It’s not a secret that cyber security is a significant issue facing businesses of all shapes and sizes in the United States and across the globe. President Obama has said that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cyber security.” As a result, the current administration charged the National Institute of Standards and Technology (NIST) with developing a framework to assist companies in better addressing the cyber threats facing them.
Of course, the first argument against a published security framework document is that the bad guys are essentially given a road map on how to bypass security systems or procedures. I for one disagree with that argument and would like to provide a few thoughts on the value of the NIST Cybersecurity Framework and what it may achieve.
The Internet was never designed with security in mind. The Internet as a concept was an open forum to share knowledge, abilities, and resources for the greater good. Trust, not security, was the underlying principle in network design. As the web has evolved from a forum for sharing data and knowledge to a driving force in daily life, security has become much more critical. The NIST Cybersecurity Framework seeks to make security a priority, rather than an afterthought.
It’s important to note that the Framework is a set of voluntary guidelines that allow for flexibility in interpretation and execution. That’s particularly important because cyber security is not a one-size-fits-all concept. If all businesses were expected to use a specific network design or virus protection solution, the Framework would fail before it even gathered steam.
It’s also worth noting that the Framework is targeted to executives, board members, and high-level decision makers, not IT professionals or departments. The guidelines seek to change the way businesses think about cyber security, not impose specific actions or protocols to follow.