Keeping Up with Cybersecurity Framework
Organizations Fall Short on Achieving Framework's Goals
And that observation comes as some critics gripe that the framework is quite basic, too simple to effectively protect critical infrastructure. That's an arguable point, one that the framework's point man, Adam Sedgewick, disputes.
But even if it's too basic, many see great value in the framework, issued in February as a guide to critical infrastructure owners that they could voluntarily adopt (see NIST Releases Cybersecurity Framework). Are infrastructure owners adopting the framework? That's a question Rep. Jim Langevin, D-R.I., wants answered, and earlier this week he persuaded his colleagues in the House to support a survey of infrastructure operators to find out just that.
Where are most organizations failing to implement basic cybersecurity protections? PricewaterhouseCoopers identifies 45 IT security practices, policies and technologies that correspond with the cybersecurity framework, but in only seven of them had at least half of the respondents' organizations put the practice, policy or technology in place. The seven widely adopted practices, policies and technologies are:
- Including cyber-risks in enterprise risk-management programs;
- Adopting an intrusion detection system;
- Implementing account/password-management policies;
- Deploying an intrusion prevention system;
- Having a formalized plan outlining policies and procedures for reporting and responding to cyber-events;
- Devising a methodology to determine the effectiveness of security programs;
- Regularly monitoring, inspecting and comparing outbound network traffic against threat intelligence.
The areas where most enterprises fall short of the framework's goals include employing a chief information security officer, implementing a supply chain risk management program, deploying security information and event management technologies and monitoring employees.
PwC characterizes the framework as a tipping point in the evolution of cybersecurity, one that emphasizes and encourages a proactive risk management approach that builds on standards and compliance, and encourages its adoption as a key tool to manage and mitigate cyber-risks.
And, cyber-risk has a big impact on any organization's bottom line, requiring more than just technologists and IT security specialists to be engaged in safeguarding information assets. After all, without secure IT, no organization can function. When the White House unveiled the framework in February, it said the guide offers a way to better communicate to CEOs about how to manage cyber risks.
It's a point made by Shane Sims, a PwC principal, in an interview about its survey with Information Security Media Group. "CEOs and boards get involved and make this the priority, and they don't relegate it down in a way that makes it less important," Sims says. "... If the CEO treats it as a business risk, the risk management team will consider it that way, and it will become part of the strategy and begin to see the appropriate budget as well at that point."
In the interview, Sims also discusses:
- Eight cybersecurity issues that should concern all organizations;
- Threats posed by business partners and the supply chain; and
- Major cybercriminal threats posed by insiders.
With 27 years of experience in forensic investigation, cybercrime detection, national security and crisis management, Sims leads PwC's practice aimed at helping clients investigate active threats to information and infrastructure and develop strategies to protect them. Before joining in 2008, Sims served as an FBI special agent and supervisory special agent for 10½ years, investigating cybercrimes, acts of terrorism and economic espionage.
Correction: An earlier version of this story incorrectly said an amendment the House approved appropriated $5 million for a survey of infrastructure operators. According to Rep. Jim Langevin's office, the $5 million in the amendment was intended for the entire Office of Technology Evaluation at the Commerce Department's Bureau of Industry and Security, which would conduct the survey. The $5 million is "a placeholder, not a real dollar amount," a Langevin spokeswoman says.