By Cohesive Networks COO Dwight Koop
More of our customers have become concerned about cybersecurity since 2014, the year of massive data breaches. The 2015 Ponemon Cost of a Data Breach Study, which looks back at 2014 data, puts the average total cost of a data breach at $3.79 million. The worst breaches cost far more once exposed data, lost business, system remediation, and legal liability are counted: the Sony breach is estimated to have cost more than $100 million in total, the Target breach (disclosed in December 2013) about $110 million, and the JP Morgan Chase breach $53 million.
To help our customers plan for where regulation and compliance are heading, I have spent hours going through the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Unlike the many other standards out there, the NIST Framework combines the best of existing rules, assessments, regulations, and guidelines into a single unifying cybersecurity reference.
While it was created for critical infrastructure (banking, transportation, oil and gas, defense, and so on), the Framework applies to most organizations and is straightforward to adopt. Cybersecurity compliance is a shifting target, easily lost in the sea of policies, audit checklists, and compliance standards, and the NIST Framework offers a single reference from which organizations can build their own cybersecurity best practices.
Before the NIST Framework — the fog of more
There are literally thousands of documented standards that cover topics from accounting to family privacy rights, from health records to electricity grid control cybersecurity risks. All these standards and protections essentially do the same thing. Imagine reading through the Health Insurance Portability and Accountability Act (or HIPAA to most), but replace any mention of “electronic health record” with “credit card information” and you might suddenly be reading the Payment Card Industry Data Security Standard (PCI DSS).
The Big 10 of the pre-NIST Cybersecurity standards should read like a familiar alphabet soup: CERT, COBIT, CSA, CSET, ISO, NIST 800, PCI, and so on. Working in security for regulated industries brings some familiarity with these rules and governing bodies. One of my favorite lines from my NIST reading was the description of pre-NIST standards as “the fog of more.”
Pre-NIST standards offer competing priorities, opinions, and processes, yet each attempts the same two things: protect sensitive data and ensure that organizations following the standard are not liable in the case of a data breach. Each one has its own pay-to-play certifications, software tools, vendor benchmarks, and all the trappings of stodgy cybersecurity officialdom.
A history — why we needed yet another standard
Presidential Executive Order (EO) 13636, signed in February 2013, kicked off the process of creating the NIST Cybersecurity Framework. The order called for improved cybersecurity for the nation’s critical infrastructure. It directed NIST to lead development of the Framework in consultation with private sector subject-matter experts and companies, and assigned the Department of Homeland Security (DHS) the supporting information-sharing and voluntary adoption program.
The NIST Framework codifies the move from traditional audit-focused policies toward a risk-based approach. Traditional procedures centered on audits, compliance objectives, policies, and transactions. A risk-based approach to cybersecurity instead focuses on the business and the customer, emphasizes risk management over compliance tracking, and incorporates diverse knowledge and experience.
The Executive Order also directed that the government increase information sharing, protect privacy and civil liberties, identify the infrastructure at greatest risk, and, of course, outline the need for additional government-funded research. Consistent with the shift toward risk-based standards, NIST brought in private sector consultants and experts, per the Executive Order. And fittingly, the politics of the Order and the Framework made sure to write in that adoption should be voluntary, with incentives, or, as we in the real world call them, regulations. But I digress…
Why the NIST Cybersecurity Framework works
I believe the NIST Framework is an important advance in improving our cybersecurity. Why? While it is yet another, redundant standard, it is a single unifying document. It carries the weight of an Executive Order and draws together existing standards from many U.S. government agencies and regulatory authorities. The Framework is a process for organizations to begin or update a risk-management approach to their defense in depth.
So no, the NIST Framework is not an in-depth technical solution to the cybersecurity mess. It does cover a wide range of industries and potential risks. It was written with large critical infrastructure operators in mind, such as nuclear facilities, global banks, and defense manufacturers, rather than small businesses, but I believe any organization can use the Framework as a jumping-off point for its own internal cybersecurity standard.
As more organizations consider and move to the cloud, IT teams will need a guide to cybersecurity that both secures critical systems and satisfies industry standards. The NIST Framework can help teams get started, but every organization deserves clear guidelines and advisors who value a practical and honest approach to security. That is why I am writing a white paper on the NIST Framework with seven actionable steps for applying the NIST Cybersecurity Framework to your organization. Stay tuned for updates.
[edit Aug 12, 2015: The white paper is out, with a customer use case. Read about our guide to the NIST Framework here: cohesive.net/nist and check out the ongoing series on cybersecurity on Medium: https://medium.com/cybersecurity-war-stories ]
By: Margaret Valtierra