In 2013, data breaches were a major concern that captivated public attention. One notable breach was Edward Snowden's leak from the National Security Agency (NSA), which dominated news stations, magazines, and newspapers. Over the next few years, breaches continued to make headlines as companies and agencies such as Sony, eBay, and the Internal Revenue Service fell victim to cyberattacks.
However, in recent years, breaches of similar scale and magnitude seem to capture the public's attention for only a day or two. While certain reporters may cover and investigate specific outcomes, the general public's focus quickly shifts elsewhere. Some may argue that this is because people have more stimulation and shorter attention spans, but the reality is that breaches have become commonplace in today's business landscape. The frequency of these breaches has diminished their impact on companies, but organizations must still take action to prevent and address these threats.
Enterprises are now turning to the National Institute of Standards and Technology (NIST) Cybersecurity Framework for guidance on making necessary changes. NIST has been actively involved in cybersecurity for a considerable amount of time, first releasing its framework in 2014 when high-profile breaches were a major concern. While NIST is highly respected, the private sector has not fully embraced its framework, primarily because there are no significant repercussions for not doing so, and there are currently no relevant certifications available.
It is essential for enterprises to actively adopt the NIST Framework and incorporate it into their systems to enhance overall security. Unlike federal agencies that can face penalties for not following the framework, private businesses need to prioritize its implementation voluntarily. Although it requires time and resources, especially considering its continuous updates, private businesses must take accountability for being good stewards of cybersecurity by adopting the NIST Framework.
To reinforce the importance of the NIST Framework in the private sector, a NIST certification should be established based on how well organizations integrate its guidance. This certification could follow the model of the International Organization for Standardization (ISO), which publishes specific standards and issues certifications based on an organization's compliance with them. While NIST may not have the capacity and resources to undertake such an endeavor itself, allowing a third party to evaluate and rate cybersecurity programs against NIST's standards could significantly improve the overall cybersecurity environment. Companies could rely on NIST's research and unbiased monitoring to identify the measures that need to be implemented to enhance security.
It is important to note that incorporating the NIST Framework into an organization’s systems does not guarantee the discovery of a hidden, magical solution to cybersecurity challenges. However, in an industry that emphasizes collaboration and the use of open-source technology to enhance cybersecurity, following NIST’s guidance seems promising. Treating the NIST Framework as a requirement, even without the authority to enforce it, and considering its stamp of approval as a highly respected certification, can propel the security sector forward in a united effort to combat cyber threats.