Why All Enterprises Should Adopt the NIST Cybersecurity Framework
More of our customers have become concerned about cybersecurity after 2014 — the year of massive data breaches. The Sony breach cost more than $100 million in total, the 2014 Target breach cost about $110 million, and the JP Morgan Chase breach cost $53 million.
To help businesses looking forward to the future of regulation and compliance, I’ve been spending hours going through the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Unlike the other standards out there, the NIST Framework combines the best parts of existing assessments, regulations, and standards into one actionable reference guide.
While it was created for critical infrastructure — banking, transportation, oil and gas, defense, and so on — the Framework is applicable to most organizations and is easy to apply to any of them. Cybersecurity compliance is a shifting target, sometimes lost in the sea of policies, audit checklists, and compliance standards. The NIST Framework offers a useful single reference from which organizations can build their own cybersecurity best practices.
Before the NIST Framework, the cybersecurity standards for regulated industries offered competing priorities, opinions, and processes. The intended outcome was the same: protect sensitive data and ensure organizations are not liable in the case of a data breach. Why not combine efforts and broaden the scope to all organizations?
A history — why we needed yet another standard
Presidential Executive Order (EO) 13636 kicked off the process of creating the NIST Cybersecurity Framework in 2013. The signed order called for improved cybersecurity for U.S. critical infrastructure. The order also specified that the Department of Homeland Security (DHS) would consolidate its authority over security while very actively involving private sector subject-matter experts and private companies to develop the Framework.
The NIST Framework signifies an industry shift from traditional audit-focused policies toward a risk-based approach. Traditional procedures focused on audits, compliance objectives, policies, and transactions. A risk-based approach to cybersecurity instead focuses on business and customer outcomes, emphasizing proactive risk management over reactive compliance tracking.
I believe the NIST Framework is an important advance in improving our cybersecurity. Why? While it is yet another, redundant standard, it combines the authority of hundreds of U.S. governmental agencies and regulatory authorities. The Framework is not a checklist but a process for organizations to assess or update their risk-management approach to defense in depth.
The NIST Framework covers a wide range of industries and potential risks, so it is an excellent jumping-off point for establishing an organization's own internal cybersecurity standard.
As more organizations consider and move to cloud, IT teams will need a guide to cybersecurity that works to both secure critical systems and pass industry standards. The NIST Framework can help teams get started, but all organizations deserve to have clear guidelines and advisors who value a practical and honest approach to security.