The recently released Risk Management Framework from the National Institute of Standards and Technology outlines what organizations need to do to improve their information security posture against serious attacks. The roundtable discussion at Black Hat last week focused on the Framework's elements, what some of the issues are, and how organizations can apply these guidelines to protect their networks and data.
Adoption of the Framework at the moment is completely voluntary, but if the number of Black Hat attendees at the roundtable discussion was any indication, there is a lot of interest in learning how to use the Framework.
“How many of you have trouble translating geekspeak to the board?” Tiffany Jones, the discussion moderator and the chief revenue officer of iSight Partners, a threat intelligence consultancy, asked the audience. A majority of the hands went up. “This is what [the NIST framework] does,” Jones added.
The Framework provides information security professionals with the language necessary to explain what they are doing to business stakeholders and senior management. Implementing the Framework could create a culture of security within the organization, and help it move up the security maturity ladder, Jones noted.
The NIST Risk Management Framework represents more than a year of intense collaboration between various public and private sector organizations in determining security best practices. There are no incentives or penalties associated with the framework at the moment, although that could change at a later date if Congress passes the appropriate legislation.
A common complaint about the Framework was that it is intimidating and not easy to use, especially for less mature organizations. The roundtable was full of participants asking how others have implemented the framework and what some of the practical pitfalls were. A big concern was how the framework could be implemented while still minimizing disruption to the environment. One person wondered whether open source software could be used to implement elements of the framework.
The Framework isn't perfect; critics have pointed out gaps in coverage, such as authentication, data analytics, automated indicator sharing, supply chain, and privacy, to name a few. The Framework is also very U.S.-centric and leaves out international aspects, roundtable participants said.
Participants were also concerned about the false sense of security the Framework could provide. “There's nothing to say 'stop here,'” one participant reminded the room. The framework is open-ended and is intended to get organizations up to the minimum—not optimal—levels of security, he said.
The roundtable was well-attended, actually hitting room capacity and spilling over. “This is a community that wants to do the right thing to improve security,” said Adam Firestone, president and general manager of Kaspersky Government Security Solutions, who attended the session. The community recognizes that the Framework can help. There is a lot of information available, and “the community is looking for guidance” on how to apply the framework, he said.
The extraordinary level of interest in the framework is just another aspect of the heightened concern over cybersecurity. “Everyone just wants to do the right thing,” Firestone said.