Even though adoption of NIST’s cyber security framework for critical infrastructure providers is currently voluntary, CIOs who opt to apply it to enterprise risk management practices may improve their ability to calibrate not just their organizations’ cyber risk, but also business risk more broadly, while more efficiently allocating the information security budget.
On February 12, 2014, the National Institute of Standards and Technology (NIST) released its “Framework for Improving Critical Infrastructure Cybersecurity,” a comprehensive approach to managing cyber security risk, aimed at critical infrastructure owners and operators.
The framework, which builds on existing standards, guidance, and industry-leading practices, was developed by NIST in response to President Barack Obama’s February 2013 executive order, “Improving Critical Infrastructure Cybersecurity.” Critical infrastructure comprises a range of industries, including power and utilities, financial services, telecommunications, chemicals, and food and agriculture. The number of cyber attacks in these sectors has risen in recent years (in some cases dramatically), and the threat facing them is documented in numerous reports, from the U.S. House of Representatives’ Energy & Commerce Committee’s “Electric Grid Vulnerability” report to Deloitte Touche Tohmatsu Limited’s 2012 Global Financial Services Industry Security Study.
Carey Miller, a director with Deloitte & Touche LLP’s Cyber Risk Services practice, says NIST’s cyber security framework proposes dramatic changes to the way some critical infrastructure companies currently measure and manage cyber security risk. “Where some approach it primarily from a technology perspective, the framework encourages organizations to look at cyber security risk across the people, process, and technology dimensions of their enterprises, just as they would with financial, safety, and operational risks,” she says.
Although critical infrastructure owners and operators are not required to adopt the NIST cyber security framework, those who do stand to benefit. Implementing the framework should give them a clearer idea of their cyber risk profile, according to Miller. Armed with that knowledge, they may make more informed risk management decisions and proactively identify the steps required to reduce threats and achieve their cyber security risk management goals.
Moreover, by identifying a company’s cyber risk profile, the framework can help elevate the issue of cyber security to the CFO, CEO, and board of directors, adds Miller. “The framework is intended to illuminate comprehensive cyber impacts; not just technical, but the legal, operational, and financial implications of critical infrastructure companies’ cyber security posture—top of mind issues for boards and CEOs,” she says.
JR Reagan, a principal with Deloitte & Touche LLP’s Cyber Risk Services practice, says adopting the NIST cyber security framework may even help companies better manage their legal exposure. “In the event an organization that adopted the framework experiences a breach, the organization ought to be better positioned to demonstrate 'due care,' that it made a good faith effort to implement the framework and its industry-leading cyber security practices and guidelines,” he says.
Given the framework's potential benefits, Miller and Reagan believe critical infrastructure companies should adopt the framework, and they recommend actions CIOs can take now to begin aligning their organizations’ cyber security risk management practices with it.
Conduct a self-assessment. The framework highlights five high-level cyber security functions (identify, protect, detect, respond, and recover), along with a variety of related practices and activities divided into categories and subcategories, respectively. For example, the “Protect” function includes the categories of access control, awareness and training, data security, and information protection. The subcategories associated with data security, for example, include confirming data at rest is protected, data in motion is secured, and assets are formally managed throughout removals, transfers, and disposition.
Since most critical infrastructure providers are likely to follow at least some of the prescriptions within the various functions, categories, and subcategories, CIOs can start by identifying the elements of the framework their organizations already follow and the areas where they need to shore up their capabilities, according to Miller. “Organizations should have at least basic capabilities implemented in each function, category, and subcategory,” she says.
A self-assessment can help companies identify and prioritize gaps in their cyber security risk management practices. It also positions them to better grasp their current risk profile and zero in on actions that will help them reach their desired state.
Build consensus. In parallel with the self-assessment, CIOs can promote adoption of the framework inside their organizations by tying it to their enterprises’ existing business and cyber security risk management programs, according to Reagan. “The NIST cyber security framework is intended to complement, rather than replace, an organization’s existing risk management practices,” he says. “Leveraging it alongside the risk management program approved by the C-suite and board can facilitate adoption.”
Reagan adds that the C-suite and board of directors will want to know how the framework can reduce their organizations’ risk and if it can be accomplished cost effectively—two questions essential for CIOs to answer. “The detailed approach to risk management that the framework offers can help companies proactively monitor, identify, assess, and respond to cyber security risks,” he says. “Adopting the framework may, in fact, lead to more effective cyber security spending because it gives companies a risk-based mechanism for making cyber security decisions and prioritizing investments.”
Focus on continuous improvement. The NIST cyber security framework lays out four implementation “tiers” that describe the degrees of rigor and sophistication associated with an organization’s risk management practices. The tiers include “partial,” where an organization manages risk in an ad-hoc and reactive manner; “risk informed,” where an organization understands cyber security risk but lacks an enterprisewide approach to managing it; “risk informed and repeatable,” which applies to enterprises with a formal, integrated approach to cyber security; and “adaptive,” where an organization has an enterprisewide approach to managing cyber security risk that it continuously improves based on lessons learned and predictive indicators.
“Implementing the NIST cyber security framework isn’t a ‘check-the-box’ exercise,” says Reagan. “It’s intended to help organizations reach their desired level, then keep improving.”
Collaborate with industry peers. Working with industry colleagues and government organizations can help CIOs anticipate and understand emerging cyber threats. “Many companies share cyber threat information through informal networks and regular meetings,” says Reagan. “Establishing those lines of communication is essential to a CIO’s ability to peer over the horizon, anticipate the next threat, and formulate a response.”
To that end, he recommends companies consider participating in information sharing and analysis centers (ISACs). Reagan acknowledges that ISACs have been more successful in some industries, like financial services, than in others. For industries where ISACs have less traction, Reagan suggests companies give them another chance and try to make them more effective. ISACs that serve state and local governments are also emerging.
*****
Miller believes the cyber security framework provides critical infrastructure owners and operators with an unprecedented opportunity to begin speaking the same language about cyber risks and begin using a common mechanism to address them. “The potential benefits of adopting the framework should outweigh the costs,” she says. “From elevating the topic of cyber security to the board to having a risk-based mechanism for prioritizing security investments, there are countless ways critical infrastructure companies can realize its value—all while bolstering national security.”