I just returned from the beautiful UC San Diego campus (hmmm, if only I could travel back in time and attend this school instead ...) where NIST assembled hundreds of cyber security (and other) professionals to advance the initiative known as the Critical Infrastructure Cybersecurity Framework, or CSF for short.
So far some are happy with progress made and some are quite the opposite. I think a little more time will have to pass and we'll have to see what comes out of the NIST oven ahead of the final workgroup session coming up in Dallas.
In San Diego, we spent a lot of time in groups fleshing out the categories and subcategories in various cyber security-related functional areas ... not sure how productive that activity will prove to have been. However, towards the end of the day on Thursday everyone had a chance to participate in one of several break out sessions. I won't list them all here, but some were Privacy, Small Business, DHS, and the one I worked in was the Senior Executive Cyber Security Support session facilitated by Kiersten Todt and attended by what looked like 40 or 50 folks.
So, our challenge was to generate strategies for engaging CEOs, Boards of Directors and other senior leaders to, once it's built, buy into the CSF triggered by Presidential Executive Order 13636: "Improving Critical Infrastructure Cybersecurity" earlier this year. Going in I was skeptical that a bunch of security folks would have any idea how to communicate effectively with, let alone persuade, senior business or Federal executives about anything.
Fortunately, there were at least a handful in the room who in their careers had regular and frequent exchanges with large company CEOs, other C-Suiters, and sometimes Board members. And their Federal and DoD counterparts as well.
Hundreds of ideas were articulated rapid fire (I pitied the scribe but it looked like she was keeping up) and I'll leave it to NIST to select out and leverage the ones they think can be helpful. But I'll use this space to call out two I think had significant merit:
- One person said government should do test runs of CSF on a handful of companies to demonstrate effectiveness and costs and that the results could then be used as evidence. Assuming benefit can be demonstrated, it could be packaged as a cost/benefit analysis to support discussions with senior management
- Even if NIST and the crew constructing the CSF does a fine job and creates something potentially useful for the different industries it's designed to help, unless it's introduced via an outstanding marketing campaign targeting the right outlets (e.g., WSJ, Barrons, HBR, etc.) the CSF will never get the attention it needs to succeed. Take-away for NIST and partners: be ready to focus nearly as much (or maybe more) on marketing, messaging and communications strategies as we are on building a good product
Photo credit: UCSD Math Dept.