This post was authored by Angela Mckay, Director of Cybersecurity Policy
It has been more two years since the National Institute of Standards & Technology (NIST) published its Cybersecurity Framework and there has been a lively debate ever since on how the Framework should evolve and be adapted by different organizations. Indeed, since then the Framework has been used by a diverse range of companies, including many critical infrastructures, by large multi-national organizations and by small and mid-sized business, both in the US and globally.
In talking with people about their experiences, I’ve consistently heard that the Framework has proven useful. It is enabling business leaders, cybersecurity practitioners, and governments to discuss cybersecurity, and is being used by them to drive actual improvements. With the Framework now under review, it is an opportune moment for all of us in industry and government to take stock and assess the progress made so far and where we have more to do.
I’ve observed, and it seems that many agree, that the multi-stakeholder process NIST managed to build the Framework, and the resulting approach represents many of the key principles for efforts to enhance cybersecurity. Proactive, structured engagements, using public consultations, open workshops with diverse stakeholders, including industry experts, and iterative drafts, really do yield products that are more relevant to the challenges at hand and are useful to stakeholders. While the Framework is not the ultimate answer to the challenges facing us, it is a very good example from which we can all learn.
First, governments and the industry have to build ongoing and effective public-private partnerships (PPP) in order to manage cybersecurity. Private sector technology underpins public sector infrastructure, so cybersecurity initiatives driven by governments will prosper best if they partner with the private sector to understand the latest developments. That being said, the partnership onus does not only rest with the “public” part of PPP. Progress in cybersecurity also requires “private” companies to proactively engage with governments and cybersecurity authorities.
Second, widely-recognized international standards or practices can and should be used in creating national cybersecurity frameworks. Such common standards represent the combined expertise and experience of specialists from industries and governments around the world. They also create a consistent baseline for international cooperation and a clear point of reference for improvement and innovation over time.
Third, harmonization in approaches to cybersecurity, partly based on those international standards, is good for states and companies, and is good for security and the economy. It will enable public and private sector organizations to access products and services from around the world, whilst allowing national suppliers to exploit global market opportunities. Non-ICT businesses gain from the continuity and predictability of harmonized approaches, being able to operate cross-border without undue costs burdens and to make investments in new markets more confidently. Common baselines will also improve cross-border cooperation in what is a constantly changing and globalizing threat landscape. Finally, for technology providers like Microsoft, harmonized approaches to cybersecurity also make it easier to develop inherently more secure products that can comply with the requirements of many, if not all, states.
Fourth, the approaches that are being developed focus on outcomes rather than controls, and on active risk management rather than rigid compliance processes. This will have a significant positive impact on security and will give organizations the flexibility they will need in the face of both rapid technological advances and ever evolving cyber-threats. The Framework’s outcomes enable conversations between security professionals and company leaders, indeed conversations with companies as a whole, both of which are essential to securing the necessary investments and to fostering ongoing risk management and continuous learning and improvement. This kind of emphasis on communication and awareness, applied globally, helps those delivering cybersecurity to constrain and confound malicious actors in cyberspace.
Since the Framework’s launch, governments around the world have continued to pursue initiatives to protect their cyberspace. They have developed national cybersecurity strategies, established threat indicator information sharing systems, and prepared baseline security protections. In particular, the European Union has moved forward with the Network & Information Security (NIS) Directive, which is being implemented by states now. As the number of these state cybersecurity approaches increases, however, the need for some level of harmonization between all of them also grows; and the NIST’s Framework can help guide some of that thinking.
Given the ongoing review of the Cybersecurity Framework, I believe now it is an opportune moment to call on governments, agencies, businesses and technology providers everywhere to take stock of their progress in cybersecurity. At Microsoft, we remain committed to enhancing cybersecurity for all consumers, enterprises, and governments globally. Collectively, however, we all have to challenge ourselves and others to constantly think about at what we can do to foster effective risk management, to build public-private partnerships and to deliver harmonized international approaches to cybersecurity.