Cybersecurity is a prevalent topic in the news today, with data breaches hitting the headlines every week. Not surprisingly, we are also seeing legislation in the U.S. and internationally designed to encourage companies to protect sensitive personal information. It is now more important than ever to have a cybersecurity framework, and one of the most popular is the National Institute of Standards and Technology, or NIST, cybersecurity framework.
Sabrina Serafin sits down with Brandon Sherman of our Nashville and Las Vegas PRG practices to discuss the basics of the NIST framework and why you should consider employing the framework to help prevent data breaches.
Managing Cyber Risk: Understanding the NIST Control Framework
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today we’re talking to Brandon Sherman, a Partner with Frazier & Deeter who specializes in providing risk assurance and consulting solutions. Besides managing cybersecurity risk, Brandon also leads the firm’s Nevada and Tennessee Process, Risk & Governance practices. Welcome to the podcast, Brandon.
Brandon: Hey, Sabrina. Thanks for having me.
Sabrina: Well, I’m happy to have you today, Brandon. Cybersecurity is a topic that we’re seeing over and over again in the news, with data breaches hitting the headlines every week. Not surprisingly, we’re also seeing more legislation, both in the United States and internationally, that’s designed to get companies to protect sensitive personal information. It’s now more important than ever to have a cybersecurity framework, and one of the most popular is the National Institute of Standards and Technology’s NIST cybersecurity framework.
We’ve invited Brandon today to talk about cybersecurity and most specifically the NIST security framework. Brandon, how did NIST, a non-regulatory agency, get involved with cybersecurity, and how did the framework come about?
Brandon: As you mentioned, Sabrina, NIST is an acronym for the National Institute of Standards and Technology, which is an agency within the US Department of Commerce that has been around since 1901. In 2013 President Obama issued an executive order which directed NIST to work with industry and commercial leaders to develop the Cybersecurity Framework. This framework led to the Cybersecurity Enhancement Act of 2014, which called on NIST to facilitate and support a voluntary, industry-led cybersecurity standard for best practices for critical infrastructure.
After NIST obtained input and collaboration with over 3,000 industry leaders, academia and government stakeholders, Version 1.0 of the framework came out in February 2014. Although this framework was originally meant for critical infrastructure, it can help organizations of all types and sizes better understand, manage and reduce their cybersecurity risk. It can also assist in prioritizing cybersecurity resources and investments, and serves as a common language to address cyber risk management.
Sabrina: So how is the NIST framework composed? What are the different areas within this particular framework?
Brandon: Well, the NIST framework is based on existing standards such as ISO, COBIT and PCI, and this framework can be downloaded at nist.gov. The NIST areas and details are mapped to the various IT frameworks I just mentioned as well. Our public company clients are seeing more scrutiny and questions internally from the boards and executives asking about cybersecurity, and also from the SEC and the PCAOB. This also applies to clients of all sizes; they’re being asked and vetted by their suppliers, their customers and other stakeholders about their cybersecurity program and what they’re doing about mitigating those risks. This NIST framework provides standards and guidelines that people at all levels, even those not up to speed in IT and cyber terms, can relate to and understand.
Within the NIST framework, there are five core functions.
First, what we see is “identify.” What are our critical assets? Where do all the data reside? What location? What clients and what third parties and contractors may have some data? Identify is number one.
Number two is “protect.” How do we protect these assets once we’ve identified them?
Three is “detect.” What mechanisms are in place to make us aware when something happens?
Four is “respond.” So what do I do if an incident does occur? What steps should I take? Who should I call, and who do I notify?
Last, but not least, is “recover.” How do we get back to the normal course of operations?
So again, those five core functions, Sabrina: identify, protect, detect, respond and recover. Within those functions, there are 22 categories and 98 subcategories that provide more prescriptive guidance on these core functions. And again, that framework is downloadable at nist.gov; there’s actually an Excel spreadsheet that breaks down each of the functions and categories in more detail.
Sabrina: And that’s free to users, isn’t it?
Brandon: That’s right. Anyone can go to nist.gov and download not only the framework, but a number of resources and tools, and also some success stories that are out there throughout various organizations that have allowed NIST to publish their success stories along the way.
Sabrina: You’ve introduced the five core functions. Can you talk to us about how organizations are measured against the framework or the functions within it?
Brandon: Great question, Sabrina. NIST has established four Implementation Tiers, 1 through 4. That helps companies have a standard to measure how mature their program is for each of the functions, as well as the different categories and subcategories. This is helpful to serve as a measuring stick: they can see where they currently are, where they want to go, and also build a roadmap to bridge the gap between current state and future state.
Sabrina: So this framework is something that organizations can apply themselves; they don’t necessarily need an external party to make those evaluations?
Brandon: True, there’s a self-assessment that’s also available on nist.gov, and they have the resources that I mentioned, tutorials, guidelines. But really, an organization has to determine who within that organization will own the assessment. This is not just an IT initiative. It’s a company-wide initiative. And what we’re seeing is that companies typically do need some advice and guidance from outside the organization. Firms like us, Frazier & Deeter, would be happy to help implement this framework.
Sabrina: Great point, Brandon. Now, here’s a question that’s often asked: Does adherence to the NIST framework guarantee security from data breaches?
Brandon: Unfortunately, there is no silver bullet. This framework does not guarantee security. However, it provides some context and a way to determine potential gaps in the current state of the cybersecurity program or lack thereof, which can also lead to identifying potential risks that can be addressed.
Sabrina: If someone’s interest is piqued, where should an organization start to implement the NIST framework?
Brandon: The first place I’d start is nist.gov. There is a self-assessment available. I’d also recommend reaching out to an advisor such as Frazier & Deeter to help guide you.
Sabrina: While many breaches are caused by failures within an environment, threats are constantly evolving. How does NIST plan to update the framework to adapt to the ever-changing cybersecurity landscape?
Brandon: Great question, Sabrina. It seems like it is changing by the day, and NIST did come out with Version 1.1 in April of 2018. They also released earlier in 2019 the Version 1.1 roadmap, so the framework was out April 2018, then the roadmap came out in 2019. This update provides some clarification on measurement and more detail and guidance on the self-assessment process, as well as expanding on topics such as identity access management, the Internet of Things or IoT, supply chain management and ERM, enterprise risk management. They also continue to point out that just obtaining the technology will not fix or improve your cyber program. This is people, process and technology. The what, how and who, if you will. And what we’re seeing is that the people aspect, the “who,” is the area most lacking.
There’s a shortage of talent in the cybersecurity field, and the workforce is a consistent challenge for almost all companies in this area. Also, NIST has been focusing on pushing awareness of the framework globally, broader than just the US. They now offer the framework and related guidance in several languages. I know there’s a Spanish version, Italian, Arabic, Hebrew and Portuguese, just to name a few. But NIST is constantly meeting with other global standards groups to evolve the framework to include international standards. The biggest movement I’ve seen is that NIST has just issued a draft privacy risk management framework in light of GDPR and other US and state legislation that is anticipated in the privacy arena. So as I mentioned, this is an evolving framework based on current and anticipated cybersecurity and privacy rules.
Sabrina: Brandon, thank you so much for being with us today and sharing your insights about NIST and cybersecurity in general. You’ve given our listeners some interesting concepts to consider for their organizations and great advice. Thank you for listening to Frazier & Deeter’s Culture of Compliance podcast, and please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.