VIDEO: Why the NIST framework is so fundamental to network security

June 14th, 2017

By Byron Acohido

Put aside the cyber threats, which continue to worsen. All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do in order to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

I recently sat down with Edric Wyatt, security analyst at CyberScout to discuss the first step any organization—of any size and in any sector—can take to become more security mature: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration likewise refers to the NIST framework in its guidance for medical device manufacturers.

NIST is proactive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective, proactive steps to improve any organization’s digital security posture. Implementation materials are available at no cost to organizations of all types and sizes, including small and medium-size companies, educational institutions, and state and local government agencies.

NIST is flexible. At the end of the day, the NIST series guides organizations in shaping security policies and security controls that are flexible, adaptable—and effective. One vital component is senior management buy-in. New policies can and should be implemented and tweaked in a methodical, measurable manner, and championed by senior leaders. The goal should not be just tightening security, Wyatt says, but also making one’s organization more reliably productive. A continual feedback loop can help keep controls alive and vital, he says.

For a deeper drill down on our conversation, please view the accompanying video.

(Editor’s note: This article originally appeared on ThirdCertainty.com.)