Posted by Sedar LaBarre and Marcia McGowan on February 11, 2014
For Booz Allen, February is a busy, exciting time of year because the firm sends many of its cyber and commercial staff members to participate in the annual RSA Conference as speakers or attendees. However, this February also marks the deadline for the NIST Cybersecurity Framework (CSF), which is one outcome of President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity. We expect the NIST CSF to generate many conversations during RSA, as CISOs at public companies and government agencies continue to think about how it applies to their organizations.
The discussion around how to create the CSF has been fascinating, and Booz Allen has joined the conversation because, as part of the defense and consulting industry, our firm also must consider how to use the CSF. NIST has used a very open and transparent process that not only built upon existing cybersecurity and critical infrastructure protection standards and initiatives, but also brought in new, creative ideas for improving cybersecurity. The CSF is a good start at providing all organizations with information on practices that should improve overall cyber hygiene.
As we think about the RSA Conference, we expect that many attendees will be wondering about what we like to call “CSF 2.0.” Certainly, more can be done to help organizations build a roadmap from the CSF to their cybersecurity goals and determine if their practices are effective. The CSF’s usefulness greatly depends on each organization’s operating environment, risk profile and resources, and organizations will derive different benefits from the CSF, such as using it as a guide to develop an inaugural cybersecurity program, identifying potential areas for improvement in existing cyber risk management plans or integrating the CSF taxonomy to better communicate with vendors and third parties.
We will see some industries move quickly to use the CSF, while others will be more deliberate in their pace as they consider the return on investment and its cost-effectiveness. Some organizations with a long history of investing in cybersecurity are expected to be early adopters, while others that are only now committing resources to mitigate cyber risks may be slower to use the CSF. Most industries are looking for more evidence that incentives for using the CSF will exist, and we are only now starting to see them appear. For example, some cyber insurance providers are requiring proof that organizations have certain programs and capabilities in place before offering coverage.
While “CSF 2.0” is likely to be quite different from the initial publication, what is clear is that use of the CSF should not become a check-the-box exercise. We can’t afford another set of standards that push us towards that. Security must go beyond compliance and certification, and the CSF is one of many resources that organizations should use to achieve their goal of improving cybersecurity and managing cyber risk as a part of overall business risk. Booz Allen expects more dialogue – throughout all of the RSA Conference – on how the cybersecurity community can bridge the gap between fast-changing technology and risk management so organizations of any type or size in industry and government are prepared for the ongoing waves of cyber attacks.