The cybersecurity mandates are about to become very real, very fast
October 5, 2021
Are you ready?
For companies included in the 16 critical infrastructure industries, the Biden Administration's regulations and guidelines on cybersecurity are about to become very real, very fast. Through an Executive Order on Improving the Nation’s Cybersecurity in May and various voluntary industry sprints such as 100-Day Plans, mandatory TSA pipeline security directives and, most recently, critical infrastructure control systems performance guidelines, the administration is making good on its commitment to “leverag[e] every authority” . . . and outline “approaches, both voluntary and mandatory” to raise the level of cyber hygiene across all critical industries. Most recently, the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency issued “preliminary cybersecurity goals” for critical infrastructure control systems.
Companies that operate and depend on industrial control systems (ICS) and operational technology (OT) need to determine how the goals and various downstream ripples will affect them, what they need to do to comply and how to show regulators a plan that proves they are taking the right kind of action.
This is a good idea for two reasons. First, taking these actions will help companies become more secure and more resilient. Of that there is no doubt. Second, companies that don't act could be opening themselves up to a host of regulatory and/or legal liability issues should an incident occur. And since major cybersecurity incidents are occurring on an even more regular basis (indirect attacks in the supply chain are now accounting for 40 percent of cybersecurity breaches*), we believe companies that conform to the new standards or are working from a plan to meet the standards will be ahead of the game. We anticipate that voluntary standards will eventually become mandatory or at the very least de facto standards.
Accenture has been working with our critical infrastructure clients to provide proactive feedback on proposed regulations and guidelines and has been monitoring all their downstream effects. It is clear companies need a diagnostic tool that maps their existing cybersecurity capabilities against new and developing rules and regulations, identifies inevitable gaps and helps with a proactive plan to implement additional cybersecurity resiliency and address the gaps.
Questions you should consider include:
Accenture has developed a new diagnostic capability, along with reference architectures, accelerators and mapped-out controls, to answer all these questions and to help companies take efficient, economical action. It's specific to the new performance goals and is aligned to critical infrastructure sectors. Notably, it doesn't stop at helping companies prepare for what's happening today. It is informed by our insights into what companies need to be ready to smoothly adapt to other changes coming down the road.
Let’s be honest; it won’t be easy. But we also know our diagnostics-based approach and frameworks will make it as seamless and painless as possible, while helping organizations become more secure and resilient.
Accenture’s viewpoint is to remediate gaps as quickly, efficiently and financially prudently as possible. Be prepared, now and for whatever comes next.
*Accenture’s third annual State of Cyber Resilience