The Value of National Guidelines for Cyber Security

By Shawn Dougherty July 14, 2014

Shawn DoughertyIt’s not a secret that cyber security is a significant issue facing businesses of all shapes and sizes in the United States and across the globe. President Obama has said that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cyber security.” As a result, the current administration charged the National Institute of Standards and Technology (NIST) with developing a framework to assist companies in better addressing the cyber threats facing them.

Of course, the first argument against a published security framework document is that the bad guys are essentially given a road map on how to bypass security systems or procedures. I for one disagree with that argument and would like to provide a few thoughts on the value of the NIST Cybersecurity Framework and what it may achieve.

The Internet was never designed with security in mind. The Internet as a concept was an open forum to share knowledge, abilities, and resources for the greater good. Trust, not security, was the underlying principle in network design. As the web has evolved from a forum for sharing data and knowledge to a driving force in daily life, security has become much more critical. The NIST Cybersecurity Framework seeks to make security a priority, rather than an afterthought.

It’s important to note that the Framework is a set of voluntary guidelines that allow for flexibility in interpretation and execution. That’s particularly important because cyber security is not a one-size-fits-all concept. If all businesses were expected to use a specific network design or virus protection solution, the Framework would fail before it even gathered steam.

It’s also worth noting that the Framework is targeted to executives, board members, and high-level decision makers, not IT professionals or departments. The guidelines seek to change the way businesses think about cyber security, not impose specific actions or protocols to follow.

To learn about ISO’s various cyber offerings, visit the ISO Cyber Risk Solutions website, www.verisk.com/cyber, or e-mail me at sdougherty@iso.com. You can also follow me on Twitter @doughertyshawn.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.