Few adopt NIST cybersecurity guidelines, but that could change

High cost, no mandate keep numbers low, but small businesses and government contractors most likely to use framework


A new survey shows that most IT professionals believe the federal government’s NIST Cybersecurity Framework is “an industry best practice,” yet, to date, fewer than one-third have adopted it.

The survey of more than 300 IT and security professionals at organizations in various industries was conducted by Maryland-based cybersecurity company Tenable Network Security.


Only 29 percent of respondents said their organizations have adopted the framework—guidance established two years ago by the National Institute of Standards and Technology to strengthen cybersecurity at banks, energy companies and other organizations critical to the nation’s infrastructure. Seventy percent, however, praised the framework of the Department of Commerce agency as an industry best practice.

“Historically, CISOs (chief information security officers) have been hesitant to take full advantage of the NIST Cybersecurity Framework because of a high investment requirement and a lack of regulatory mandate,” says Ron Gula, Tenable Network Security’s CEO.

Ron Gula, Tenable Network Security CEO

Such hesitancy, though, is changing, Gula says, “as organizations begin to shift their mind-set from moment-in-time compliance with frameworks like PCI DSS (Payment Card Industry Data Security Standard) to continuous conformance with the NIST Cybersecurity Framework.”

Tenable supplies technology that can automate NIST security controls.

Adoption numbers small, but growing

The survey’s finding of 29 percent adopting the NIST framework is consistent with data cited recently by the NIST. In February, the agency said that, according to the information technology research company Gartner, the framework is now used by 30 percent of U.S. organizations and that number is expected to be 50 percent by 2020.

Users include such “critical infrastructure giants” as Bank of America, U.S. Bank, Pacific Gas & Electric, Intel, Apple and Walgreen’s, the NIST says. The Italian government, according to the NIST, also is using the framework “as the foundation” for its cybersecurity guidelines.

Adam Sedgewick, NIST’s senior IT policy adviser, believes that a 29 percent adoption rate—rising to 50 percent over the next few years, if Gartner’s projection plays out—is a “very good sign of progress.”

“NIST anticipates adoption will continue to increase over time,” Sedgewick told ThirdCertainty. “It is important to note that the NIST Framework is not competing with other approaches; it was designed to leverage and build off of existing standards and best practices.”

The NIST framework can help companies determine “which activities are most important to assure critical operations and service delivery,” Sedgewick says. That, in turn, can help organizations of all sizes “prioritize investments and maximize the impact of each dollar spent on cybersecurity.”

Influence spreads

There also can be a halo effect with suppliers and contractors. “Organizations also can readily use the framework to communicate a current or desired cybersecurity posture between a buyer or supplier, potentially strengthening the security of their supply chains,” Sedgewick points out.

For companies considering embracing NIST guidelines, it often comes down to a cost vs. benefit calculation. Tenable’s survey also found that more than half of respondents whose organization currently uses or plans to use the NIST framework said the level of investment needed to fully conform with the framework was high.

The high cost and the lack of a regulatory requirement mean many organizations that have adopted the framework do not implement all of its recommendations, Tenable Network Security says.

Sixty-four percent of respondents at organizations using the framework reported implementing some, but not all, of the NIST-recommended controls. Similarly, 83 percent of organizations that plan to adopt the framework in the next year said they would adopt just some of the controls.

An organization can use the framework, the NIST says, “to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”

Education, health care sectors drag feet

Organizations in the banking and finance industries are the ones most reliant on security frameworks, the Tenable Network Security survey found. Only 77 percent of respondents in the education industry and 61 percent in the health care industry said they had a security framework in place.

Ninety percent of respondents at companies with more than 10,000 employees said their companies have adopted a security framework, compared with 77 percent of respondents at companies with fewer than 1,000 employees.

John Pescatore, director of emerging security trends at SANS, which provides security training and certification, says the NIST framework acknowledges that most businesses and all government agencies are subject to, or using, a long-existing security framework such as PCI, NERC or HIPAA.

“So, the only companies who will gain from the NIST framework,” he says, “are businesses that didn’t already have a framework—mostly small businesses or small numbers of large, non-publicly traded companies—or companies required to do so by terms in government contracts.”

Pescatore says the government “can and should use its buying power” to increase overall cybersecurity.

Rather than create another framework, the government should focus on elements of existing frameworks “proven to reduce the risk of real-world attacks,” he says.

The Australian Signals Directorate—the country’s equivalent to the U.S. National Security Agency—has taken such an approach and “produces quantitative and huge reductions in attack success,” according to Pescatore.
