Recently, there has been a lot of publicity regarding the new national cyber security plan and the billions of dollars pledged to its various parts, including the appointment of the United States' first ever federal chief information security officer (CISO). We understand in large part that the monies “pledged” are goals and aspirations. They are subject to the whims of Congress, which only begrudgingly passed CISA after seven painful years in 2015. Now let's be clear: large budgets are nice. They afford us a certain degree of flexibility insofar as our investment options are concerned. But large budgets aren't without their faults. Copious amounts of money can beget purchases that are sometimes not well thought out. Purchases that are wasteful. Purchases of equipment that are already out-of-date by the time they are built. Organizations must carefully select what to invest in these days, especially given the continuously evolving computer threat landscape. With that in mind, a discussion that revolves around your current cyber security posture is a great starting point for deciding where to allocate your budget. Some say they don't have time for conversation. To those who do, we urge you to make time. Reports note that cyber crime now costs the United States $445 billion per year. That's not an insignificant amount of money. With even a fraction of that amount, we could strengthen our universities' cyber security education and training programs and perhaps do away with our skills gap once and for all. Think of the possibilities. Clearly, organizations need to work towards limiting the annual costs of cyber crime, and that process begins with an realistic assessment of one's cyber security posture. But how can we effectively initiate such a discussion? How can we strengthen our defenses and hope to eradicate some instances of cyber crime? It might not seem possible. However, the National Institute of Standards and Technology (NIST) Cyber Security Framework (hereinafter referred to as “the Framework”) makes it so. Have you ever sat down and walked your IT team or C-Suite or board of directors through Identify, Protect, Detect, Respond, and Recover--the core elements of the Framework? If you have, you know that proactive change in the organization often follows. People start to remember the exact spots where and on what servers data is stored. They also begin to talk about introducing new employee training and awareness courses that focus on spearphishing attacks, or they bring up in conversation the need for email hardware devices that scrub suspicious attachments off of employees' emails. When we talk to clients about the Framework, we spend much of our time discussing new or emerging threats, like blended denial-of-service (DoS) attacks that combine the worst distributed denial-of-service (DDoS) offensives with ransomware or malware, or their current data protection policies. Almost always, we work together to come up with new strategies and new tools that they can use to better protect their data from tomorrow's threats. Conversations with our clients also tend to focus in on the importance of incident response planning and business continuity planning. The conversation goes something like this: “Assume you have been breached (or infected with ransomware). What do you do? How do you remediate the attack? How can you leverage pre-tested, already segmented back-up media in an effort to restore your network when you need it?" Major cities like New York City and Boston have similar types of conversations all the time about what they would do if they were attacked by terrorists. Organizations are no less vulnerable when it comes to digital threats. Enterprises need a common language that can facilitate plain-English conversations between directors, C-Suite executives, and IT professionals on how to do better protect business critical data. Fortunately, the NIST Cyber Security Framework provides an excellent starting point for these types of talks. If we are right, and if these discussions prove fruitful, don’t thank us. Thank the good people of the National Institute of Standards and Technology for giving us such an amazing tool. Happy Second Birthday to the NIST Framework.
About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. This article was co-authored by David Bisson. Title image courtesy of ShutterStock