Five Things CSOs Need to Know About the First NIST Cybersecurity Workshop

President Obama recently issued a Presidential Executive Order on Cybersecurity (PO 13636), which sent a wave of buzz throughout the industry. I attended the first National Institute of Standards and Technology (NIST) request for information (RFI) workshop as a representative to begin developing the NIST cybersecurity framework for implementation.

There are three goals guiding this process, and over the course of the event we got a solid start toward achieving these deliverables:

1. Identify existing cybersecurity standards, guidelines, frameworks and best practices applicable to increasing the security of critical infrastructure sectors and other interested entities.
2. Specify high-priority gaps for which new or revised standards are needed.
3. Collaboratively develop action plans by which these gaps can be addressed. The development process for this action plan will have requisite stages for continuing engagement with the owners and operators of critical infrastructure and other industry, academic and government stakeholders.

Five Key Takeaways

What do NIST and a new framework for cybersecurity mean to the private sector? It’s a clear sign that cybersecurity has moved from obscure awareness to mainstream importance. This government mandate is reflecting the need to address vulnerabilities in our cybersecurity infrastructure—both in the private and public sector.

Below I’ve detailed five key NIST workshop takeaways for any CSO:

• Our approach to cybersecurity, risk and threat management must evolve to meet a heightened new “normal” for security challenges. Each organization needs to know their enemy, know the threat and be prepared to the meet the challenges of a mobile, always-connected workforce.
• We must change behaviors, actions and the way we define the problem. The new norm for cyber intrusions comes in the form of persistent threats and data theft. We need to examine and measure the threats, risks and the ultimate business value to understand the impact of this new paradigm.
• CSOs and CISOs are struggling with how to educate the executive suite about the problem. Internal communication and crisp messaging are paramount when explaining the need for protection (here’s a link a blog post with a few tips).
• This new framework is a down payment on the cybersecurity defense program. It needs to take into consideration both foreign and domestic needs.
• Public and private sector ownership is critical. As industry leaders, we own the problem and can make recommendations on the most effective standards.

Now that the April 8th submission deadline has passed, we will reconvene in subsequent scheduled working sessions. During these meetings, we will again roll up our sleeves and put these RFI session ideas into the actual cybersecurity framework.

Stay tuned for more insight on the NIST process. Feel free to reach out to me directly at csos@websense.com