The ‘must haves’ to make the Framework for Cybersecurity useful

The ‘must haves’ to make the Framework for Cybersecurity useful: This month, the National Institute of Standards and Technology (NIST) is scheduled to release the first official draft of the Cybersecurity Framework. NIST produced the guidelines in response to President Obama’s executive order issued February. The Framework consists of standards, methodologies, procedures, processes and guidelines designed to help businesses address risks and develop a plan to improve their security posture.

The goal of the Framework is laudable. The many news stories revealing company data breaches indicates businesses need a different approach when it comes to protecting valuable information. However, since NIST has no regulatory or statutory authority to enforce its use, the Framework must include specific information and guidance that business leaders will want to follow – information that is easy to put to use and indicates an immediate need for a thorough cyber security plan.

Making cyber security a top priority starts at the top.  Until board members and executives view security as a real business issue, a voluntary framework will get little traction. How can the Framework encourage business leaders to make security a top priority? By including information that is relevant to their specific business. In the current outline, the guidelines appear to have an overarching view that any business should be able to use it. It does include a section that addresses the ability of organizations to pick which standards are the most relevant to them, however, NIST should go one step further and develop frameworks for specific industries. For example, draft guidelines that speak to business leaders in the financial, electricity and oil and gas industries. Compartmentalizing the industries will be more effective in getting the right people to pay attention since the information caters to their specific business.