It May Be Voluntary, but NIST Framework Is a Crucial Cyber-Security Tool

Even as the businesses world battles a daily barrage of cyber-threats, no shortage of guidance exists for how they should protect themselves. Despite the abundance of IT security frameworks out there, the attacks keep on coming and companies are continually asked to do even more.

The most notable framework in 2014 has been the National Institute of Standards and Technology’s proposal, released in February. This time, however, efforts to study and implement it feel a bit different.

To understand what the NIST Framework is, it helps to first understand what it isn’t. It is not a list of written-in-stone demands; it is not a check-the-box compliance exercise, nor even very rigid in its objectives. Rather, the framework—developed over two years with input from more than 3,000 business leaders and IT experts—is a collection of voluntary protocols aimed at “critical infrastructure sectors” as defined by the Department of Homeland Security: chemicals, water treatment, telecommunications, energy, and banking.

The framework is not very technical, either. Weighing in at a mere 17 pages (after slicing out appendices and such), it is written in plain English that any non-technical business leader can understand. “NIST has done a good job of distilling this whole broad and deep arena of cyber-security down to five words: identify, protect, detect, respond, and recover,” says Randy Sabett, vice chair of the law firm Cooley’s privacy and data protection practice group. “These are things which just about any audience can comprehend.” Each of these categories is mapped to specific tasks and business practices.

“In a sea of ways to measure security programs, NIST brings relative simplicity, comprehensiveness, and clarity to a very important question,” David Burg, PwC’s global and U.S. advisory cyber-security leader, says. “It is going to increasingly become the security standard by which companies will measure themselves.”

Sabett likens the NIST framework to a greatest hits compilation of other IT and cyber-security frameworks, such as COBIT, SAS, COSO and ISO 27001. “It is more a repackaging of a lot of what is already out there, and taking it to a different level,” he says.

Companies are already using the NIST framework to tie together existing regulatory demands and industry standards, says Rene Moreda, director of business development for the energy and utilities sector at BAE. “They are mapping industry requirements to the cyber-security framework and leveraging the framework as a complement to the regulations.”

Making It Work

Implementation of the NIST framework is meant to be fairly straightforward. It is best viewed as a shift from reactive compliance to proactive risk-management standards, Burg says. Building upon leading practices from various standards bodies, it is meant to evolve in step with changes in cyber-security threats and solutions. The objective is to steer organizations towards an assessment of their current capabilities and deficiencies, to craft a prioritized roadmap toward improved IT security practices.

Moreda sums it up: assess your current risk assessment, create a target profile of where your security needs to be, determine gaps between the two, and develop an execution plan based upon those gaps.

“NIST has done a good job of distilling this whole broad and deep arena of cyber-security down to five words: identify, protect, detect, respond, and recover.”
Randy Sabett, Vice Chair of the Data Protection Practice Group, Cooley

“What is your company doing to manage cyber-security? You need to look around and see what the standard of care is today, because what it looks like today is different than what it looked like a year ago, or 5 years ago, and it’s going to look different a year from now,” says Harriet Pearson, a partner with law firm Hogan Lovells. 

Sabett finds it helpful to slice the framework into 10 action items:

Create a governance structure

Research threats

Prioritize information assets

Perform a risk analysis

Create a security protection plan tied to a technology acquisition strategy

Engage third parties appropriately

Request regular updates and adjust accordingly

Test the response plan

Maintain appropriate insurance coverage

Provide regular cyber-security training for employees, vendors, and other third parties

“If you really want to move the needle with any kind of a business process transformation its fundamental you must have senior executive support,” Burg says. “When viewed properly, cyber-security is a strategic and enterprise risk management issue and ultimately sits with management, which is accountable to the board. We increasingly see boards ask questions like, ‘How do I gain comfort that what a manager is telling me is accurate?’ This conversation really pivots from being one that is purely about technology to one driven by business executives.”

FIVE FRAMEWORK CORE FUNCTIONS

The following is from the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cyber-Security.”
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cyber-security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome categories within this function include: asset management; business environment; governance; risk assessment; and risk management strategy.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber-security event.
The Detect Function enables timely discovery of cyber-security events. Examples of outcome Categories within this Function include: anomalies and events; security continuous monitoring; and detection processes.
Respond – Develop and implement the appropriate activities to take action regarding a detected cyber-security event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber-security event.
The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber-security event. Examples of outcome categories within this function include: recovery planning; improvements; and communications.
Source: National Institute of Standards and Technology.

“The question becomes how does the board and senior management confirm and assure themselves that they have done what they need to do to discharge their fiduciary duties,” Pearson says. “That is the $64,000 question.”

Burg suggests that, in addition to prioritizing risks, companies map those challenges to what’s important to the organization, such as the most profitable business lines. This can help balance security with those business needs. The goal, he says, is to “rapidly identify, respond, and recover without great damage being caused.”

As gaps are identified and mitigated, changes and improvements must be monitored continuously and assessed periodically, Sabett says, to be sure that expected improvements actually solve the problems intended. “You would be amazed at number of companies that don’t test their plans at all.”

Voluntary (for Now)

Businesses shouldn’t backburner the NIST framework because of its voluntary nature, experts warn. “Using NIST now and getting ahead of it could put the company in a much better position if and when the standard goes mandatory,” Burg says. He expects that, over time, its standards will find their way into regulatory examinations.

“The right way to think about this in my view is not whether it is voluntary or mandatory, but is it going to be influential,” Pearson says. “All indications are that it has already become influential and is only going to become more so.”

She notes that even though the framework was intended for the critical infrastructure industries, “it is portable” and already being used by many outside of those sectors.

“Even if they are not mandatory, these standards exist. If you don’t adhere to them and something goes wrong, I can imagine what your stockholders and customers will say, and when they say it may be in court in front of a judge,” says Samuel Visner, general manager for the business consultant ICF International’s cyber-security business.