Ten years ago, back in 2013, breaches were hot topics that seemed to catch everyone’s interest. Most notably, Snowden’s National Security Administration (NSA) leak was at the top of every news station, magazine, and newspaper. Breaches stayed in the headlines over the next few years as Sony, eBay, and the Internal Revenue Service fell victim.
But now, breaches similar in scope and size to the ones above seem to make headlines for — at most — just a day or two. After that, certain reporters may cover and investigate specific outcomes, but the general public’s focus does not linger on them anymore. Psychiatrists may say that’s because people have more stimulation and lower attention spans, but I think it’s mainly that breaches are just the cost of doing business now. The frequency of breaches has eroded the impact they have on companies, but enterprises must still take action to prevent and resolve these threats.
Specifically, I think the National Institute of Standards and Technology (NIST) Cybersecurity Framework is where enterprises are rightly looking for guidance on making those changes. NIST has been focusing on cybersecurity for quite some time. Its first framework was released in 2014, when notable breaches seemed to be peaking in the public’s eye. While NIST is well-respected, the private sector has yet to overwhelmingly adhere to its framework — partially because companies aren’t punished for not doing so, and also because there are no relevant certifications yet.
Powerful, Not Regulatory
NIST is explicitly not a regulatory authority. It is a nonregulatory agency in the US government, which makes it powerful from a research and knowledge perspective — but not regulatory. Its position allows it to build cybersecurity frameworks from a scientific and unbiased point of view, but the agency cannot mandate that organizations comply with its guidance. This allows for a fluid landscape as NIST continually looks for advancements, complexities, or changes in the threat landscape to bring into its framework of best practices.
Enterprises need to begin actively using the NIST Framework in their systems to better protect the overall environment. Unlike federal agencies, which can be penalized for not incorporating the NIST Framework, private businesses face no such penalty and so need to be more willing and focused on implementing it. It does take time and resources, especially as the framework is continually updated, but private businesses must take responsibility for being good cybersecurity stewards by adopting it.
Certified by NIST?
Whether your company is B2B or B2C, having the right certifications can make the difference in whether you win a new contract or partner. Certification shows that your company is not only focused on the client’s product but also follows guidelines that support safer, more accountable, and more reliable practices.
This is why I think that, for NIST to have a larger footprint in the private sector, there needs to be a NIST certification awarded based on how well an organization integrates its guidance. It could even follow how the International Organization for Standardization (ISO) defines specific standards, where ISO 9001 (Quality Management System) differs from ISO 27001 (Information Security Management System), with different certifications based on a company’s specific compliance.
That said, NIST does not have the time and staff to take on such an endeavor, and it would require yet another audit of your company’s systems. But I truly believe that if companies take the time to allow a third party to rate their cybersecurity programs against NIST’s framework, it will improve the cybersecurity environment as a whole. Companies can lean more on NIST to do the research and unbiased monitoring of what can and must be done to protect overall security, and they can implement that guidance in stride.
No Magic Answer
There is no magical, hidden piece of the puzzle that NIST would necessarily uncover if more enterprises incorporated its cybersecurity framework into their systems. However, in a tech industry that talks about collaboration and using open source to improve its offerings, being open to following NIST’s directions seems promising.
Treating the NIST Framework more like a requirement, even without true authority or penalty, and viewing its stamp of approval as a highly respected certification will enable the security sector to move forward together.