Yesterday’s release of the final NIST Cybersecurity Framework is an immediate call to action for companies managing critical infrastructure in the United States. With the core of the Framework having changed very little from preliminary versions, it calls for companies in a broad range of industries from finance and healthcare to energy and information technology, to be prepared to adopt it and prove that their cybersecurity practices are consistent with the outlined practices. The primary difference from the preliminary draft is a revision to the privacy section, because critics felt the preliminary draft of the privacy section would be so costly and prescriptive as to deter widespread adoption of the Framework, which is, at present, still voluntary.
The NIST Cybersecurity Framework: “Commercially Reasonable?”
Over time, as federal incentives are offered and these industries increasingly accept and comply with the Framework, it’s likely that the private sector will move toward the NIST Cybersecurity model through common law liability. Some data-privacy specialists are already speculating that the Framework is likely to become a standard for what’s considered “commercially reasonable” for corporations who come under regulatory scrutiny or are involved in litigation related to a data breach.
Is working to this standard good “corporate citizenship,” good security, good business sense? Most would agree that it is. However, our company’s position is that the framework falls short in one key area: it fails to call for active threat hunting based on ongoing, proactive risk and security intelligence. From the simple standpoint of organizational self-defense, it makes sense in this age of rapidly increasing legal, intellectual property, and information risk for organizations to comply with the highest possible standard of security.
“Next Practices”: Proactive Security Intelligence for Early Threat Hunting
With a recent SANS Endpoint Security Survey showing that over 47 percent of corporate security professionals believe that their organizations have already been compromised, it’s clear that intrusion prevention systems are an insufficient approach for effectively defending against external and internal threats to sensitive data. Executives who wish to ensure that our corporations are exceeding their duty of care with regard to cybersecurity would do well to adopt the NIST Cybersecurity Framework as a baseline, and then to go one step further by establishing proactive security intelligence.
Enabling information security teams to actively hunt threats based on the earliest possible intelligence from every corporate endpoint, in a way that is well-documented, can help corporate counsel, executives, and boards make a case at any point in time that they have met or exceeded what is likely to become the de facto standard for American business.
Mark Harrington is General Counsel and Corporate Secretary at Guidance Software and oversees worldwide legal responsibility for the company.