The last several months have been momentous for cybersecurity regulation. In the U.S. alone during 2022, 40 state or territory legislatures introduced or considered more than 250 bills or resolutions that address cybersecurity in some significant way. Per the National Conference of State Legislatures, common outcomes of this legislation include:
- Requires government agencies to implement cybersecurity training; to set up and follow formal security policies, standards and practices; to have incident response plans in place; to provide mandatory training for employees; and to report security incidents, including ransomware attacks
- Provides funding for cybersecurity programs and practices in state agencies, local governments and schools
- Mandates security practices related to elections
- Establishes or supports programs or incentives for cybersecurity workforce training and education programs
The U.S. Congress was equally active at the Federal level, with several major bills passed and signed into law:
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires “critical infrastructure entities” and federal agencies to report significant cyber incidents and ransomware payments to the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the incident (and within 24 hours of a ransomware payment being made).
- Better Cybercrimes Metric Act calls for the Department of Justice (DOJ) and National Academy of Sciences to jointly develop a cybercrime taxonomy for improving tracking and analysis.
- National Cybersecurity Preparedness Consortium Act of 2021 allows the DHS to collaborate with nonprofit entities for designing and implementing cybersecurity training in support of homeland security.
- State and Local Government Cybersecurity Act of 2021 establishes a collaborative relationship between the Department of Homeland Security (DHS) and state, local, tribal, and territorial governments, as well as with corporations, associations, and the general public, for driving cybersecurity education, proactive and defensive security, incident response, and more.
Federal legislation on deck for enactment in the near future includes the Intergovernmental Cybersecurity Information Sharing Act, DHS Roles and Responsibilities in Cyber Space Act, and Cybersecurity Grants for Schools Act of 2022.
The list above, of course, doesn’t include numerous, similar legislative initiatives already in flight around the world!
This Trend Is Not Your Friend
The quick takeaway is that this legislative trend is shining a bright spotlight on crowdsourced cybersecurity. Why? Because this trend’s emphasis on proactivity and measurement will influence how cybersecurity strategy is designed and implemented across organizations of every size, type, and industry. And that strategy will create burdens for which few security teams are resourced.
A key part of many of these legislative requirements is to first understand and quantify risk across the attack surface, which for most organizations is now exposed in complex ways that can be hard to grasp. And there is simply not enough hireable talent in the world to meet that goal, much less to remediate the associated risks, especially when challenging assets such as APIs, IoT devices, cloud infrastructure, and Web3 are involved.
Fortunately, crowdsourced cybersecurity is here to help solve that problem (among others)!
Crowdsourcing Do’s and Don’ts
Crowdsourced cybersecurity brings a lot of value to this challenge in theory, but in practice, you have to be thoughtful about your approach:
- Don’t treat crowdsourcing like a consulting project, or use narrow, purpose-built tools (e.g., just for bug bounty).
- Do use a SaaS platform that brings crowdsourcing to multiple security workflows, and layers them for maximum risk reduction.
- Don’t rely on solutions that count on the same leaderboard over and over to deliver results.
- Do rely on one that activates the right crowd for your needs, at the right time.
- Don’t rely on solutions that treat every vulnerability as if they’re seeing it for the first time.
- Do rely on one that has access to rich, historical data to add context for prioritization and remediation.
Don’t let government mandates catch you flat-footed. The Bugcrowd Security Knowledge Platform™ delivers all the “do’s” above, and more. Read our platform ebook to learn more!