A look inside the NIST Cybersecurity Conference
In November, we sent two of our Security Analysts to the NIST Cybersecurity conference in Boston. Anirudh Nadkarni told me that the conference had “a mix of speakers from NIST and other working professionals from the Government and the private sector. They discussed real-time applications of the various categories of the framework.”
Since the conference was put on by NIST, most of it dealt with promoting the various frameworks. The NIST Cybersecurity Framework was developed in response to a call from the White House for a tool to assist businesses in mitigating their cybersecurity risk. NIST released the new version of the framework, V1.1, in April and reported that it has already been downloaded over 205,000 times. The previous version was downloaded only 262,000 times in four years.
“I learned that the [NIST] framework is extremely versatile and can be used in many different fields of business.” NIST released many new success stories to illustrate how diverse organizations use the framework to improve their cybersecurity risk management. These testimonials come from universities, hospitals and international companies. For example, the University of Pittsburgh explained that the NIST framework had streamlined their documentation process, increased awareness of security risks and compliance issues across departments, and centralized their security.
What should you know about the NIST Framework?
“There is a large number of subcategories within the NIST Framework; some of these subcategories relate specifically to fields of work/business,” said Anirudh. Some of the categories mentioned include risk management, data security, detection processes, communications, and recovery planning. There are 23 categories and 97 subcategories in all.
“One of the main benefits of NIST is that it can help streamline communication about cybersecurity for large organizations. One of the success stories discussed was a large Japanese communications company. The NIST framework assisted them in identifying weaknesses during acquisitions of English-speaking companies without the burden of the language barrier.”
The framework is voluntary, so each organization can implement it as they see fit. The framework core is designed to be intuitive, allowing all parties to use it whether they are technical or not. Organizations can use the process outlined to create a roadmap to address cybersecurity risk while observing best practices for regulatory requirements as suitable to their industry.
One step in your path to being cyber secure
“Implementing the framework is just a step towards compliance with any law or regulation or policy,” Anirudh reminds us. “Compliance is an ongoing activity that requires constant actions. Implementing a framework does not mean that your organization is compliant or secure. The framework should act as a foundation for cybersecurity, not an end-all solution. Companies that implement a NIST framework need to understand that risk is difficult to quantify. A breach of data has a different effect on the business (monetary, reputation, etc.) depending on the field. Even with a framework like this in place, risk analysis needs to be conducted on at least a yearly basis.”
By reviewing your risks at least annually, you are able to identify new gaps in your security and address them quickly and efficiently according to your existing policies and procedures. If an incident occurs, you can review and update your policies and procedures at that time as well. Organizations may find that hiring an outside consultant to perform their security risk analysis provides an unbiased perspective. It may also be helpful to have a consultant guide your implementation of the NIST Cybersecurity Framework so that you are comfortable with the process.
Ready to get started?