The APQC Blog

Improving Cybersecurity and the Challenge of Implementing the NIST Framework

In an earlier blog post, Ed Perkins, the developer of the Certified Enterprise Risk Manager® - Cyber Security™ certificate, described the current cybersecurity landscape for industry and provided an overview of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. In this second half of APQC’s conversation with Perkins, he discusses how organizations can use the Cybersecurity Framework to address risk.

Learn more by viewing the webinar slides.

In your experience, have companies embraced the NIST Cybersecurity Framework?

Federal agencies, critical infrastructure operators, state and local governments, tribes, and those that interface with federal information systems are now starting to use the framework.  

As more systems interface with federal systems, we believe that there will be more widespread adoption, either voluntarily or through some form of statute or rule making.  The Cybersecurity Framework (CSF) process supports existing standards and practices so it is not so much learning something new, but rather learning the process and how to apply risk management practices to the design of cybersecurity systems. 

For example, the U.S. Department of Defense has announced it is adopting the CSF. One important aspect is that the framework has redefined the conversation about cybersecurity. Cyber insurance is becoming available; we expect to see cyber insurance policies relying on the CSF as a condition of underwriting. Also, the U.S. Securities and Exchange Commission is now requiring disclosure of operational (e.g., cybersecurity) risks by public companies. It may turn out that, over time, following the framework will help companies in this regard.

What are the challenges of implementing the NIST framework?

The framework, like most standards, is descriptive, not prescriptive, so the details of how to implement it are left to the organization to figure out. This is by design, since if the government had prescribed a set of cybersecurity practices, there would have been vigorous protests. In fact, prior to the president’s order, there had been yearly attempts in Congress to pass some type of cybersecurity legislation about data breach notification and sharing, but nothing was approved due to ideological differences about the various approaches.

The CSF introduces the concept of tiers and profiles, which are designed to allow an organization, after it assesses its cybersecurity risks, to decide the degree of rigor and sophistication it wishes to employ in its cybersecurity system, and to develop a plan of its current and future cybersecurity postures for various aspects of its operations. How to develop tiers and profiles, and what they should contain, is not specified in the CSF.

Included in the Presidential Executive Order creating the framework was a requirement for assessment of issues and barriers in voluntary adoption and analysis of what incentives might be offered and legislation might be developed if needed to address those incentives.

Many organizations have experienced data breaches in recent years. Do you see this framework as helping organizations provide security and resilience to their critical infrastructure?

Yes. The framework was developed by experts in consultation with experts. It defines a process for organizations to follow in developing cybersecurity systems. The process is top-down: it starts at the enterprise level and aligns with business objectives down to operations. Sometimes organizations believe if they focus on compliance, they have a cybersecurity system. But a cybersecurity system is much more than compliance. It needs to be more comprehensive. By requiring a risk-based approach, organizations following the framework should be able to take a more proactive, predictive, preventive, and preemptive approach to a more comprehensive cybersecurity system.  

What should companies consider as they think about potential cybersecurity risks?

Companies need to learn and practice risk-based decision making and risk-based problem solving when assessing cybersecurity risks. This requires some discipline to avoid decision traps such as biases and framing errors. Ask “what if?” Most organizations today run on their information systems and IT infrastructure. If that were compromised, everything could stop. Does upper management understand that? Have all the critical data been identified? Has who gets access to what information been reviewed? How about stress testing systems? How will ongoing monitoring and continuous improvement be implemented? How will it be assured that the system is working as expected?

Our mantra is “Everyone is a risk manager, and more importantly: everyone is a cyber risk manager.”