Friday, July 12, 2013

NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs


I just returned from the beautiful UC San Diego campus (hmmm, if only I could travel back in time and attend this school instead ...) where NIST assembled hundreds of cyber security (and other) professionals to advance the initiative known as the Critical Infrastructure Cybersecurity Framework, or CSF for short.

So far some are happy with progress made and some are quite the opposite. I think a little more time will have to pass and we'll have to see what comes out of the NIST oven ahead of the final workgroup session coming up in Dallas.


In San Diego, we spent a lot of time in groups fleshing out the categories and subcategories in various cyber security-related functional areas ... not sure how productive that activity will prove to have been. However, towards the end of the day on Thursday everyone had a chance to participate in one of several breakout sessions. I won't list them all here, but some were Privacy, Small Business, DHS, and the one I worked in was the Senior Executive Cyber Security Support session facilitated by Kiersten Todt and attended by what looked like 40 or 50 folks.

So, our challenge was to generate strategies for engaging CEOs, Boards of Directors and other senior leaders to, once it's built, buy into the CSF triggered by Presidential Executive Order 13636: "Improving Critical Infrastructure Cybersecurity" earlier this year. Going in, I was skeptical that a bunch of security folks would have any idea how to communicate effectively with, let alone persuade, senior business or Federal executives about anything.

Fortunately, there were at least a handful in the room who in their careers had regular and frequent exchanges with large company CEOs, other C-Suiters, and sometimes Board members. And their Federal and DoD counterparts as well.

Hundreds of ideas were articulated rapid fire (I pitied the scribe but it looked like she was keeping up) and I'll leave it to NIST to select out and leverage the ones they think can be helpful. But I'll use this space to call out two I think had significant merit:

  • One person said government should do test runs of CSF on a handful of companies to demonstrate effectiveness and costs and that the results could then be used as evidence. Assuming benefit can be demonstrated, it could be packaged as a cost/benefit analysis to support discussions with senior management.
  • Even if NIST and the crew constructing the CSF do a fine job and create something potentially useful for the different industries it's designed to help, unless it's introduced via an outstanding marketing campaign targeting the right outlets (e.g., WSJ, Barron's, HBR, etc.) the CSF will never get the attention it needs to succeed. Take-away for NIST and partners: be ready to focus nearly as much (or maybe more) on marketing, messaging and communications strategies as we are on building a good product.

So, whether the CSF is ultimately judged a success or not, I think getting security folks to begin thinking and talking in terms that senior business folks can understand is not just helpful, but absolutely necessary if we're ever going to bridge the divide between the C-Suite and the increasingly strategic Cybersecurity function.

Photo credit: UCSD Math Dept.

21 comments:

Unknown said...

Quickly this site will indisputably be famous among all blogging people, because of its fastidious articles or reviews. Big Data and Bigger Breaches With Alex Pentland of Monument Capital Group

Justin Bieber said...

Your blogs are easily accessible and quite enlightening so keep doing the amazing work guys. american cash loans

Unknown said...

I have got the good information through your blog; I will share this to my friends as well.
advanced loans

Chris Pratt said...

Thank you I am glad about the encouragement! I love your site, you post outstanding. cheap life insurance

Unknown said...

The problem is that you provide may be worth our time and also effort. orogold cosmetics

Anonymous said...

I am greatly thankful to you for this exciting blog; I am cheerful because of your smart working really. Sugar Land roofing

Unknown said...

Hmm!! This blog is really cool, I’m so lucky that I have reached here and got this awesome information. payday loan 100 online

Unknown said...

Nice working guys, I am cordially with you to appreciate your all posts. ipv d2 75w

Unknown said...

Whenever I have free time I read the blogs but today I got the unique blog page where I learnt many new things thanks guys! Lakeville bathroom remodel

Chris Morris said...

Thank you I am glad about the encouragement! I love your site, you post outstanding. online payday loan

Unknown said...

With polite greetings I want to say that this post is amazing!! Thanks online payday loans

Unknown said...

Regarding all aspects the blog was perfectly nice. Adam Short

Unknown said...

Guys you did great work. I’m very pleased to say that these are wonderful articles and blogs. Thanks for this. term life insurance

Unknown said...

I have actually bookmarked your site because I truly love this knowledgeable source of information. Thanks personal cash advance

Unknown said...

You’ve put enormous insights about the topic here, continue the good work! water softener reviews

Unknown said...

I am so happy and proud of you to provide such amazing stuff, I’m truly thankful to you! NY Pharmacy Error Attorneys

donnajacob said...

Hi Dear, have you been certainly visiting this site daily, if that's the case you then will certainly get good knowledge. Vine Vine Skin Care

donnajacob said...

This is really an excellent blog as well as its content. Vine Vera Reviews

Unknown said...

I love the way you write your post. Each and everything is simply perfect. Thanks depression life insurance

donnajacob said...

The quality of your blogs and conjointly the articles and price appreciating. vehicle wraps

Cybersecurity Critical Infrastructure said...

This report on cybersecurity critical infrastructure in the USA is really very interesting. It is really essential to protect important information and national security from any cyber attack.