Checking in on the NIST Cybersecurity Framework

A year after its introduction, the NIST Framework for Cybersecurity sees support and speculation.

Today marks the one-year anniversary of the release of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Anniversaries are good opportunities to reflect on the past and look ahead to the future, so let’s examine the Framework and its progress.

In the year the Framework has been out, it has received support across government and industry; its effectiveness also has been questioned by the same groups. The question we must ask ourselves is whether tools, such as the Framework, will ultimately help organizations improve their security postures and make it more difficult and expensive for attackers to identify and exploit weaknesses.

Those who feel the Framework falls short in its ability to make a difference in the cybersecurity war miss a few key points:

  1. The Framework is only one important component of a robust information security ecosystem.
  2. Due to the evolving nature of cyber threats, it is impossible to provide complete security of connected information systems. Our security systems must continuously evolve just as the threat and attack vectors evolve.
  3. The Framework helps organizations better understand their own unique risk and threat environments as well as prioritize cybersecurity activities suited to their individual situations.  This is especially important as critical infrastructure providers transition more customer services and control systems online.


From the perspective of CA Technologies, there has been significant progress in the way organizations think about cybersecurity. There is increasing awareness from the Board Level to the C-Suite to front-line technicians about the critical role cybersecurity plays in an organization’s overall risk management program. Cybersecurity is no longer just a concern of the organization’s IT department. It is now central to how a business operates. The Framework has created a common lexicon for all levels of an organization to communicate threats, risks, priorities, and action plans.

Organizations now better understand the costs of breaches, including direct costs, in terms of mitigation, and indirect costs, such as reputational harm. These potential costs provide a powerful market incentive to improve security. The flexibility inherent in the Framework allows these organizations to prioritize security decisions based on their own unique assets and risks, which will vary depending on the organization and its mission and market.

We are seeing different critical infrastructure industry sectors, including the telecommunications sector, the energy sector and others, work to align their own security guidance with the Framework. This not only allows organizations within sectors to use common Framework terminology, but also enables them to communicate in a common way using similar language with customers, suppliers and across sectors, which is crucially important given the global economy.

In addition, some state governments, including Virginia and Pennsylvania, have announced their intention to use the NIST Framework to guide their information security programs; federal agencies, including the Department of Energy, the Department of the Treasury and the Department of Commerce, and independent regulators, including the Federal Communications Commission and the Securities and Exchange Commission, have increasingly cited the terminology and security best practices of the Framework; and international governments, including the European Union and the UK Government, have embarked on initiatives to partner with NIST in promoting common international security standards.

Every breach that hits the news reminds us that we have a long way to go to improve our collective cyber defenses. The Framework establishes standards, guidelines and practices to promote the protection of critical infrastructure. However, it is important to note that the Framework has only been out a year, and that Congress just finalized legislation in December to codify the Framework development process.

Organizations are still analyzing the Framework to better understand how it applies to them. They are mapping their current security practices against the guidance of the Framework and are prioritizing action plans.  And they are communicating these plans with their Boards of Directors.  These are positive developments and demonstrate a commitment to address the critical issue of cybersecurity.

The corporate culture around cybersecurity is changing.  Government, academia and the private sector must continue to drive this change by raising awareness of the cyber threat environment and educating organizational leaders about tools such as the Framework.

Have you spoken to your CEO or board of directors about cybersecurity? What are their views? Leave me a comment below to share your experience.

As Director, Global Cybersecurity Policy and Strategy for CA Technologies, Jamie manages cyber security and…

