In the past, developing a cybersecurity policy and strategy for an organization involved digesting multiple standards, regulations and assessments. This usually meant deciding on competing priorities with the resulting strategy being compliance based. This was not only challenging but ultimately ineffective. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has changed that, with a single reference point focused on proactive, risk based information security.
Since 2014, massive data breaches have become a common feature of the news. The huge amount of money at stake – Sony’s was $100 million, Target’s about $110 million – means that more and more companies are taking their information security seriously. This also signals a future of increasing regulation and compliance issues for the organizations involved.
Writing for Information Security Buzz, Dwight Koop discusses the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Framework combines the best parts of existing assessments, regulations, and standards into one, actionable reference guide.
While technically this was created for critical infrastructure – banking, transportation, etc. – it is applicable to most organizations, and there aren’t many that won’t find this useful. Compliance in the world of cybersecurity is an ever-shifting target, and it is easy to become lost in a sea of policies, audit checklists, and compliance standards.
The NIST Framework is useful precisely because it offers a single reference for organizations to build their own best practices from. Before this, standards originating from regulated industries offered competing priorities, opinions, and processes. This became needlessly confusing to all those involved. If the outcome is essentially the same—protect sensitive data and ensure organizations are not liable in the case of a data breach—then why aren’t all the efforts combined and the scope broadened to include all organizations?
Why is another standard needed? The signed order EO 13636 kicked it all off. It specified that the “Department of Homeland Security (DHS) would consolidate its authority over security while actively involving private sector subject-matter experts and private companies to develop the framework.”
The major aspect of this is that it signifies an industry shift away from the traditional audit-focused policies towards a more risk-based approach. A risk-based approach to cybersecurity focuses on business and customer outcomes rather than audits, compliance objectives, policies, and transactions. The risk-based approach emphasizes much more proactive risk management over the purely reactive compliance tracking.
The NIST Framework is an important advancement in improving cybersecurity standards. It combines the knowledge and authority of literally hundreds of US governmental agencies and regulatory authorities, yet it is not a checklist. It is an in-depth process to allow organizations to update their risk-management approach to information security.
This is more important as companies increasingly move onto the cloud. IT teams will need a guide to help them improve their standards, secure critical systems, and pass industry standards. The NIST Framework is the perfect way to get IT teams started, because all organizations deserve clear guidelines to enable a practical and honest approach to security.
Summary
- The NIST cybersecurity framework is designed to protect against small and large scale data breaches
- It combines current but disparate assessments, regulations and standards
- It is a risk based approach to data security
- NIST was developed for critical infrastructure but can be used by any organization
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”