NIST hosted a CyberSecurity Risk Management Conference from November 8th through the 10th. The event was expanded and improved from previous NIST workshops, which were more government focused. Thus for this conference, they wanted the same spirit of gaining stakeholder input on the frameworks and general cybersecurity areas, but with a much greater attendance and feedback from the commercial space. With almost 1000 people in attendance and a large percentage outside of the Federal government, it was mission accomplished! Here are a few of the highlights:
The CSF is Gaining Widespread Acceptance
Probably the biggest thing that jumped out right from the beginning was that NIST estimates that currently 30% of the private sector is using the NIST cybersecurity framework (CSF) and that’s expected to grow to 50% by 2020. That is significant since version 1 was rolled out just four years ago. Further evidence is that according to their website, in the first six months since version 1.1 was released in April 2018, there were almost as many downloads (roughly 205,000) as the total of version 1.0 in the first four years (262,000)! There were several global organizations with US interests that were either using or moving to use the standard. A representative from Japanese telecom giant NTT spoke about their country’s use of both the CSF as well as the National Initiative for Cybersecurity Education (NICE) to help address the gaps in process and skills that many Japanese companies are struggling with.
CMMi Still Rules
Another interesting note was that the majority of organizations were still using the CMMi maturity levels vs. the CSF implementation tiers. Ad hoc feedback was that executives were familiar with maturity and that there was a difficulty explaining the components (eg. partial, risk-informed, repeatable, and adaptive) that made up the NIST tiers. NIST sees the levels as a common set of target outcomes vs. maturity. The rationale being that the tiers are more focused on reducing cyber risk and including the benefits of a cost-effective process or solution. They provided a case study where these target outcomes were preferred since they allowed flexibility in the approach.
Supply Chain is “Sexy”
With the emergence of Operational Technology and the Industrial Internet of Things (IIoT), a theme that pervaded some of the speakers was that it’s imperative to view supply chain security as an essential component of cybersecurity. “Supply chain is sexy again,” Jon Boyers of NIST said. “It’s good to receive the attention because it’s a hard problem.” Everyone is part of and dependent on product and service supply chains. The commercial industry also refers to this as Third-Party Vendor Risk management, with multiple partners potentially having access to core operations of the business. It has become more about the flow of information being expanded than just the flow of goods and services. Thus, with information crossing many boundaries, it was a hot topic.
Privacy on the Horizon
Currently, underway is an effort to create a privacy framework. According to Naomi Lefkovitz, Privacy Program Lead at NIST, privacy risk management is “understanding what the relationship is between privacy and cybersecurity and when they differ, what that means for privacy risk management.” The idea is to have a privacy framework much in the same vein as the cybersecurity framework, but not have to redo efforts. Currently, privacy is on the security team’s shoulders in many organizations—at a minimum for funding—since much of the fundamental processes are reliant on the underlying security processes and the challenges therein. “Privacy by design” (which looks for privacy to be interwoven throughout the system development process) was a common refrain. Organizations must design, operate, and use technology, while protecting personally identifiable information (PII) and yet still gain the benefits from advancing technologies such as mobile, social media, IoT, and artificial intelligence.
Metrics and Measures are Still a Challenge
First, let me start with a quick background since there was a discussion on what these terms mean: NIST defines metrics as, “tools to facilitate decision making and improve performance and accountability. Measures are quantifiable, observable, and objective data supporting metrics.” In one of the breakouts, NIST is looking to potentially publish what to measure and how to make decisions on what got measured. It was a spirited debate that didn’t get very far. The last white paper from NIST on the subject was nine years ago, and it basically reviewed the problems with them, especially around selection, accuracy, and use. There was a lot of “it depends” in the session. What measures lead to better security? There are so many variables that this will be an interesting area to keep an eye on going forward to see how NIST will address this area.
It’s All Coming Together
There were certainly other topics that garnered significant attention, namely:
- Using FAIR (Factor Analysis of Information Risk) with the CSF
- Various industry perspectives and presentations
- NIST for small and medium business
- Breach response
- Risk Management Framework (RMF)
- Multiple Federal-centric discussions
It’s amazing how far NIST has come in making the framework(s) understandable and useful. One of the historic criticisms was that it was so thorough that it was virtually unreadable. The Cybersecurity Risk Management Conference, however, was a showcase for helping organizations of all sizes and flavors to better handle security, risk, and privacy.