By Kris Tanaka
SecureWorld Media
"Data is the new oil," said Larry Wilson, information security officer, University of Massachusetts President's Office. "We now live in the information economy; it's no longer the industrial economy. Everything centers around data."
Therefore the role of a cybersecurity professional, according to Wilson, is to make sure that the right data is available to the right people at the right time. "We need to minimize or eliminate, as best we can, unauthorized access to that data," he said.
On the surface, that seems pretty simple. "As security people, the more we can control, the more we can secure," Wilson said. However, data is everywhere--and it is getting harder and harder to rein in thanks to the growing number of attack surfaces, the consumerization of IT, migration to the cloud, BYOD, the increase in privileged account access and the growing prominence of the Internet of Things.
As cybercriminals discover new entry points to exploit, organizations find themselves scrambling to stay ahead of the attackers or racing behind trying to mop up the damage. Quite frankly, it can be overwhelming.
Thankfully, there is a guideline that can help you be more strategic in your planning--a structure that can bring organization to your current security program, enabling you to respond more quickly to the inevitable cyberattacks that will target your company.
On Feb. 12, 2013, President Barack Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which established that "[i]t is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
This led to the creation of the "Framework for Improving Critical Infrastructure Cybersecurity." Published by the National Institute of Standards and Technology (NIST) on Feb. 12, 2014, the framework is the result of the collaboration between the United States government and the private sector. It uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.
The framework enables organizations--regardless of size, degree of cybersecurity risk, or cybersecurity sophistication--to apply the principles and best practices of risk management in order to improve the security and resilience of critical infrastructure.
It's not meant to be a one-size-fits-all document. Organizations are encouraged to modify the framework to fit their specific needs. In addition, the framework is intended to be a living document, which will be updated as users provide feedback regarding its implementation.
This is one of the reasons why UMass adopted the NIST framework, said Wilson. "We believe it will stand the test of time. It won't become 'old hat.' It is written in such a way that the framework itself will continue to be with us for quite a while," he said.
Would you like to learn how your organization can implement the NIST Cybersecurity Framework? Register today for Wilson's upcoming SecureWorld Plus Course, "Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework," at SecureWorld Boston on March 29-30. Click here for more information and to register for the event.