Few adopt NIST cybersecurity guidelines, but that could change
High cost, no mandate keep numbers low, but small businesses and government contractors most likely to use framework
By Gary Stoller, ThirdCertainty
A new survey shows that most IT professionals believe the federal government’s NIST Cybersecurity Framework is “an industry best practice,” yet, to date, fewer than one-third have adopted it.
The survey of more than 300 IT and security professionals at organizations in various industries was conducted by Maryland-based cybersecurity company Tenable Network Security.
Only 29 percent of respondents said their organizations have adopted the framework—guidance published two years ago by the National Institute of Standards and Technology to strengthen cybersecurity at banks, energy companies and other organizations critical to the nation’s infrastructure. Seventy percent, however, praised the framework, produced by the Department of Commerce agency, as an industry best practice.
“Historically, CISOs (chief information security officers) have been hesitant to take full advantage of the NIST Cybersecurity Framework because of a high investment requirement and a lack of regulatory mandate,” says Ron Gula, Tenable Network Security’s CEO.
Such hesitancy, though, is changing, Gula says, “as organizations begin to shift their mind-set from moment-in-time compliance with frameworks like PCI DSS (Payment Card Industry Data Security Standard) to continuous conformance with the NIST Cybersecurity Framework.”
Tenable supplies technology that can automate NIST security controls.
Adoption numbers small, but growing
The survey’s finding of 29 percent adopting the NIST framework is consistent with data cited recently by NIST itself. In February, the agency said that, according to the information technology research company Gartner, the framework is now used by 30 percent of U.S. organizations and that the number is expected to reach 50 percent by 2020.
Users include such “critical infrastructure giants” as Bank of America, U.S. Bank, Pacific Gas & Electric, Intel, Apple and Walgreen’s, the NIST says. The Italian government, according to the NIST, also is using the framework “as the foundation” for its cybersecurity guidelines.
Adam Sedgewick, NIST’s senior IT policy adviser, believes that a 29 percent adoption rate—rising to 50 percent over the next few years, if Gartner’s projection plays out—is a “very good sign of progress.”
“NIST anticipates adoption will continue to increase over time,” Sedgewick told ThirdCertainty. “It is important to note that the NIST Framework is not competing with other approaches; it was designed to leverage and build off of existing standards and best practices.”
The NIST framework can help companies determine “which activities are most important to assure critical operations and service delivery,” Sedgewick says. That, in turn, can help organizations of all sizes “prioritize investments and maximize the impact of each dollar spent on cybersecurity.”
There also can be a halo effect with suppliers and contractors. “Organizations also can readily use the framework to communicate a current or desired cybersecurity posture between a buyer or supplier, potentially strengthening the security of their supply chains,” Sedgewick points out.
For companies considering embracing NIST guidelines, it often comes down to a cost vs. benefit calculation. Tenable’s survey also found that more than half of respondents whose organization currently uses or plans to use the NIST framework said the level of investment needed to fully conform with the framework was high.
The high cost and the lack of a regulatory requirement mean that many organizations that have adopted the framework do not implement all of its recommendations, Tenable Network Security says.
Sixty-four percent of respondents at organizations using the framework reported implementing some, but not all, of the NIST-recommended controls. Similarly, 83 percent of organizations that plan to adopt the framework in the next year said they would adopt just some of the controls.
An organization can use the framework, the NIST says, “to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”
Education, health care sectors drag feet
Organizations in the banking and finance industries are the ones most reliant on security frameworks, the Tenable Network Security survey found. Only 77 percent of respondents in the education industry and 61 percent in the health care industry said they had a security framework in place.
Ninety percent of respondents at companies with more than 10,000 employees said their companies have adopted a security framework, compared with 77 percent of respondents at companies with fewer than 1,000 employees.
John Pescatore, director of emerging security trends at SANS, which provides security training and certification, says the NIST framework acknowledges that most businesses and all government agencies are subject to, or using, a long-existing security framework such as PCI, NERC or HIPAA.
“So, the only companies who will gain from the NIST framework,” he says, “are businesses that didn’t already have a framework—mostly small businesses or small numbers of large, non-publicly traded companies—or companies required to do so by terms in government contracts.”
Pescatore says the government “can and should use its buying power” to increase overall cybersecurity.
Rather than create another framework, the government should focus on elements of existing frameworks “proven to reduce the risk of real-world attacks,” he says.
The Australian Signals Directorate—the country’s equivalent of the U.S. National Security Agency—has taken such an approach with its ranked list of mitigation strategies, which, according to Pescatore, “produces quantitative and huge reductions in attack success.”