In part one of our exclusive interview with Patrick Gallagher, Director of the Department of Commerce’s NIST, he provides us with an overview of the cybersecurity framework that he is heading. The framework is based on public and private best practices, as directed by President Obama’s executive order. In the second half of this interview, we discuss mandated standards versus a voluntary framework, educating organizations about gaps in their cybersecurity, and securing buy-in from senior decision makers.
Q: Currently, the framework is voluntary. Wouldn’t mandated standards or best practices be more effective?
A: Not necessarily. The U.S. system of voluntary standards works because businesses have a stake in developing them, and they work together to ensure the standards are aligned with business needs and processes. As an example, most product safety standards in the United States are fully managed by industry. We’ve seen that industry is quite capable of adopting muscular conformity assessment tools to assure themselves that they are complying with their own standards and protocols – addressing performance issues themselves.
Fundamental to the approach of the framework is maintaining the ability for our U.S. companies to be competitive worldwide and to ensure that this framework can be accepted globally. While all governments have an interest in protecting their citizens, they also have an interest in avoiding fragmented and unpredictable rules that frustrate innovation, the free flow of information, and the broad commercial success of the online environment. Businesses know their needs, know their technologies and challenges, and are in the best position to solve these challenges. Our role is to bring everyone together to facilitate the conversation.
Eventually, we want industry to take ownership of the framework and update it themselves, ensuring it will be dynamic and evolving with the threats. If they identify areas where new or improved standards are needed, NIST is here to support the technical quality of those standards.
Q: If the status quo is based on voluntary adoption of standards and best practices and there are many current gaps in protection from cyber attacks, how will NIST issuing this new framework spur increased voluntary compliance and implementation of these techniques?
A: The initial framework will have two characteristics: it will show us where we have a good base of existing standards and best practices, and where we have gaps. This process is revealing those gaps and bringing industry together to agree on how to prioritize them, so the framework will provide an action list for the future. If we can call attention to the gaps and get industry working on them together, that’s a powerful outcome.
The framework needs to be an ongoing, industry-intensive effort to ensure it keeps up with changing technology and changing threats, and aligns with business needs and practices. If good cybersecurity performance becomes equivalent to good business, industry will use it. It is becoming much clearer that this is an issue that affects their bottom lines, their global competitiveness, and in some cases, their very ability to operate.
Q: How will the framework help companies ensure their senior leaders are fully aware of their organization’s cyber risks and how they are managed in relation to their overall risk environments?
A: At our July workshop, we gained consensus for including in the framework a section for senior executives and others on using this framework to evaluate an organization’s preparation for potential cybersecurity-related impacts on their assets and on the organization’s ability to deliver products and services. By using this framework, senior executives can manage cybersecurity risks within their enterprise’s business plans and operations. I don’t underestimate the importance or the magnitude of the task in raising awareness among the most senior executives across many sectors, and this will require a sustained communications effort that many stakeholders will need to carry out in conjunction with release of the framework.
Q: Anything else to add?
A: Developing this Cybersecurity Framework is a difficult, complex task. We need the full support and participation of all sectors of business and industry providing critical infrastructure to do this right.
Even if a company or other organization has not been involved in this process so far, I invite them to look hard at their own cybersecurity best practices and protections and see what they may have to bring to the table. Then let us hear about them, and consider joining us in Dallas in September. Our economy – and our overall security – depends on reliable, secure cyber systems. Help us to make this framework as useful as possible and we’ll all benefit.