This is OVER, but you can see the recording HERE: http://www.energysec.org/events/webinars/webinar-interpretations-and-forecasts-looking-beyond-rumors-myths-and-misunderstandings-about-the-new-nist-cybersecurity-framework/
Interested in hearing a more lengthy – and more frank – NIST Framework discussion that also includes both historical context and REAL security discussion? Join me as my employer and I host a webinar March 5, 2014 at 1pm ET.
Registration is HERE.
The official description follows this blurb, but you should also know that in addition to the usual EnergySec community, I'm also going to aim this webinar at groups like IATC (I Am The Cavalry) and NovaHackers. As such, not only will I run down my written framework assessments in more detail, but I'm also going to try to help these other communities understand the levers the framework uses, the state of the dialogue that led to it, and how to get engaged in the ongoing process. Please come prepared to hear more than you will elsewhere. Some pre-reading, if you are so inclined, can be found in my comments on the preliminary draft HERE.
Interpretations and Forecasts: Looking Beyond Rumors, Myths and Misunderstandings About the New NIST Cybersecurity Framework

On February 12, 2014 the White House released the first version of the NIST Cybersecurity Framework. NIST was directed to create this framework in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Since the preliminary framework was released last October, many rumors have been going around about what the framework is or is not. Additionally, a number of organizations have been making what we believe will likely turn out to be inaccurate representations about how the framework should be used and what expectations will surround it.

In this webinar, we will explore a number of the more common scenarios we've heard recently and attempt to provide educated but unaffiliated realism around the document, its uses, its gaps, and what's going to happen moving forward. While this will be an editorial webinar, and we cannot claim to represent an official stance on anyone's behalf, we believe our experience in this area and lack of vested interest will provide attendees with the tools (lenses, if you will) with which to better interpret what you hear from other third parties.
I just wrote up the following for someone in the Communications Sector. It's entirely stream-of-consciousness and unedited, so forgive the shoddy language and grammar, but as far as content goes, I think it sums up very well how I think of cybersecurity at an organizational (as opposed to industry/sector/national) level right now:
The vulnerabilities hackers exploit are created in the design, implementation, operation, or control of your business's strategy, resource allocation, capability maturity, and value chain. These vulnerabilities, created by your business decisions, allow hackers to repurpose your business and infrastructure, in part or entirely, to their own ends.
Therefore, cybersecurity can be said to be “The management of all business decisions made by your organization in a way which will inhibit malicious actors from using technology to repurpose your infrastructure or value chain for their own ends.”
While much of the focus on security has been on security-specific controls and roles, those controls and roles only temporarily mitigate security problems. True improvement in effectiveness and lowered costs will only come if the rest of the business manages its decisions in a way that reduces the number of business and technological vulnerabilities that your security programs must account for. These vulnerabilities can be introduced in typically "non-security" areas of your business such as product release timing, IT product selection, change management discipline, cross-team communication, business process design, policy compliance culture, and service and product feature selection.
And so, use of security frameworks such as the new NIST voluntary framework, while important, only accounts for security control at one of several interdependent layers of control and will not, by itself, successfully protect your organization. Business leadership priorities, business capability management, business process and IT architecture, operations, education and culture management, and classic "cybersecurity" must be given equal attention and be tightly integrated.
A tight integration of these areas will not only reduce the overall number of hacker-exploitable vulnerabilities being introduced, but will also allow the organization to more effectively identify and pivot toward defending against new threats and attack vectors. Without this overall business maturity, no threat data will ever be actionable, because there is simply too much area for your security teams and programs to cover. However, with the entire business working together to minimize exposure, your security team will be able to use threat-based intelligence from external organizations to understand what gaps remain, mitigate those threats in the short term, and then inform business leadership of areas of vulnerability that might require longer-term strategic organizational change to mitigate.
Ultimately, this should be seen as the development of two risk management lifecycles: one which looks at long-term threats to your organization resulting from vulnerabilities created by organizational decision making, and another which focuses on short-term tactical threats to your infrastructure. These two risk management lifecycles can then inform each other without replacing each other.
In the longer-term business management lifecycle, typical "barriers" such as operational, market, consumer, technology and policy considerations should be treated as "cybersecurity vulnerabilities" to be managed. Metrics could include measurements such as "number of times a security control was pushed to a later release in order to accommodate product release commitments made by marketing." Security improvement initiatives could then focus on changing organizational processes and decision making to the point where product release commitments and the introduction of security controls conflict less often.
Per my last post, I'll be at the White House today for the rollout of the NIST Voluntary Cybersecurity Framework that many of us worked on last year. You can see it live today at 1pm here:
Also, I've been working on my alternate version, which will cover the 80% of the space that the NIST-facilitated framework doesn't. In particular, I'm focusing on the environment that leads to security. My framework will help minimize the space your security teams have to cover by addressing how and where the business vulnerabilities that lead to technical vulnerabilities are introduced. This approach should both reduce security program costs and make those programs more effective. Expect a draft this week.
I got this yesterday!
You are invited to an event at the White House on Wednesday, February 12, at 1:00 p.m. for the release of the National Institute of Standards and Technology (NIST) voluntary Cybersecurity Framework. This date marks the one year anniversary of Executive Order 13636, which tasked NIST to convene the private sector to develop this Framework.
We deeply appreciate your leadership in our shared efforts to improve critical infrastructure cybersecurity and would like to offer you the opportunity to attend this event.
Upon receipt of your RSVP, we will follow up with additional logistical information and specific arrival details. This invitation is non-transferable.
We hope that you will join us for this important event.
J. Michael Daniel
Special Assistant to the President & Cybersecurity Coordinator
National Security Council
The White House