The National Institute of Standards and Technology will this month release the first official draft of the Cybersecurity Framework produced in response to US President Barack Obama's executive order issued February.
The Framework consisted of standards, methodologies, procedures, processes and guidelines designed to help businesses address risks and develop a plan to improve their security posture.
It aimed to reduce the large number of data breaches but NIST had no regulatory or statutory authority to enforce its use.
Making cyber security a top priority starts at the top. Until board members and executives view security as a real business issue, a voluntary framework will get little traction.
The Framework can encourage business leaders to make security a top priority by including information that is relevant to their specific business.
In the current outline, the guidelines appear to have an overarching view that any business should be able to use it. It does include a section that addresses the ability of organizations to pick which standards are the most relevant to them, however, NIST should go one step further and develop frameworks for specific industries.
For example, draft guidelines that speak to business leaders in the financial, electricity and oil and gas industries. Compartmentalizing the industries will be more effective in getting the right people to pay attention since the information caters to their specific business.
Within each framework there should be information identifying weaknesses typically found in a business' security that needs remediation before it's too late. For example, according to the “2013 Trustwave Global Security Report,” the average time for a business to realize it had been breached was 210 days.
Most victim organizations took more than 90 days to detect an intrusion, while five percent took three or more years to identify criminal activity. This is a major weak spot in security.
As businesses continued their daily operations they had no idea criminals were stealing their sensitive, private information, as well as, monitoring and reading e-mails and virtually spying on employees.
If they had technologies that identified an attack and immediately sealed the network stopping malware from spreading, or better yet, blocked malware from even entering into the network to begin with, the victim organizations would not have faced months of data loss and damage.
It should reveal these types of weaknesses and others that business leaders may not even realize exist within their infrastructure. Additionally, it should also make recommendations regarding how business leaders can remediate the problem.
During the development phase, NIST should create a list of questions that bring to light essential elements of security that cannot be overlooked. Answers to those questions should be included in the guidelines to help business leaders as they structure their security plans.
Questions should include - what are the most common security risks among businesses within that particular industry? What should business leaders do to identify those risks? How can business leaders measure the effectiveness of their current security plan? What actions should leaders take to minimize their business's risk and improve their security posture? How can businesses that provide critical infrastructure share security and risk information for the greater good, namely our national security?
By answering these questions, the Framework helps businesses create a holistic plan that meets their security needs.
Finally, when developing the Framework, NIST should look at what is and is not working in regards to other industry security standards.
PCI DSS, which mandates businesses that store, process or transmit cardholder data follow certain requirements in order to protect their customers' information from being stolen, is a good start and continues to incrementally raise the bar.
However, PCI DSS is the floor, not the ceiling when it comes to security. The bar should be even higher for the Framework so that businesses understand the building blocks of an effective security plan, not just the base.
Ultimately, it's tough getting people to follow a framework that is voluntary. Although if the Framework includes information and guidance that is easy to understand and relevant to business leaders, it may work. Either way, we appreciate NIST's efforts in making cyber security a front burner issue.
