A report from the National Association of Corporate Directors (NACD) shows that a majority of board members are unhappy with how management teams report corporate cybersecurity risks. Undoubtedly, a driving force behind the board-level pressure is the alarming number of negative cybersecurity stories in the news.
Protecting Data or Protecting the Process?
The past two years saw massive breaches at Target, Sony, Anthem healthcare, and JP Morgan Chase. Shockingly, most of these organizations should have been compliant with some type of standard or security protection that requires IT teams to protect sensitive data. Yet the $162 million Target data breach shows that PCI compliance was not enough for the company in late 2013.
One of the most memorable comments from the documentation is the description of pre-NIST standards as “the fog of more.” That fog covered industry-specific standards with competing priorities, opinions, and processes. Standards in the U.S. alone offer thousands of options for certifications, proprietary software tools, approved vendor benchmarks, and all the trappings of stodgy cybersecurity officiousness.
In the last two years, we have seen a shift in companies’ needs. Whereas before they looked to implement documentation in order to pass compliance audits, now IT teams seek actionable cybersecurity plans that can prevent costly data breaches. As our customers have searched for security guidance and asked for practical advice, we have developed a white paper so any organization can use the NIST Framework for its cybersecurity needs.
Shift from Audit-Heavy Compliance to Risk-Based Security
There has been some positive cybersecurity news, though: the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Rather than focus on compliance tracking, the NIST Framework encourages IT teams to reduce risk and to incorporate diverse knowledge and experience. This shift from traditional audit-based standards toward risk-based prevention will catch on in the U.S., not just in the critical infrastructure segments covered by Presidential Executive Order (EO) 13636, but across the country and even the globe.
President Obama’s Executive Order directs the Department of Homeland Security (DHS) to “increase the volume, timeliness, and quality” of cybersecurity threat reporting to critical infrastructure. Two main mandates of the Order are for DHS and NIST to actively involve private-sector subject-matter experts and enterprises in the Framework’s development.
Organizations of all sizes and industries can use the Framework to assess their current cybersecurity capabilities, then use it to set goals for improving and maintaining security. Because it is an ongoing work of collective industry knowledge, the Framework has huge potential value for any organization looking to improve its cybersecurity.
Want to learn more about applying the NIST Framework to your security operations? Get in touch with the Cohesive team.
By: Margaret Valtierra