In a recent webinar on the upcoming final release of NIST SP 800-53 Rev. 5, NIST Fellow Dr. Ron Ross mentioned an interesting fact: private sector and international adoption of the NIST standards is on the rise.
Why might that be?
Personally, I think it has to do with an evolution in the mindset of CIOs and CISOs at international and private sector organizations. Traditionally, cybersecurity was reactive and focused on threats targeting the holy grail of an organization’s business model. For financial services, this was transaction and payment card data. For healthcare organizations, this was predominantly patient data and its privacy. Each sector has its “castle key” data and has usually been pretty good at protecting it from a direct outside attack.
We’ve learned the hard way that cybersecurity is like a chain, only as strong as its weakest link. The stronger the firewalls and security policies became, the more the adversary turned to spear-phishing (fed by the personal detail people publish on social media) and to lateral movement once a single foothold was gained. In my mind’s eye, I’m conjuring the cartoon of a sailor plugging holes in the boat with all their fingers until they run out of fingers while the remaining holes continue to spew water…
We have also learned that educating our user base is critical to successfully defending the castle… but there is more (so much more). In come the requirements and regulations that are meant to help keep your organization and data secure, but that can be difficult to understand and interpret. To make matters worse, private sector organizations, especially in heavily regulated sectors, are subject to multiple standards at once, each with its own wording for largely the same controls.
Simplifying risk and compliance for the commercial and international enterprise.
I’ve advocated numerous times in the past that the new NIST SP 800-53 is a Rosetta Stone for managing risk and compliance across all business types. This latest revision, Rev. 5, simplifies adoption for the international and private sectors thanks to more easily interpretable security and privacy controls and fewer references to U.S. government-focused processes and terms. Rev. 5 states each control as an outcome rather than assigning it to “the organization” or “the information system,” and it folds privacy controls into the same catalog, so a non-federal organization no longer has to translate federal roles into its own before it can use the text.
What’s also important for commercial organizations to recognize is the value of leveraging NIST SP 800-37, the Risk Management Framework (RMF), as a methodology for managing risk and compliance activities within an organization. Its seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) and the updated controls catalog give commercial organizations an unmatched, comprehensive playbook for managing risk and compliance activities at every level of the organization, from the executive who accepts the risk down to the team that operates the control.
“Why?” you may ask. “I’m happy checking boxes.”
NIST’s methodology moves organizations away from the checkbox mentality by requiring each adopter to interpret the controls and decide their applicability in its own context (what NIST calls tailoring) rather than accepting them wholesale. It also allows for “test once, comply with many”: a control validated once against the NIST catalog can be mapped to the corresponding requirements of other compliance regimes, so a single assessment provides evidence of due diligence against multiple standards at once.
The fact is, security compliance doesn’t deliver that kind of reuse out of the box. However, when due diligence is applied to building a strong foundation for an organization-wide risk management program, the opacity of risk is greatly diminished. Likewise, when an organizational risk management program is created and adhered to, the costs of compliance decrease, especially those costs that typically go unforeseen at the bottom line, like audit fatigue and attrition among security operations staff. While cybersecurity risk and compliance programs are not easy, spending the time and energy up front pays significant dividends. It simplifies audits and audit response, reduces costs, lowers the probability of compromise, shortens incident response times, and, in commercial organizations, establishes a plan for crisis management and communications activities before the crisis arrives.
Some commercial organizations will continue to bury their heads deep in the sand, or wish for a magic button to make it all go away (or maybe some slick new product that uses artificial intelligence and machine learning to do all the work for them). They’ll spend plenty of money and spin their wheels, while others in the private sector take the high bar of risk management and security compliance seriously, adopt it in earnest, and reach the finish line.