The cyber threat continues to grow both in intensity and in scale, including breaches at government agencies, financial institutions, and major retailers. To combat this, the U.S. government recently released the nation’s first set of cyber security standards. These voluntary standards for private industry are an attempt to address known and suspected vulnerabilities around critical infrastructure. The standards focus primarily on data and on “identifying, protecting, deterring, responding to, and recovering from” data breaches. But what do these new standards really mean for IT security?
The backbone of the new cyber security standards is essentially a set of standards, guidelines, and best practices designed to give companies a more comprehensive perspective on the cyber security risks they face: how to understand these risks, develop a plan for addressing them, track their progress, and improve their resiliency. It includes guidelines on information sharing between government and private industry to improve understanding of, and responses to, cyber threats and attacks. It also establishes a new Critical Infrastructure Partnership Advisory Council, bringing together the Department of Homeland Security and participant companies to partner on updating and improving the infrastructure of cyber security.
The first key to what this means for CIOs is whether or not your company is a government contractor or works on government contracts. If you are a CIO of a company that does work with the federal government, pay attention, because the plan is to make awards of government contracts contingent upon adoption and meeting the cyber security standards laid out in the framework. For example, reporting of data breaches is a large issue—should companies be required to report data breaches to consumers and/or the government? Right now, most companies are under little to no obligation to report a data breach. Under the new standards, however, any breach and release of data by a government contractor—whether the data was classified or not—will require contractors to report the breach and an assessment of the damage to the government.
Even if you are not a government contractor, the cyber security standards are worth paying attention to. First, these standards are likely to make cyber security a much more important issue to management, driving it all the way to the boardroom. Let’s be direct—cyber security is not just a CIO issue. Instead, every C-level executive should have a role in reducing cyber risks.
Second, most companies will begin to review and adopt some of the standards. The way the standards are structured allows organizations to tailor their implementation to the uniqueness and specifics of each industry and company, based upon a cyber security risk assessment. For example, based on a cyber security risk assessment covering areas like identification of vulnerabilities, responding to different forms of attack, and recovering after an attack, each company can choose from a selection of possible options, or none at all.
The cyber threat is not going to go away any time soon. Though a number of issues and problems have been raised about the new cyber security standards, they are a start at getting more focus, transparency, and understanding of the cyber risks organizations face.