About ISA: The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA’s “Cybersecurity Social Contract” has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit www.isalliance.org or 703-907-7090.
WASHINGTON, D.C.) – The Internet Security Alliance and the FAIR Institute called on the National Institute of Standards and Practices (NIST) to convene a process similar to that which resulted in the creation of the NIST Cybersecurity Framework (CSF), but this time focusing on implementation of the CSF.
According to the joint filing, a useful outcome of the process would be integrating NIST CSF, launched in 2013, with subsequent work the private sector has developed since, including the Handbook for Cyber Risk Management created by the National Association of Corporate Directors, and the FAIR model, the standard quantitative model for information security and operational risk.
The joint filing suggests that, while the NIST CSF is a leading eff ort to advance enterprise cyber security, a new process
is needed to fulfill the requirements of Executive Order 13636 which gave rise to the CSF. In particular, the filing suggests the cost effectiveness of the CSF needs to be demonstrated. The ISA-FAIR Filing states: “No organization wants to be the victim of cyber attacks. Nonetheless, for the private sector—owning 80%-90% of cyber infrastructure and operating under a mandate to maximize shareholder value—the cybersecurity risk management calculus is inherently economic. If use of the CSF can be demonstrate d as cost effective, regulations will not be required. Organizations naturally do what is cost effective.
However, simply asserting that the CSF is cost effective is unlikely to persuade entities not using the CSF to adopt it.”
The filing cites research by the Conference Board, which describes how cybersecurity can be viewed as a pyramid, integrating board, senior management, and operational activities. Additional research by PWC is cited, illustrating how the NACD Handbook for corporate boards has genera ted successful cybersecurity change and how the FAIR model can be used to integrate economics into a risk management effort which is complimentary to the NIST CSF.
ISA and FAIR suggest a NIST process focused on CSF integration with these models could help build a sustainable cyber risk management program that is flexibly applied to individual entities with unique cyber risk profiles. While the filing acknowledges the difficulty in developing metrics for cybersecurity, it rejects the notion that such metrics are impossible, and cites their necessity:
“We will concede that just as absolute security will not be achieved, perfect measurements also will be elusive. This lack of perfection, endemic to all social sciences, is no excuse for not trying to dev elop a useful mechanism to assist organizations in applying elements of the Framework most useful and cost effective for their purposes. Developing this mechanism is critical for the maintenance of the voluntary model defined in EO 13636.”