(WASHINGTON, D.C.) – All or part of the below statement can be attributed to Larry Clinton, President and CEO of the Internet Security Alliance (ISA).
“Since the NIST Cybersecurity Framework (CSF) was released in 2013, ISA has been calling for it to fulfill the requirements set out in the Presidential Executive Order that generated its creation — that it be cost-effective, prioritized and supported by appropriate incentives. With the reformatted CSF v1.1, NIST has taken a significant step in that direction.
We see a fundamental shift in emphasis in the newest NIST proposal away from simply promoting an undefined notion of ‘use’ of the CSF toward the much more powerful concept of effective use of the Framework. This change of direction is critical if we are to maintain the vision of the Presidential Order, and the CSF itself, as a voluntary model for industry. Businesses are not going to adopt and continue to use the Framework’s standards or practices simply because a government agency says they exist. Businesses need to know these techniques are effective and cost-effective so they can prioritize their investments. This is impossible without metrics to judge cost-effectiveness.
The current CSF v1.1 proposal continues the enlightened process of blending government initiatives with private sector innovation to create a more sustainably secure cyber system. For example, since the unveiling of the original NIST CSF, the private sector has created a set of new analytical tools that can assist companies in measuring the impact of elements of NIST, including the economics of the benefit based on their unique threat posture, business plan, etc. NIST’s CSF v1.1 proposal moves away from the former notion of a generalized metric, which could be misunderstood as a regulatory template, and instead proposes a new process on metrics that emphasizes the private sector innovations and their application to unique circumstances.
The new CSF v1.1 also acknowledges that it is ‘critical to examine the effectiveness of investments … understanding the relationship between organizational objectives and supportive cybersecurity outcomes,’ and that such measurements are beyond the scope of the Framework. However, as we point out in our comments, this finding aligns almost perfectly with the principles for corporate boards on cybersecurity laid out in the National Association of Corporate Directors Cyber-Risk Oversight Handbook on cybersecurity. Moreover, PwC has found such uses generate tangible cybersecurity improvements, including increased budget, better risk management, and helping to create a culture of security.
Moving toward a practical, non-regulatory metrics model and aligning it with the innovations and associated work being done in the private sector is a significant achievement and we congratulate NIST for this progress.”
About ISA: The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA’s “Cybersecurity Social Contract” has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit www.isalliance.org or call 703-907-7090.