Defining Reasonable Cybersecurity: A Guide from the Center for Internet Security
In an era where cyber threats loom large, the need for robust cybersecurity measures has never been more pressing. The Center for Internet Security (CIS) has taken a significant step towards addressing this need by releasing a comprehensive “Guide to Defining Reasonable Cybersecurity” at the RSA Conference this year. This guide aims to clarify what organizations must do to meet the standard of reasonableness in cybersecurity, a concept that has been somewhat nebulous until now.
The Need for Reasonable Cybersecurity
In the United States, laws and regulations are nearly unanimous in requiring that cybersecurity controls must be reasonable. However, until the publication of this guide, there was no universally accepted definition of what constitutes reasonable cybersecurity. Organizations often found themselves navigating a complex landscape of legal requirements and best practices without a clear understanding of their obligations.
The CIS guide, developed in collaboration with experts from both legal and cybersecurity domains, seeks to provide practical and specific guidance for organizations looking to develop a cybersecurity program that meets the general standard of reasonable cybersecurity.
Overview of the Guide
The guide begins with a summary of current Federal and State cybersecurity laws in the United States. It covers a wide range of regulations, including general data security laws, prescriptive laws detailing required security measures, consumer data privacy laws, safe harbor laws, and industry-specific cybersecurity laws. This foundational knowledge is crucial for organizations to understand the legal landscape they operate within.
Following this overview, the authors leverage existing safe harbor statutes and industry frameworks to define reasonable cybersecurity. They outline essential questions that organizational leaders should ask to assess their cybersecurity health and categorize “reasonable” safeguards into six common-sense components:
- Know Your Environment
- Account and Configuration Management
- Security Tools
- Data Recovery
- Security Awareness
- Business Processes and Outsourcing
For those interested in a deeper dive, the complete CIS Guide to Defining Reasonable Cybersecurity is available for download from CIS.
What is Reasonable Cybersecurity?
Reasonable cybersecurity refers to the implementation of security measures that are appropriate and proportionate to the risks faced by an organization. This involves a balanced approach to protecting data and systems, taking into consideration factors such as the size of the organization, the nature of the data, and the likelihood and potential impact of a breach. The ultimate goal is to mitigate risks without imposing excessive burdens on the organization.
It is important to note that reasonable cybersecurity is not a one-size-fits-all solution. Each organization must tailor its approach based on its specific circumstances, including the types of data it handles, the potential threats it faces, and the resources available for implementing security measures.
Why is it Important to Define Reasonable Cybersecurity?
Defining reasonable cybersecurity is crucial for several reasons:
Legal Clarity
Clear definitions help establish legal standards for what constitutes adequate protection. This clarity is essential for regulatory compliance and can be pivotal in legal contexts to determine whether an organization has met its obligations.
Risk Management
Understanding what is considered reasonable allows organizations to better assess their own security measures and identify areas for improvement, leading to more effective risk management.
Benchmarking
Clear definitions provide a benchmark for evaluating the effectiveness of cybersecurity measures. Organizations can compare their practices against established standards to ensure they are taking appropriate steps to protect their data.
Accountability
Defining reasonable cybersecurity helps hold organizations accountable for their security practices, ensuring they take their responsibilities seriously and implement measures that are appropriate for their specific circumstances.
Safe Harbor Laws and Cybersecurity
Safe harbor laws offer legal protection to organizations that meet certain cybersecurity standards. If an organization can demonstrate that it has implemented reasonable security measures, it may be shielded from liability in the event of a data breach. These laws encourage organizations to adopt best practices by providing a form of legal immunity, thereby promoting better overall cybersecurity.
For instance, the Ohio Data Protection Act protects companies from lawsuits alleging inadequate security controls, provided they can show they have a documented security program in place that follows an industry-accepted framework. Similarly, the California Consumer Privacy Act (CCPA) includes a safe harbor provision that protects businesses from certain penalties if they can demonstrate that they have implemented reasonable security measures.
Benefits for Small Businesses
Small businesses often lack the resources and expertise to implement comprehensive cybersecurity measures. A clearer definition of reasonable cybersecurity can provide them with a focused set of data security areas to:
- Reduce the risk of breaches in a cost-effective manner.
- Demonstrate adherence to an accepted set of requirements/standards in case of legal action after a cyber incident.
- Build trust with customers and partners, assuring them that their information is being handled securely.
The Role of Cybersecurity Frameworks
Cybersecurity frameworks, such as the NIST Cybersecurity Framework and the CIS Controls, offer structured approaches and industry-accepted safeguards to manage cybersecurity risks. These frameworks outline best practices and provide a roadmap for organizations to implement high-impact security measures based on their specific requirements and context. By following these frameworks, organizations can ensure they are taking reasonable steps to protect their data and systems, thereby maintaining a robust cybersecurity posture.
Frameworks also facilitate a common language for discussing cybersecurity, making it easier for organizations to communicate their needs and expectations with stakeholders, including employees, partners, and regulators.
How CYRISMA Supports Reasonable Cybersecurity
CYRISMA was developed with the concept of reasonable cybersecurity in mind. It integrates all the necessary tools to implement essential security controls and assess compliance within a single, user-friendly, and affordable platform.
CYRISMA’s compliance module covers the two frameworks most commonly used by organizations to implement and demonstrate reasonable cybersecurity—the CIS Critical Controls and the NIST Cybersecurity Framework. If you would like to see how CYRISMA can help your organization, you can book a detailed demo.
Conclusion
The publication of the CIS Guide to Defining Reasonable Cybersecurity marks a significant advancement in the quest for clarity in cybersecurity practices. By providing a structured approach to understanding and implementing reasonable cybersecurity measures, organizations can navigate the complexities of legal requirements and best practices more effectively. As cyber threats continue to evolve, having a clear understanding of what constitutes reasonable cybersecurity will be essential for organizations of all sizes to protect their data and maintain trust with their stakeholders.