From Framework to Application: Security Ratings and NIST

This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage BitSight’s ratings to drive better risk management through the lens of the NIST framework.

While the mega-breaches affecting retailers, healthcare organizations, and others continue to grab headlines, some cyber security threats and vulnerabilities are largely overlooked. One such issue is the security problems that affect our nation’s critical infrastructure. This infrastructure includes all virtual and physical assets and systems that are crucial to daily functioning of our way of life, or, as the Department of Homeland Security puts it, “We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.”

Though it is hard to quantify the full extent of cyber threats to critical infrastructure, one Ponemon survey found that 70% of critical infrastructure firms had been breached in the last year. In order to address these issues, government officials and agencies government official and agencies have been looking for solutions to the growing problem of data security within the nation’s critical infrastructure. In February 2013, President Obama signed Executive Order 13636, mandating that all entities that fall within the nation’s critical infrastructure must adhere to a new cybersecurity framework put forth by National Institute of Standards and Technology (NIST). This framework provides five key core framework functions along with more specific categories that provide references to best practices from other guidelines, such as the Control Objectives for Information and Related Technology (COBIT), the ISA99 Industrial Automation and Control Systems Security, among others.

While voluntary for organizations that are not part of the nation’s critical infrastructure, there has been a concerted effort to encourage widespread adoption of this framework. NIST notes that an organization “can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.” It’s clear that this framework is not being pushed as something to overhaul a company’s security programs, yet rather encourage better risk management practices within an organization by adopting key best practices. The private sector is beginning to recognize this with firms such as PwC actively promoting the adoption of the framework and noting that it will likely be used as a standard for future legal rulings.

Outside-in ratings of a company’s security performance can directly address key components of the NIST guidelines. This blog series will look at how Security Ratings can address key aspects of the five Framework Functions: Identify, Protect, Detect, Respond, Recover. By gaining insight into security performance with quantitative ratings, business can promote security awareness, identify threats, continuously monitor networks and more. By adopting this Framework in conjunction with outside-in, objective ratings, businesses can move to better risk management of growing cyber threats.

Part 2 In This Series | From Framework to Application: Identify with BitSight