The Internet Security Alliance and the FAIR Institute called on the National Institute of Standards and Technology (NIST) to convene a process similar to that which resulted in the creation of the NIST Cyber Security Framework (CSF), but this time focusing on implementation of the CSF.
According to the joint April 10, 2017 filing, a useful outcome of the process would be integrating NIST CSF, launched in 2013, with subsequent work the private sector has developed since, including the Handbook for Cyber Risk Management created by the National Association of Corporate Directors (NACD), and the FAIR model, the standard quantitative model for information security and operational risk.
The joint filing suggests that, while the NIST CSF is a leading effort to advance enterprise cyber security, a new process is needed to fulfill the requirements of Executive Order 13636, which gave rise to the CSF. In particular, the filing suggests the cost-effectiveness of the CSF needs to be demonstrated.
The ISA-FAIR Filing states: “No organization wants to be the victim of cyber attacks. Nonetheless, for the private sector—owning 80%-90% of cyber infrastructure and operating under a mandate to maximize shareholder value—the cybersecurity risk management calculus is inherently economic. If use of the CSF can be demonstrated as cost effective, regulations will not be required. Organizations naturally do what is cost effective. However, simply asserting that the CSF is cost effective is unlikely to persuade entities not using the CSF to adopt it.”
The filing cites research by the Conference Board, which describes how cyber security can be viewed as a pyramid integrating board, senior management and operational activities. Additional research by PwC is cited, illustrating how the NACD Handbook for corporate boards has generated successful cyber security change and how the FAIR model can be used to integrate economics into a risk management effort that is complementary to the NIST CSF.
ISA and the FAIR Institute suggest a NIST process focused on CSF integration with these models could help build a sustainable cyber risk management program that is flexibly applied to individual entities with unique cyber risk profiles.
While the filing acknowledges the difficulty in developing metrics for cyber security, it rejects the notion that such metrics are impossible, and cites their necessity:
“We will concede that just as absolute security will not be achieved, perfect measurements also will be elusive. This lack of perfection, endemic to all social sciences, is no excuse for not trying to develop a useful mechanism to assist organizations in applying elements of the Framework most useful and cost effective for their purposes. Developing this mechanism is critical for the maintenance of the voluntary model defined in EO 13636.”
About The FAIR Institute
The FAIR Institute is an expert, non-profit organization led by information risk officers, CISOs and business executives, created to develop and share standard information risk management practices based on FAIR. Factor Analysis of Information Risk (FAIR) is the only standard quantitative model for information security and operational risk. FAIR helps organizations quantify and manage risk from the business perspective and enables cost-effective decision-making. Learn more and get involved by visiting www.fairinstitute.org.
About Internet Security Alliance
The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA's mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA's "Cybersecurity Social Contract" has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit http://www.isalliance.org or call 703-907-7090.