This post is one in the “Rethink Cybersecurity” series.
Virtually any proposed solution to the cybersecurity problem that begins with the phrase “All you have to do…” is almost certainly wrong. Despite what some marketers of secret formulas and special sauce may claim, cybersecurity is a difficult problem to address sustainably. To address cyber risk, you need to deal with extremely complicated technical systems interfacing with even more complicated technical systems, all under constant attack by extremely clever, often very well-resourced and motivated actors who face little or no substantial risk themselves.
If cybersecurity were easy or generally profitable, the problem would already be solved.
For nearly a decade the US government has touted the NIST Cybersecurity Framework (NIST CSF) as the answer to most cybersecurity problems and made it the core of most government cyber regulatory structures. We at ISA have always been big fans of NIST, and especially of the process used to develop the Framework. In fact, the first public formulation of what has come to be known as the NIST Cybersecurity Framework can be found in ISA’s 2008 white paper “The Cybersecurity Social Contract,” which was also the first and most often cited source in President Obama’s signature policy paper “The Cyberspace Policy Review,” released by the White House in 2009.
While the NIST CSF is undoubtedly a substantial contribution to the field, its status as a panacea and its centrality as the key to government policy are overstated. Frameworks like the NIST CSF are a necessary but not sufficient part of an effective cybersecurity program. Yet “it’s easy, just follow NIST” is the implicit, sometimes explicit, message often delivered, along with the outdated assertion that simply following good hygiene (certainly a good thing to do) will provide security from harmful attacks.
In fact, exactly what it means to “follow NIST” has never been made clear. Indeed, NIST itself has staunchly refused to use terms such as “comply with” NIST, opting instead for the ambiguous “use NIST.”
Moreover, the government has resolutely refused calls to test the NIST CSF for effectiveness and cost-effectiveness, as was called for in Presidential Executive Order 13636, which gave rise to the development of the NIST CSF.
Meanwhile, independent studies have found little basis for the government’s claims regarding NIST CSF effectiveness. ESI ThoughtLab’s 2020 study found that only a minority (42%) of companies identified as leaders in NIST CSF compliance were also leaders in cybersecurity effectiveness. ESI’s statistical finding confirms what the study’s in-depth interviews revealed: “The numbers confirm what many CISOs know: Firms need to go beyond NIST and other frameworks to secure their enterprises from escalating cyber-attacks.”
The cybersecurity problem is not simple, nor is it the result of a lack of awareness; there is hardly an adult left who doesn’t know there is a cybersecurity problem. The lack of genuine understanding of this complicated issue is probably the bigger problem.
The assertion that better cybersecurity will make an enterprise more profitable, while touted by multiple vendors, has little empirical evidence to back it up; it is more wishful thinking than verified claim. In fact, with the cyber problem now decades old, it makes little sense to assert that cybersecurity is a profitable business decision in and of itself. If that were really the case, the world’s business community would have discovered it by now and responded by making their systems secure. The truth is, as we discussed in earlier posts, that much of digital economics is upside down. We can’t solve an economic problem with technical operational fixes alone, although they too are necessary. To truly address our ever-growing cybersecurity problem, we need a far broader understanding of the problem and a more far-reaching solution.