Putting the NIST Cyber Security Framework to work
Market forces and the fear of liability may ultimately make the voluntary guidelines the de facto standard for public- and private-sector cybersecurity.
Cybersecurity is essential to the nation’s economic health, its critical infrastructure and its national security. It must, therefore, be a priority for the next chief executive and commander in chief of the United States.
It’s no surprise, then, that a number of technology industry associations recently issued an open letter to the 2016 presidential candidates stressing the need for the federal government to continue advancing cybersecurity by leveraging best practices that have proven effective within the private sector.
One of the key recommendations for our next president is to focus on risk management in cybersecurity, which involves identifying, evaluating and either accepting or mitigating uncertainty in security decision making. Risk management enables organizations to make effective cost-benefit choices about how best to defend their information systems.
Last January, I testified at a U.S. House of Representatives subcommittee hearing on how the government can learn from the best private-sector cybersecurity practices. In my testimony, I emphasized that I don’t believe a mandate is the best way to get government IT managers to adopt best practices. Government should instead be encouraging and incentivizing security measures, a key component of which would be working with the insurance industry to jointly develop a cybersecurity risk management strategy, and to adopt the National Institute of Standards and Technology’s Cyber Security Framework (CSF) as a reference model for determining, underwriting and managing cyber risk.
Introduced in 2014 to help critical infrastructure organizations manage and reduce cybersecurity risks and to facilitate communications about cyber risks among internal and external stakeholders, the CSF assesses cyber risk in five distinct functional areas: assets and data inventory, protection mechanisms, detection capabilities, response capabilities and recovery procedures.
By implementing a set of best practices that allows for a wide range of security controls, the CSF elevates the importance of cyber risk management and the need to demonstrate due care and regulatory compliance. By creating a common vocabulary for risks and controls, the CSF has earned recognition from companies in many industries and has been adopted across the private sector for managing cyber risk.
By leveraging the CSF, the cyber liability insurance industry can better evaluate government agencies’ cyber risk postures, and in turn, lead them to cybersecurity best practices. In fact, my company has already been working with several major cyber liability insurance carriers and brokers to help them adopt the CSF for use in their insurance application and underwriting process. The risk scoring that we’ve developed, based on the CSF, will lead to a more accurate understanding of risk by industry and may eventually help establish a repository for cyber liability actuarial data.
Some of the aspects addressed in our risk scoring methodology include:
- Demographic information, including industry affiliation, type and quantity of sensitive data handled as well as other regulatory requirements and compliance status.
- Controls attestation, determining which controls, and combinations of controls, are in place and ensuring that there is adequate coverage and balance across the five CSF functional groups and their associated categories and subcategories.
- Artifacts that provide evidence that controls are in place, such as evidence that disaster recovery plans and incident response plans exist and are being used.
As I testified to Congress, market forces and the fear of liability may ultimately make the voluntary CSF guidelines the de facto standard for demonstrating that organizations have exercised appropriate care to protect their own networks and data and those of their partners and customers.
It remains critically important that government IT managers get a better handle on the complex process of cyber risk and compliance management. It is equally important that our next president continue to promote and lead the adoption of the CSF, which will increase the cybersecurity of all networks across all sectors in the United States.