MY TAKE: NIST Cybersecurity Framework has become a cornerstone for securing networks

By Byron V. Acohido

If your company is participating in the global supply chain, either as a first-party purchaser of goods and services from other organizations, or as a third-party supplier, sooner or later you’ll encounter the NIST Cybersecurity Framework.

Related: How NIST protocols fit SMBs

The essence of the NIST CSF is showing up in the privacy regulations now being enforced in Europe, as well as in a number of U.S. states. And the protocols it lays out inform a wide range of best-practices guides put out by trade groups and proprietary parties, as well.

I had the chance at RSA 2019 to visit with George Wrenn, founder and CEO of CyberSaint Security, a cybersecurity software firm that plays directly in this space.

Prior to launching CyberSaint, Wrenn was CSO of Schneider Electric, a supplier of technologies used in industrial control systems. While at Schneider, Wrenn participated with other volunteer professionals in helping formulate the NIST CSF.

The participation led to the idea behind CyberSaint. The company supplies a platform, called CyberStrong, that automatically manages risk and compliance assessments across many types of frameworks. This includes not just the NIST CSF, but also the newly minted NIST Risk Management Framework 2.0, and the upcoming NIST Privacy Framework. For a full drill down on the wider context, give a listen to the accompanying podcast. Here are key takeaways:

Collective wisdom

Think of NIST as Uncle Sam’s long-established standards-setting body. “They are the people who brought you 36 inches in a yard,” Wrenn observed. To come up with its cybersecurity framework, NIST assembled top experts and orchestrated a global consensus-building process that resulted in a robust set of protocols. The CSF is comprehensive and flexible; it can be tailored to fit a specific organization’s needs. And the best part is it’s available for free.


Validation has come from its wide adoption. The CSF’s core principles have been incorporated into Europe’s GDPR, NYDFS’s cybersecurity requirements, California’s Consumer Privacy Act and Ohio’s Data Protection Act. And they echo through a wide variety of other risk assessment tools and initiatives that touch on third-party risks and data privacy.

“Some 3,000-plus cybersecurity folks, as well as lawyers and people from outside of industry, all contributed to this framework through NIST’s public review process,” Wrenn told me. “An entire community of expertise surrounds this, so that it actually yields a much better framework than some of the proprietary frameworks in the market, where you have to buy them and license them every year.”

Diverse drivers

So what’s driving companies to embrace these standards?

In the U.S., so-called “essential services” organizations, including hospitals, banks, telephony, and cellular companies, are mandated to adopt certain NIST standards, Wrenn said.

The CSF adds a layer of protection. While a first-party contractor can’t directly control the data-handling practices of a third-party supplier, it can insist that all of its suppliers adopt the NIST protocols, putting everyone on the same page.

“Then you have the folks whose security programs have run out of steam and they’re looking for a way to prove that they’re doing due care,” Wrenn said.

That could be for insurance purposes. “As with any insurance, cyber insurance really requires due care,” Wrenn said. “So if one were to have an incident and file a claim, the first thing that’s going to happen is the insurance company is going to bring in some consultants to look at your cyber posture.”

Companies now realize that if they can’t demonstrate due care, there’s a good chance their cyber insurance claim could be denied, as happened to food distributor Mondelez International in the wake of the 2017 NotPetya ransomware wave.

Privacy in focus

The flip side of data security is privacy. Fittingly, there is a new NIST framework in the works, this one focusing specifically on privacy.

The NIST Privacy Framework, now in a drafting phase, will address many of the same concerns as Europe’s GDPR and other privacy regulations, with respect to giving individuals more control over the privacy of their digital footprints.

The stakes are high. Controversies like the Facebook-Cambridge Analytica scandal, and Europe recently fining Google $55 million for violating GDPR, have made organizations more aware of the risks involved in leveraging personal data without express permission.

The NIST Privacy Framework will provide organizations with the guidelines they want and need to protect the privacy of their users’ personal information. The ultimate goal: help organizations identify where their privacy risks are and better manage them, Wrenn said.

“You’re going to see more folks open their eyes to risk management, and you’re going to see more folks gravitating towards NIST guidance on protecting the privacy of their users and customers, that’s really going to be the trend,” Wrenn told me.

It’s good to know a time-honored body, like NIST, is in the thick of setting standards that will come to define privacy and security as we move ahead. It’s worth paying close attention to. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

