Internet Security Alliance (ISA) Comments to the National Institute of Standards and Technology on “Developing a Framework to Improve Critical Infrastructure Cybersecurity”

April 8, 2013

Current Risk Management Practices:

NIST solicits information about how organizations assess risk; how cybersecurity factors into that risk assessment; the current usage of existing cybersecurity frameworks, standards, and guidelines; and other management practices related to cybersecurity. In addition, NIST is interested in understanding whether particular frameworks, standards, guidelines, and/or best practices are mandated by legal or regulatory requirements and the challenges organizations perceive in meeting such requirements. This will assist in NIST’s goal of developing a Framework that includes and identifies common practices across sectors.

“Current Risk Management Practices” Section Questions and ISA Responses:

1. What do organizations see as the greatest challenges in improving cybersecurity practices across critical infrastructure?

ISA Response:

A. Research Consistently Shows the Biggest Challenges are Economic.

There has been a fair amount of research on the question of what is the greatest challenge to the improvement of cyber security, and the data points in one direction: the single biggest obstacle to cyber security improvement across critical infrastructure (and non-critical infrastructure) is cost. Among the empirical research that has documented this fact are the large-scale studies conducted by PricewaterhouseCoopers, CIO Magazine, and CSIS & McAfee.

Using an entirely different methodology, in 2009, the President tasked Melissa Hathaway together with members of the White House and the National Security Council to do a comprehensive assessment of the roles of both the public and private sectors in cyber security, which reported that “many technical and network management solutions that would greatly enhance security already exist in the marketplace but are not always used because of cost or complexity.”

Accordingly, the empirical finding that cost is the greatest challenge to securing critical cyber systems demands that a greater analysis of the economics of cyber security be completed. When advanced analyses have been done, they indicate that the issues that must be addressed to develop a sustainably secure cyber system go well beyond the laudable (but ultimately insufficient) attempt to promulgate a framework of standards as a solution to our cyber threats. (Click the link to read the whole filing)

| Downloadable Copy (PDF)