Paul Christman, who is VP of public sector at Dell Software, recently wrote an op-ed in USA Today about draft guidelines issued by the National Institute of Standards and Technology (NIST). In his op-ed, Christman praised the NIST guidelines as widely applicable to both public and private sector organizations. Many of these organizations have already experienced major data breaches within the past two years, including:
- LivingSocial. An attack on this daily deals provider revealed the names, passwords, birthdates and e-mail addresses of over 50 million customers.
- Oregon Health and Science University. An unencrypted laptop and USB drive were stolen from an employee's home. The laptop contained detailed information about over 4,000 OHSU patients.
- Wyndham Hotels. Two major data breaches compromised hundreds of thousands of credit and debit cards. Customers reported fraud losses of over $10.6 million.
- U.S. Navy and Department of Homeland Security. Attackers used SQL injection to steal employees' e-mail IDs, usernames, passwords, security questions and security answers from two large websites: the Smart Web Move website and the DHS Transportation Worker Identification Credential website.
If you want to learn more about the nuts and bolts of stopping these attacks, then check out a cybersecurity master’s degree program. Christman is right to suggest that both public and private sector groups take a look at NIST guidelines and consider becoming voluntarily compliant.
An Overview of the Guidelines
NIST guidelines are built around five basic functions that are flexible enough to apply to any organization:
- Know. Government agencies, non-profits and private businesses should start by gaining some institutional knowledge of their vulnerabilities. This knowledge includes understanding which systems are most critical and how workflow can be managed in a way that makes risk management cost-effective.
- Prevent. Preventing a data breach is almost always cheaper than cleaning up after one. NIST breaks prevention into categories of activity that help an organization choose the preventive controls appropriate to the risks it identified in the "Know" stage.
- Detect. Detection includes using ongoing monitoring to assess both new and persistent threats. Monitoring should provide a real-time assessment of how those threats would impact the organization both financially and operationally as well as how the organization’s brand could come under fire.
- Respond. Responding means carrying out the outcome-based activities that were planned during the prevention and detection stages, rather than improvising once an incident is under way.
- Recover. Recovery means restoring services in an efficient and cost-effective way after an unforeseen cyberattack.
For each of the five steps, NIST recommends developing action steps for three levels of management including senior executives, business process managers and operational managers. In particular, the lack of personal executive attention to cybersecurity matters is a serious pain point for many companies and agencies. Implementing NIST could be a great way to get the C-suite onboard with your cybersecurity program.
Beauty in Adaptability
When you take a look at NIST, don’t expect to see a checklist or a rubric of 10 things to do to protect your organization from hackers. This compendium isn’t something that can enable you to respond to a data breach lawsuit by saying, “But we’re NIST certified.” It’s based on ongoing risk assessment from the inside out. Even though going through NIST means doing a lot of work in the initial risk assessment, you should already be doing this kind of comprehensive evaluation anyway. You can approach it in three ways:
- Adapt it to your existing risk assessment framework.
- Reframe all of your risk assessment using the NIST guidelines (for consistency).
- Kickstart the risk assessment you’ve been putting off by using NIST’s “build it right” approach for IT and beyond.
By focusing on general functions, NIST has done a good job of creating a framework that any organization can use. The key is to adapt NIST guidelines to the budget, security needs and risk tolerance levels of your organization. The NIST guidelines are not a one-size-fits-all approach. Instead, they give you flexibility to design a cybersecurity risk-management program specifically for your organization. If you truly take the time to study your workflows in-depth, particularly during the “Know” stage, then you may realize benefits that go way beyond cybersecurity.
About the Author: Corey Hellmann is a risk management consultant serving multiple private businesses as well as public sector organizations at the municipal, state and federal levels.