states celebrate it in different ways. What you see in the background is a dance form famous during this time of the year called Dandiya. So there is dancing, lots of food, grand celebrations across most of the states in India, and this is called Navratri, meaning nine nights.
Delaney: You do your festivals very well. That must be said. I am in Brussels this week, on a city break to Belgium. While I was going through pre-pandemic photos, I came across this fun jazz club in the city. I thought it was quite Edward Hopper-esque at the time. Bringing some jazz to the panel this week. Suparna, you conducted a very informative interview recently with two members of Verizon on PCI DSS 4.0: How to Comply With New Security Requirements. It'll be great if you could start us off with a bit of background on the standard and what changes these new requirements introduce for the payment space.
Goswami: Sure, Anna, thank you. So, as you mentioned, I did talk to a couple of speakers on Verizon's latest Payment Security Report. It's the 10th edition. And the report analyzes the changes that are brought about by the latest PCI DSS version, PCI DSS 4.0, and what it means for companies. The version was introduced earlier this year, and the report analyzes what the changes are and how companies must comply with them. So the goals of PCI DSS 4.0, essentially - I did go through the report and it was essentially four goals: ensure the standard continues to meet security requirements; they have added a lot of flexibility, and this is something that I found throughout the report, the term flexibility; promote security as a continuous process; and enhance validation methods. So the earlier versions of PCI DSS were prescriptive in nature, and they actually described what you need to do with tighter controls. Now, for such tighter controls, an enterprise can take a customized approach. And this is mainly to give organizations the flexibility to try different methods to support security. And like the previous version, this version too puts a lot of emphasis on continuous monitoring. Continuous monitoring has always been a requirement of PCI DSS, but the new version places more emphasis on it. So the people I spoke with, the experts - and I'm quoting them here - said the whole bottom line is that you cannot do the minimum; you have to make compliance an ongoing activity instead of just a one-off. And just following a standard is not enough to implement controls. They said the new version says it is essential to measure and report the control effectiveness of tools. Now again, by tools, you don't really mean only technology tools, but the entire process, including having a proper structure and governance in place. And the other speaker mentioned that enterprises need to define a maintenance process to address the sustainability of controls.
And this must be part of your business-as-usual program, since cybersecurity is not a siloed process. One needs to ensure that it is implemented properly and that it matches the organization's management goals. And this is one of the primary reasons that this PCI DSS version has moved away from being prescriptive, as I mentioned before, so that enterprises can match security management goals with those of the business and have that flexibility. I'll play a part of the recording. I think that's very relevant, and probably we can talk more about it.
Ferdinand Delos Santos: Organizations should continue to evolve. You have to meet compliance as an ongoing activity instead of as a one-off. So I can imagine, off the top of my head: first, you have to ensure that your scope is very well maintained. And of course, you'd have to expand your programs with the ongoing changes in your environment. Of course, you have to upgrade from a business processing point of view and everything. The shape of the organization changes, your culture and your people as well. And secondly, you have to implement a process for performing a business impact analysis on an ongoing basis, and measure and take into consideration if there are business decisions or strategies that have to be taken into consideration for that. Rokon, would you want to add more on those recommendations here?
Rokon Zaman: Yeah. I'd like to give a few other examples. For example, security awareness: it cannot be a once-a-year activity. Security awareness and education should be an ongoing activity, like emerging threats in the environment. Because nowadays, we have a new threat or a new vulnerability every day. So it should be on an ongoing basis. The effectiveness or performance of security controls should be measured and inputted to ensure security activities are being performed on an ongoing basis, implementing a continuous improvement process to ensure issues are collected and controls are measured accurately. So that feedback needs to go back into the process, and it should be an ongoing management and improvement process built in.
Goswami: What I understood as the general feedback from CISOs is that there are too many standards out there, and it becomes a mammoth task for them to follow all the standards. And hence, the major theme of the new requirement is having a customized approach. And you will see these two words, customized approach, being repeated throughout the document of this version. So aside from this, the current version has also emphasized some of the technical requirements: for example, an anti-phishing solution was never mentioned in the previous version, and it has now become a requirement. Web application firewall - earlier, it was an optional solution, but now it is a mandatory solution. So yes, these are some of the changes, and it becomes mandatory from April 2024.
Delaney: Okay, so I think they also discussed key strategies for implementing this new standard across organizations. And I think you can share some of that with us.
Goswami: So the key strategy, according to them, has been to get into the process early and involve the business. Because, as he said, cybersecurity is not a siloed thing. So you need to involve the business and assign the tools that match your business goals. So if you're facing problems with phishing, you can't just be happy with some solution and say, "Okay, I've complied," and not have an anti-phishing tool. Similarly, if you're having problems with your identity, you can't just be happy with anti-phishing tools, saying, "Okay, I've complied," and not really have a tool that addresses the problem. So they say map your tools to the problems that you face.
Delaney: Okay good. And I think they also discussed education and a mindset shift.
Goswami: Of course, and you will see it and hear it everywhere. I think every CISO says the technology can only play a certain role, but it's people who actually go out and implement the technology. So people education is very important. And this is something that they have put a lot of emphasis on. I'm sure CISOs would agree as well. And in your conversations with CISOs, you too would have heard how important a role education plays. And it is not only about that; he said it can't be one-off education like you do once a year. It has to be a continuous thing, and you need to come up with innovative methods to make it more interesting, because if you just say, "Okay, there is a session," people do not really understand the importance of it until you get people involved, make it more practical, involve them in certain things, rather than it just being theoretical in nature.
Delaney: Or continuous being the word in many respects for this. Well, that's very informative. Thank you so much, Suparna. Tony, it's interesting times for the SBOM. What's the latest?
Morbin: Coincidentally, I'm also looking at aspects of standards and the standardization of standards. So, obviously, many of the most devastating cyber attacks have been the result of compromised software from a supplier, whether that's the $10 billion in commercial assets and losses due to NotPetya, which was first delivered via accounting software, to the deep infection of highly sensitive networks by SolarWinds. Of course, more recently, we've had the ubiquitous Log4j. It was described by many as a wake-up call for the industry. Well, that was more like a bucket of cold water over our heads after we've consistently ignored the alarm clock urgently ringing. But that widespread vulnerability did see software supply chains leap up the risk register. In the U.S., the Biden Executive Order resulted in legislation for a software bill of materials for federal software purchases. Now, not everyone has actually located all their instances of Log4j even now, and more shockingly, downloads of vulnerable Log4j still exceed those of the updated version. But as one participant at the recent ISMG Roundtable noted, at least now we've identified all of our critical systems. Now we just have to find Log4j elsewhere. It was way back in 2014 that the U.S. Cyber Supply Chain Management and Transparency Act was proposed for government agencies to require SBOMs for any new product that they purchase. It didn't pass at the time, but it did inform last year's May Presidential Executive Order, calling on NIST to issue guidelines for creating an SBOM. Now, those providing software to the U.S. federal government need to provide SBOMs that detail the components used and the changes made between versions, and this includes information about libraries, add-ons and custom source code utilized by an application.
In addition to the NIST guidelines, there's the NTIA (National Telecommunications and Information Administration) standard; ENISA in Europe, BSI in Germany, NCSC in the U.K. and others have also issued guidelines on creating SBOMs. It remains to be seen if these will actually translate into standards or regulations. Though in the U.K., there are planned government procurement rules in the public sector for 2023, and they followed a consultation on the security of digital supply chains and third-party IT, so that may well end up producing an SBOM requirement. But standard SBOMs don't include some aspects of cybersecurity and compliance like API calls, passwords, control flow, PII, cryptography, hardware, various things. And there's been some kickback against calls by some U.S. government departments to mandate SBOMs right now. The Alliance for Digital Innovation, BSA Software Alliance, Cybersecurity Coalition and the Information Technology Industry Council say that some of the new legislation leapfrogs ongoing administrative efforts to mandate an SBOM and to establish a proper standardized SBOM. In the U.S., Ross Nodurft, executive director of the Alliance for Digital Innovation, said the process of producing and implementing the inventory lists of software components is not mature enough to be codified into law at this time. He is urging the White House to continue its work in developing and standardizing SBOMs for federal agencies before the practice is mandated into law by any of the departments. Now, to my mind, cybersecurity has become like aviation, or the law of the sea, or space, which is my tenuous link to my background. We don't want different national standards or regulations; we want one interoperable standard that we can all comply with. For the benefit of us all, we need a global standard that we can adhere to. Now, okay, for speed of implementation, that may mean that we initially do draw up national standards.
But the aim surely must be to reduce the number of standards as early as possible. So that's my plea there.
Delaney: Yeah, that's interesting. Interesting about the kickback actually. Do we know the extent of organizational SBOM readiness in the U.S.?
Morbin: No, and there is a slight get-out clause as well, in that if people can actually show that they're working toward implementing it, they will be able to get around some of these government departments which are actually mandating an SBOM. So it's mandated, but there are, as I say, sort of get-out clauses. But I think the principle remains that there are multiple standards and the plea is for there to be one standard.
Delaney: So, as this progresses, what will you be observing closely?
Morbin: Well, people are facing various difficulties actually implementing an SBOM. It's not easy. In most cases, it's going to need automation, because you've just got so many elements of software across a large enterprise; it could be thousands. And you might not even know when you've got open source used within your suppliers' proprietary software. And they might not even know what they've used. And people have got legacy systems where the people who created them are long gone. So it's not an easy thing to do. Automation is the solution. But you want to be automating, as I say, toward a global standard. Obviously, in the U.S., they need to get themselves one standard within the country. ENISA in Europe may play a coordinating role with the European countries. And I would imagine that, like GDPR, a big group establishing an effective standard could become the de facto standard.
Goswami: And I was reading somewhere - or not reading, in fact, I was speaking to one of the CISOs. And he said that SBOM, while it is not a solution to the security problem, is a great enabler to help solve some of the problems.
Morbin: Yes, it's not. Nothing's a silver bullet. This isn't the total solution, because of the adversaries particularly, whether they be state or criminal, because they're both at virtually the same level of sophistication now. You wouldn't have probably found SolarWinds with an SBOM, but you certainly would have been able to fix Log4j a lot quicker if you'd had NIST knowing where it was within your portfolio and within your estate.
Delaney: Yeah. Well, very useful takeaways. Tony, thank you very much. Well, I thought I'd share, as a final story, something that I'm working on: a feature for CISOs who are facing budget cuts, and how they can run a security program on a limited budget. And, as part of this, I had the great pleasure of interviewing a very experienced CISO, George Finney; he's the CSO, actually, of Southern Methodist University in the U.S. And I was asking him about strategies he can recommend for preparing for, and dealing with, an economic downturn, and ways to build cyber maturity on low budgets. So here's what he had to say.
George Finney: I think that for bringing costs down, even if you've got a great tool that you believe in, multi-year agreements are a great way; most vendors will knock 10 or 20% off just because you signed a three-year deal. That's really huge. If you need to stretch your dollar, if you can reduce costs in that way versus having to reduce staff, for example, I think that's a huge win. If you can consolidate vendors: there are a lot of products out there, and there's a lot of overlap. You might have two different products and 80% of what they do is the same. It's a hard thing to do, especially when you've got team members who are trained in those products or who really like one or the other. I think sometimes you've got to make hard decisions. If you are at a deficit in terms of budget for staffing, partner with other teams in IT and do security training. So one of the things we did is we help pay for people outside of the security team to go out and get cybersecurity certifications. They feel great about it, because it's something that they'll take with them through the rest of their career. But we're also building security bench depth, I guess, or better security knowledge across the organization. Again, we're maturing the organization, we're supporting our individuals, but maybe we're also supplementing cybersecurity staff with those individuals, kind of deputizing them, if you will, so that we're not having to add extra headcount. Again, I think there are lots of different creative ways to do that.
Delaney: So some helpful insights. I thought the tooling recommendations were interesting, and, as I said, this is part of an upcoming wider report, but it's an interesting topic. I mean, I know we all read a recent report from the Bank of America on highlights from Black Hat this year, and it seemed to, conversely, indicate no shortage of spending in the industry. So it depends on the size of the organization. Suparna, I know you've hosted a number of summits recently. Are CISOs worried about the same issue?
Goswami: Yes, of course, and aside from that, I was also speaking with fraud practitioners a bit, and they said that whenever there is an economic downturn or news of an economic downturn, it automatically means that fraud increases, because some people will lose their jobs or people have that fear. So invariably there are budget cuts; even adversaries know about that, and fraud tends to increase. And past statistics have shown that even during the pandemic, which was not an economic downturn, we saw how much fraud took place in terms of unemployment fraud or PPP loan fraud in the U.S. So any such news means that adversaries are on the alert that, yes, companies will tend to cut back on their budgets. And that gives them an opportunity to probably attack the companies even more. So there's a whole report that shows how fraud increases as soon as there's any news of an economic downturn or recession.
Delaney: You're absolutely right. Criminals are watching closely, as are we. So finally, sometimes on the Editors' Panel I ask about hot topics of the week, but I thought it'd be interesting to explore the longer view. We're in the last quarter, can you believe, of 2022. So what topics, stories, technologies and trends will you be observing closely as we close this year? I'm curious to know, Tony, what are you looking at?
Morbin: In the background, there's always going to be the Ukraine war that's going on. And it seems to have flared up a bit on the cyber side with hybrid warfare, with both a rise in cyber attacks targeting the energy sector and the coordination of that with kinetic attacks. And the Ukrainian hacking army has also said that it has upped its activity as well. But I guess the other big enterprise story that is continuing is the whole insurance market, because with cyber insurance we've seen rises in premiums, because there have been so many attacks and so much to pay out. There have been restrictions on what's actually covered, whether or not nation-state attacks are going to be covered, and what counts as a nation-state attack; then some companies are even finding it hard to get insurance. So the insurance companies very much want to almost have a tachograph in the cab; they want to actually see what you're doing and see what your security policies and activities are, to be able to price their premium accordingly. So some people are actually voting with their feet, if they're big enough, and self-insuring by putting money aside to cover things rather than getting insurance. But I actually don't personally see that as, ultimately, the way to go. I think they will be coming back to cyber insurance. And long term, it's a really good thing, because it's the private market actually setting the standard for what is good cybersecurity, because at the moment, if a $100 million company spends 1 million or 10 million on cybersecurity, which one is overspending and which one is underspending, or is either? Whereas the insurance companies, once they have the actual data, will be able to say this is what good security looks like. So, I don't think we're there yet. I think that's definitely something that we're going to see really get into the nitty-gritty this year, because of the pressures that we've just had.
Suparna and you were mentioning budgets: as people have less budget, they want to make sure that they're getting real value out of the money they spend. And similarly, the insurance companies can't afford to just take a hit; they have to really home in on what they are actually covering and what the risk is.
Delaney: Yeah, and it'd be interesting to see if others follow Lloyd's decision to cut cyber insurance. So watch this space. What are you looking at?
Goswami: So, zero trust is something I have been looking at through the year, and I love the way the conversation has changed from how it was last year. In the beginning, it was why zero trust is important; last year it was which approach to zero trust one should take, how should we go about it? And now it has gone very deep into how do we do authorization around zero trust, or how do we do continuous monitoring around zero trust, which is not an easy thing to do. So I'm seeing the conversation changing from being very broad to very niche now. And the other topic that I would be very interested in covering or following is India's data protection bill, which the parliament is expected to launch any time. And I would love to see the changes that the new bill has made compared to the previous one, and when exactly it will become law. We have been delaying it for many years now. So I would love to see India really gearing up for a data protection law soon. But before that we need to pass the bill. So the bill should be out any time; that's what we heard. So I will be closely following that space.
Delaney: Absolutely. I think the whole world is watching what will happen in that respect. So, thank you very much, Suparna and Tony. This has been a pleasure, as always.
Goswami: Thank you.
Morbin: Thank you.
Delaney: And thanks so much for watching. Until next time.