By Paul Christman, VP Federal, Dell Software
Just one year ago, we received an important new cybersecurity tool: the NIST Cybersecurity Framework, which NIST published in February 2014 in response to President Obama's Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
Its given name is the Framework for Improving Critical Infrastructure Cybersecurity. That's a mouthful, so we just call it the NIST Cybersecurity Framework.
The Framework is still in its infancy, but we're seeing it grow right before our eyes. It gives agencies a risk-based approach for building and improving cybersecurity programs, and it collects existing standards and best practices (its Informative References) in one place rather than inventing new controls.
Learning to Walk
But there is no one-size-fits-all solution for cybersecurity. To get the most out of the Framework, agencies must understand what is at the top of their agenda and what cybersecurity and IT challenges are unique to them.
Agencies have to crawl before they can walk.
While there may be some growing pains, steps taken now to follow the Framework will help agencies get up and running.
As many as 52 percent of Federal executives say their agency is the target of cyber intrusions multiple times each month or more, and 30 percent say they are a target multiple times each day, according to Dell-sponsored research by the Government Business Council (GBC). No agency can build a foolproof defense overnight, but the Framework can help organizations begin to see benefits quickly.
The Framework is not itself an assessment tool, but it helps agencies gauge their current cybersecurity capabilities and set goals for their future defense through three components: the Core (five Functions, Identify, Protect, Detect, Respond and Recover, broken down into Categories, Subcategories and Informative References), the Implementation Tiers (Partial, Risk Informed, Repeatable and Adaptive, describing how rigorous an organization's risk management practices are), and Profiles (a Current Profile of where the organization stands today and a Target Profile of where it wants to be; the gap between the two becomes the improvement plan).
NIST suggests four ways that an organization might use the Framework:
- Conduct a basic review of current cybersecurity practices
- Establish or improve a cybersecurity program
- Communicate cybersecurity requirements to stakeholders
- Identify opportunities for new or revised Informative References
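The "basic review" and "establish or improve a program" uses above both come down to the same exercise: record a Current Profile against the Core, write a Target Profile, and turn the difference into a prioritized plan. The following script is an added illustration of that gap analysis and is not code from the original article or from NIST. The subcategory identifiers (ID.AM-1, PR.AC-4, DE.CM-1 and so on) are real Framework v1.0 identifiers with paraphrased descriptions; the 0 to 3 implementation scale, the 1 to 3 priority weights and the sample scores are assumptions made for the example.

```python
"""Current-vs-Target Profile gap analysis over the NIST CSF Core.

Added example, not the article's or NIST's own code.  Subcategory IDs are
CSF 1.0 identifiers (descriptions paraphrased); the implementation scale,
priority weights and sample scores are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Core: subcategory ID -> (Function, Category, paraphrased outcome).
# Only a handful of the Framework's subcategories are included here.
CORE = {
    "ID.AM-1": ("Identify", "Asset Management", "Physical devices and systems are inventoried"),
    "ID.AM-2": ("Identify", "Asset Management", "Software platforms and applications are inventoried"),
    "PR.AC-1": ("Protect", "Access Control", "Identities and credentials are managed"),
    "PR.AC-4": ("Protect", "Access Control", "Access permissions follow least privilege and separation of duties"),
    "DE.CM-1": ("Detect", "Security Continuous Monitoring", "The network is monitored for potential cybersecurity events"),
    "RS.RP-1": ("Respond", "Response Planning", "Response plan is executed during or after an event"),
    "RC.RP-1": ("Recover", "Recovery Planning", "Recovery plan is executed during or after an event"),
}

# Implementation Tiers are an organization-wide statement of rigor, not a per-control score.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Assumed per-subcategory implementation scale used by the profiles below.
LEVELS = {0: "not started", 1: "partial", 2: "implemented", 3: "measured"}


@dataclass
class Profile:
    name: str
    tier: int
    # subcategory ID -> (implementation level, priority 1=low .. 3=high)
    outcomes: dict = field(default_factory=dict)

    def set_outcome(self, sub_id, level, priority=2):
        # Refuse identifiers that are not in the Core so typos do not silently vanish.
        if sub_id not in CORE:
            raise KeyError(f"{sub_id} is not a Core subcategory")
        if level not in LEVELS or priority not in (1, 2, 3):
            raise ValueError("level or priority out of range")
        self.outcomes[sub_id] = (level, priority)


@dataclass
class Gap:
    sub_id: str
    function: str
    current: int
    target: int
    priority: int

    @property
    def score(self):
        # Distance to the target, weighted by how much the organization cares.
        return (self.target - self.current) * self.priority


def gap_analysis(current, target):
    """Return the subcategories where the Target Profile exceeds the Current one, highest weighted gap first."""
    gaps = []
    for sub_id, (t_level, priority) in target.outcomes.items():
        # A subcategory absent from the Current Profile is treated as not started.
        c_level, _ = current.outcomes.get(sub_id, (0, priority))
        if t_level > c_level:
            gaps.append(Gap(sub_id, CORE[sub_id][0], c_level, t_level, priority))
    order = list(CORE)  # ties broken by Core order (Identify before Protect, ...)
    gaps.sort(key=lambda g: (-g.score, order.index(g.sub_id)))
    return gaps


def build_example():
    """Constructed sample profiles for a hypothetical agency (assumed values)."""
    current = Profile("current", tier=1)
    current.set_outcome("ID.AM-1", 1)
    current.set_outcome("PR.AC-1", 2)
    current.set_outcome("DE.CM-1", 1)
    current.set_outcome("RS.RP-1", 1)
    target = Profile("target", tier=3)
    target.set_outcome("ID.AM-1", 2, priority=3)
    target.set_outcome("ID.AM-2", 2, priority=3)
    target.set_outcome("PR.AC-1", 2, priority=2)
    target.set_outcome("PR.AC-4", 2, priority=3)
    target.set_outcome("DE.CM-1", 3, priority=2)
    target.set_outcome("RS.RP-1", 2, priority=1)
    target.set_outcome("RC.RP-1", 1, priority=1)
    return current, target


if __name__ == "__main__":
    cur, tgt = build_example()
    print(f"Tier {cur.tier} ({TIERS[cur.tier]}) -> Tier {tgt.tier} ({TIERS[tgt.tier]})")
    for g in gap_analysis(cur, tgt):
        print(f"{g.sub_id:8} {g.function:8} {LEVELS[g.current]:>12} -> "
              f"{LEVELS[g.target]:<12} priority {g.priority} score {g.score}")
```

Run as a script it prints the ordered gap list; the two unfinished asset-inventory and least-privilege items come out on top because they are both far from target and high priority, while PR.AC-1 (already at target) does not appear at all. Weighting is deliberately simple so the output can be argued over in a room; a real Target Profile would draw its priorities from the agency's own risk assessment rather than from constants in a script.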
A Good Education
A firm foundation for ensuring cybersecurity also starts with workforce education, and a common lexicon lets more employees collaborate and combat cyberattacks together. Enter the Framework. A common language "for cybersecurity will also enable security leaders to effectively communicate practices, goals, and compliance requirements with third-party partners, service providers, and regulators," according to PricewaterhouseCoopers.
Avoiding the Terrible Twos
NIST will continue to raise awareness of the Framework through partnerships with other organizations. A main priority will include developing and disseminating information and training materials to advance the use of the Framework.
The more the Framework is viewed as a collaborative endeavor that aligns business processes across industry and government, the more likely it is that organizations will embrace its risk-based approach.
Even though the Framework is just one year old and remains voluntary, there is a growing view that it is becoming the de facto baseline against which cybersecurity and privacy regulation is written. If adopted widely, it could shape how "reasonable security" is defined in law and what security requirements look like going forward.
It will be interesting to watch the Framework grow and see how it improves cybersecurity throughout industry in the years ahead.
Curious where your organization stands on NIST’s first birthday? Find out by taking our self-assessment survey.