What are the top priorities for cyber professionals as they implement the governing principles of NIST that help organize your security program? Mamadou Niang (Partner/Principal, Ernst & Young LLP) and John Bates (Senior Manager of Cybersecurity, Ernst & Young LLP) explore how organizations can get the most value from NIST, including best practices for reporting to the board and investors.
- Understand the fundamentals of NIST
- Discuss common pitfalls when implementing the NIST framework
- Implement best practices for utilizing the CSF
- Apply best practices for reporting to the board and investors
Watch the full conversation, and read the can’t-miss highlights below.
What are some of the common challenges associated with NIST?
Mamadou Niang, Ernst & Young LLP: Many organizations mistake NIST CSF as a maturity scale. NIST explicitly states that it’s not a security framework. Instead, it’s governing principles that help organize your security program. If you’re trying to decide between different frameworks and governing principles, the right answer depends on your organization. What are your objectives? Who is your audience? That determines what type of framework or principles you should be using.
NIST leaves room for interpretation, as opposed to more prescriptive options. There are good and bad things about that! With NIST, it may seem more difficult to explain costs and the need for implementation. This is especially true for security practitioners – since we’ve historically been seen as cost centers. That’s a misconception we’re trying to fight. In fact, our organizations stay online because of the tools, systems, and processes that security practitioners use day to day. But unless practitioners can speak in the language of business value, bottom line, and use cases, we’re going to have a hard time.
John Bates, Ernst & Young LLP: There are also a few common challenges that many people encounter when trying to implement. For starters, if you don’t have support from leadership at the top, you likely will not succeed. The second challenge is data. Analysis and implementation have a huge impact on data security. And it’s impossible to pull off a strong data security, protection, and privacy program without a strong data strategy. Resilience is the third challenge. It’s critical, but it’s also difficult – and many businesses have sincere concerns about it. The last challenge is consistent resource problems. Around 40% of positions in cybersecurity go unfilled. A potential solution to that issue is bringing automation into the picture. Automation helps us make [key] decisions from a security perspective. That’s a potential way to address that resource shortfall we see – and will continue to see for the foreseeable future.
Mamadou Niang, Ernst & Young LLP: Another challenge is that everyone needs to speak the same language. If some people are doing one standard versus the other, you’re going to start having disparity within the organization. This could lead to overprotecting a certain area, or a situation where systems trip over each other and open up a hole where one of them fails.
How should organizations approach NIST training?
John Bates, Ernst & Young LLP: Let’s give everyone an example of how we used to do it, and then what best practices look like in terms of documentation. Again, this isn’t just a NIST thing! It’s applicable to ISO or any other framework. Ultimately, think about training, awareness, and education. In the past, we’d hand out training materials. The only follow-up question would be: did it get done?
Now, it’s crucial to have a more iterative methodology. What’s the goal of your training? What’s the right training to provide? What testing elements will it include? How will I test that I’m achieving the level of education I want? How do I document gaps, and create corrective action plans? And then the cycle starts again – update training, document how it goes, and test again. When you get to that point, no matter what standard you’re at, you demonstrate high maturity and visibility.
Mamadou Niang, Ernst & Young LLP: As long as you take a solid risk-based approach, you really can’t go wrong. If you have an international base, though, I would still recommend ISO – it’s internationally recognized. Of course, NIST is as well. Most organizations do have some type of footprint in the US since it’s the world’s biggest economy. So most companies are familiar with NIST principles. Just remember that some may not follow NIST, since it’s a US standard as opposed to a globally accepted one.
What are best practices for reporting to executives and the board?
John Bates, Ernst & Young LLP: This has changed and I think it will continue to evolve. For simplicity’s sake, the CISO should report quarterly to the board. I know we used to do it once a year. Now, we do it quarterly. And in general, the CISO should be reporting to the CEO at least on a monthly schedule. This really shows, to regulators in particular, that cyber is a real concern. Security is being monitored and it’s not swept under the rug. I think that does save a lot of heartache later. Showing that it’s front of mind and you’re doing something about it is key.