The 'must haves' to make the Framework for Cybersecurity useful
Phillip Smith, senior vice president of government solutions, Trustwave
This month, the National Institute of Standards and Technology (NIST) is scheduled to release the first official draft of the Cybersecurity Framework. NIST produced the guidelines in response to President Obama's executive order issued February. The Framework consists of standards, methodologies, procedures, processes and guidelines designed to help businesses address risks and develop a plan to improve their security posture.
The goal of the Framework is laudable. The many news stories revealing company data breaches indicates businesses need a different approach when it comes to protecting valuable information. However, since NIST has no regulatory or statutory authority to enforce its use, the Framework must include specific information and guidance that business leaders will want to follow – information that is easy to put to use and indicates an immediate need for a thorough cyber security plan.
Making cyber security a top priority starts at the top. Until board members and executives view security as a real business issue, a voluntary framework will get little traction. How can the Framework encourage business leaders to make security a top priority? By including information that is relevant to their specific business. In the current outline, the guidelines appear to have an overarching view that any business should be able to use it. It does include a section that addresses the ability of organizations to pick which standards are the most relevant to them, however, NIST should go one step further and develop frameworks for specific industries. For example, draft guidelines that speak to business leaders in the financial, electricity and oil and gas industries. Compartmentalizing the industries will be more effective in getting the right people to pay attention since the information caters to their specific business.
Within each framework there should be information identifying weaknesses typically found in a business' security that needs remediation before it's too late. For example, according to the “2013 Trustwave Global Security Report,” the average time for a business to realize it had been breached was 210 days. Most victim organizations took more than 90 days to detect an intrusion, while five percent took three or more years to identify criminal activity. This is a major weak spot in security. As businesses continued their daily operations they had no idea criminals were stealing their sensitive, private information, as well as, monitoring and reading e-mails and virtually spying on employees. If they had technologies that identified an attack and immediately sealed the network stopping malware from spreading, or better yet, blocked malware from even entering into the network to begin with, the victim organizations would not have faced months of data loss and damage. It should reveal these types of weaknesses and others that business leaders may not even realize exist within their infrastructure. Additionally, it should also make recommendations regarding how business leaders can remediate the problem.
During the development phase, NIST should create a list of questions that bring to light essential elements of security that cannot be overlooked. Answers to those questions should be included in the guidelines to help business leaders as they structure their security plans. Questions should include - what are the most common security risks among businesses within that particular industry? What should business leaders do to identify those risks? How can business leaders measure the effectiveness of their current security plan? What actions should leaders take to minimize their business's risk and improve their security posture? How can businesses that provide critical infrastructure share security and risk information for the greater good, namely our national security? By answering these questions, the Framework helps businesses create a holistic plan that meets their security needs.
Finally, when developing the Framework, NIST should look at what is and is not working in regards to other industry security standards. PCI DSS, which mandates businesses that store, process or transmit cardholder data follow certain requirements in order to protect their customers' information from being stolen, is a good start and continues to incrementally raise the bar. However, PCI DSS is the floor, not the ceiling when it comes to security. The bar should be even higher for the Framework so that businesses understand the building blocks of an effective security plan, not just the base.Ultimately, it's tough getting people to follow a framework that is voluntary. Although if the Framework includes information and guidance that is easy to understand and relevant to business leaders, it may work. Either way, we appreciate NIST's efforts in making cyber security a front burner issue.