A new member of my organization, Kent Landfield, led the McAfee delegation working on the NIST Cybersecurity Framework. Here is Kent’s response to the process and the product:
This week the National Institute of Standards and Technology (NIST) presented the White House with its Cybersecurity Framework, intended to reduce the cyber risk to the nation’s critical infrastructure, as called for by the President’s Executive Order 13636 issued a year ago. This collaboratively developed, completely voluntary framework is designed so that organizations – especially those providing critical infrastructure – can better assess and bolster their cybersecurity.
As both an active participant in the framework development process and someone who’s worked with government for many years, I can honestly say I’ve rarely seen an effort that’s been as open, collaborative and consensus-based as this one. Rather than coming in with pre-conceived plans, NIST started this initiative from the ground up, seeking industry’s perspectives and learnings from the beginning. Industry really drove this process, which is as it should be because it’s industry’s responsibility to secure most of the nation’s critical infrastructures. The folks at NIST deserve a tremendous amount of credit for managing this massive amount of collaboration – five meetings in five different cities and thousands of pages of comments – in a relatively short time.
While the product is called a framework, it’s actually a tool: a tool that allows organizations to rank and rate their security posture across the tiers for all the outlined functions, categories and sub-categories. If they’re honest with themselves, organizations should end up with a useful picture of where they are security-wise. The tool then helps them improve their security programs, security practices and technology environment by using the same mechanism to identify where they want to be. The delta between the two provides a means to identify a roadmap for improvement. It also serves another key function, and that’s communication.
To the extent the cybersecurity framework becomes a tool for translating cybersecurity into common language, it will be a tremendous success. We have never had a language to communicate cybersecurity in a way that technologists as well as executives and board members can equally understand. This is important in and of itself, because C-suite executives can’t manage risk if they don’t explicitly understand what the risks are. The framework that industry and NIST have developed should enable conversations and dialogues followed by appropriate risk-based decisions.
And if organizations use the cybersecurity framework as a tool, they will improve; there’s no question about it. The framework lays out a clear five-step process: identify, detect, protect, respond and recover. Most small and medium-sized businesses should proceed in that order and not think about jumping from “identify” to “respond.” The identification stage is very important, and organizations should feel comfortable starting with exactly that. Each business will make its own decisions about what is important: what systems and data can incur the least or most amount of cyber risk. Having made those decisions, they can proceed further.
Will the Administration do even more to facilitate organizations’ cybersecurity readiness? Our understanding is that it will, and we look forward to those efforts. But we shouldn’t lose sight of the significant accomplishment we have right here in front of us. The nation now has a tool for organizations to assess their own cybersecurity positions, and this will help them understand – and communicate – their areas of strength and weakness. The Administration has facilitated this process in a way that incorporated the talents of the public and private sectors, has steered clear of regulation, and has produced a common roadmap for moving forward. Yes, there’s much more work to do, but we should be mindful of the success we’ve had to this point and not take it for granted. To everyone who participated, well done!