With cyber threats the new normal, organizations must put NIST best practices into play

Cybersecurity framework gives businesses of all sizes, sectors privacy, protection for internet traffic


Put aside the cyber threats, which continue to worsen. All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do in order to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

Related article: Europe’s new privacy rules unaffected by Brexit vote

Edric Wyatt, CyberScout security analyst

And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

I recently sat down with Edric Wyatt, security analyst at CyberScout, to discuss the first step any organization—of any size and in any sector—can take to become more security mature: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration likewise refers to the NIST framework in its guidance for medical device manufacturers.

NIST is proactive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective, proactive steps to improve any organization’s digital security posture. Implementation materials are available at no cost to organizations of all types and sizes: small- and medium-size companies, educational institutions, and state and local government agencies.

NIST is flexible. At the end of the day, the NIST series guides organizations in shaping security policies and security controls that are flexible, adaptable—and effective. One vital component is senior management buy-in. New policies can and should be implemented and tweaked in a methodical, measurable manner, and championed by senior leaders. The goal should not be just tightening security, Wyatt says, but also making one’s organization more reliably productive. A continual feedback loop can help keep controls alive and vital, he says.

For a deeper drill down on our conversation, please view the accompanying video.
