Yesterday’s release of the final NIST Cybersecurity
Framework is an immediate call to action for companies managing critical
infrastructure in the United States. With the core of the Framework having
changed very little from the preliminary versions, it calls for companies across a
broad range of industries, from finance and healthcare to energy and information
technology, to be prepared to adopt it and to show that their cybersecurity
practices are consistent with the practices it outlines. The primary difference
from the preliminary draft is a revision to the privacy section: critics
felt the draft privacy section was so costly and
prescriptive that it would deter widespread adoption of the Framework, which remains, at
present, voluntary.
The NIST Cybersecurity Framework: “Commercially Reasonable?”
Over time, as federal incentives are offered and these
industries increasingly accept and comply with the Framework, the private sector
is likely to be drawn toward the NIST Cybersecurity model through common-law
liability. Some data-privacy specialists are already speculating that the Framework
will become the standard for what is considered “commercially reasonable”
security for corporations that come under regulatory scrutiny or are involved in
litigation related to a data breach.
Is working to this standard good corporate citizenship,
good security, and good business sense? Most would agree that it is. However, our
company’s position is that the Framework falls short in one key area: it
does not call for active threat hunting based on ongoing, proactive risk and
security intelligence. From the simple standpoint of organizational
self-defense, in an age of rapidly increasing legal,
intellectual-property, and information risk, it makes sense for organizations to comply with
the highest possible standard of security.
“Next Practices”: Proactive Security Intelligence for Early Threat Hunting
With a recent SANS Endpoint Security Survey showing that
over 47 percent of corporate security professionals believe their
organizations have already been compromised, it is clear that intrusion prevention
systems alone are insufficient for defending sensitive data against external
and internal threats. Executives who wish to ensure that their
corporations are exceeding their duty of care with regard to cybersecurity
would do well to adopt the NIST Cybersecurity Framework as a baseline, and then
to go one step further by establishing proactive
security intelligence.
Enabling information security teams to actively hunt threats
based on the earliest possible intelligence from every corporate endpoint, and
to document that work thoroughly, can help corporate counsel, executives, and boards
show at any point in time that they have met or exceeded what is likely
to become the de facto standard for American business.
Mark Harrington is General Counsel and Corporate Secretary at Guidance Software and oversees worldwide legal responsibility for the company.