Another week, another Snowmageddon, happy Friday everybody…
As we dig out up here in the Northeast and the folks further south begin to thaw, I want to say thank you to all those that came out to our Security at the Crossroads seminar this week in DC. We had a great turnout and greatly appreciate all of the participation and feedback from many of you in attendance. Even though none of the feedback was specifically geared towards the blog, I know you all were secretly telling me you like it.
In a nice coincidence with the theme of our seminar, NIST released the Framework for Improving Critical Infrastructure Cybersecurity version 1.0 earlier this week. This has been a work in progress, since it was given priority following the EO from early '13, and it's in the spirit of an open source document. Being that it's a voluntary set of guidelines, NIST highlights that this is in fact a living, breathing document that will evolve over time through the cooperation of industry.
While the Framework is aimed at strengthening the security of the nation's infrastructure it does call for global collaboration. The only way this can be assured going forward is greater communication as threats, vulnerabilities and weaknesses are discovered and evolve over time. While that might sound like they're putting the cart before the horse they do start off with 5 basic steps. As we are talking about something as complicated as cybersecurity there is no better place to start than y creating a foundation.
Keep in mind that this is a voluntary document, not a mandate, but it's core principals should be strongly considered. This document is focused not only on federal departments and their agencies but also any organization, of any size, as the need to focus on cybersecurity no longer resides with the larger, more visible logos.
The threat of attack is as real for the Beltway as it is for Wall St. and Main St. These fundamentals are basic enough that any organization looking to implement a program can use this as a guide to begin the journey of establishing one, but it's not a pure roadmap and it is (as it should be) vendor agnostic. However the real value is that is also can be adapted by those organizations, both large and small, with programs in place as a running check-list, and as a way to validate that the tools and benchmarks they have in place are working effectively.
The idea is to create commonality within the cybersecurity community. The potential information gained from these baselines can be used to create a defined set of best-practices aimed to better protect the nation's cyber-defenses, as well as help secure industry globally.
As described in the document, the five points the document can enable organizations to do are:
- Describe their current cybersecurity posture
- Describe their target state for cyber security
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress toward the target state
- Communicate among internal and external stakeholders about cybersecurity risk
Now I'm off to do the only thing one can do when it snows a foot in the White Mountains on Valentine's Day – grab my wife and hit the slopes. Have a great weekend everyone, spring training is around the corner.