The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its draft of a voluntary cybersecurity framework last Tuesday that provides a means to better evaluate cyber risk, and prepare better defenses against ever-increasing online attacks.
NIST’s “Preliminary Cybersecurity Framework”, to be finalized in February 2014 after a period for public comment, originated with Executive Order 13636 from President Barack Obama, which identified cyber threats to critical infrastructure as “one of the most serious national security challenges”. The Executive Order specified that NIST should produce a framework document. The new framework sets out specific steps and best practices for organizations of all sizes so they can better protect the country’s critical infrastructure.
However, protecting the country’s critical infrastructure isn’t the only use of this Framework. With the pervasiveness of cyber-threats to a company’s information assets, officers and directors of companies who rely heavily on those assets have a duty to protect them. The challenge is that while the security knowledge domain is fairly mature and robust, that knowledge domain is normally not in the Board or C-Suite. Consequently, it is difficult for business leaders and management to effectively understand what risks they face and how they might be able to mitigate them.
The government’s document sets out a risk-based approach to understanding and mitigating cyber-threats. IT starts by outlining five basic functions for security strategies: identify, protect, detect, respond, and recover. This serves as a model that companies can use to tailor to their own, more specific cybersecurity response strategies. The framework sets out standards and best practices at a high level, but it remains up to companies and their cybersecurity teams to create their own risk profiles and determine what are the gravest threats they face.
The framework is a good start. In structure, it resembles other business oriented risk matrices. The framework is broken into a “Core” (the desired outcomes of any strategy) a “Profile” (a means to describe the current state of the strategy, and the desired target state – thus allowing for an easy gap analysis), and “Tiers” (a description of the maturity level of the strategy). These three components of the framework give a common language for non-security business leaders to discuss and address cybersecurity.
The framework does have some limitations. Currently, the content which comes bundled in the framework doesn’t fully explore the heavily interconnected nature of modern business and technology delivery models. Traditionally, business or technology delivery were “point-to-point” (e.g. you bought a computer, or you received a service from, *a* company. You knew who you were dealing with at any given point in a transaction). Now, most businesses have a multi-layered delivery model – even for hard goods like phones and network gear.
Consequently, supply-chain management is much more a risk vector than it has been in the past. Any security framework will need to recognize this ecosystem and provide techniques to deal with it. At present, additional content will need to be added to the Framework to take into account the non-linear and multi-layer delivery models of a public or hybrid cloud service provider.
Regardless, the Framework gives a good starting point for a “management-friendly” tool to attack the risks inherent in the information age. Historically, an “ideology of plausible deniability” seemed to be the norm in board rooms. This is no longer the case. The minimum standards of care established by the government’s plan help show that information security is a risk that needs to be managed just like financial reporting. At the end of the day, this may lead to an increase in class actions against companies over their real or perceived cybersecurity shortcomings. It is not merely an issue left to the folks in IT – it is now a Board responsibility, and this Framework actually does provide a good starting point for the Board to take up that responsibility.