A wise man — a father figure to me — once explained that he would almost always begin mentoring on some need for change through encouragement. Encouragement failing, he would exhort. Exhortation failing, he would admonish. In the realm of cybersecurity, I perceive a similar approach in the relationships (or lack thereof) that private companies have with the regulatory agencies. Understanding this psychology should help companies proactively and strategically tailor their cybersecurity posture, rather than merely respond to threats and vulnerabilities.
The NIST Cybersecurity Framework is a good illustration.
One of the most frequently voiced concerns of stakeholders about the Framework as it was being developed was that it wasn’t truly “Voluntary,” as NIST marketed it. At the workshops held throughout the country, and on dozens of weekly and monthly working group calls, many worried aloud that regulators would begin enforcing “Compliance” with the allegedly voluntary Framework, or that it would become the de facto standard of care in civil cases (i.e., not adopting the Framework would amount to negligence). Heated discussions ensued, which ended with the word “Compliance” being banned and replaced with “Conformance.”
As these complaints were aired, I countered that we already had an ecumenical standard of care by variously applying ISO 27001, NIST 800-53, PCI, and other control frameworks. The NIST Framework merely tied all these together. And what would the harm be, I wondered, in regulators adopting the Framework, which had been developed in substantial part by private sector stakeholders anyway, rather than applying disparate standards inconsistently, capriciously, or arbitrarily? The Framework, I believed, wouldn’t become a new, additional regulatory hurdle, but would provide a common taxonomy and cohesive control set based upon industry standard best practices. Indeed, if a regulatory agency’s requirements were inconsistent with the Framework, they might be difficult to defend in a case like the recent FTC v. Wyndham. The result is a standard of care that everyone understands and can strive to attain.
Sure enough, reports began to trickle in that, for example, the FFIEC, a consortium of agencies that regulate financial institutions, was citing the NIST Framework in some of its regulatory examinations. And in June 2015, when the FFIEC published its “Cybersecurity Assessment Tool,” it contained a mapping not only to the FFIEC Examination Handbook, but also to the NIST Cybersecurity Framework. Likewise, earlier this week, the FDA published Draft Guidance for the Management of Cybersecurity in Medical Devices. In it, the agency cited the 2013 Executive Order 13636 — Improving Critical Infrastructure Cybersecurity (requiring, among other things, that NIST develop a cybersecurity framework within one year), Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience, and the 2015 Executive Order 13691 — Promoting Private Sector Cybersecurity Information Sharing. All of these are binding upon the Federal agencies only, but as seen above with the Framework resulting from E.O. 13636, they are now affecting the regulation of private entities. And now the FDA appears to be incorporating the more recent E.O. as an exhortation to the private entities it regulates.
I believe the ultimate takeaway is this: savvy CIOs, CISOs, and governing boards have long recognized the importance of becoming proactively involved in the “voluntary” cybersecurity working groups, workshops, and other programs. They understand that developing a relationship with the regulators on terms other than an audit or enforcement action is beneficial. When the executive order came out, these leaders directed their staff to be part of the process, to provide comment, and to take part in the workshops. They personally attended the conferences where these programs were announced and they personally engaged senior staff within the agencies on the development and implementation of the programs.
Connecting this back to my mentor’s approach, these programs and executive actions arrived on the scene as encouragement. The FDA’s proposed statement (above) in its new guidance is an example of exhortation for those who did not heed the encouragement. And, finally, the admonishment will appear in the form of Matters Requiring Attention (MRAs), Corrective Action Plans (CAPs), fines, and myriad other enforcement actions. Be proactive, get involved, look for the encouragement, and plan accordingly.
Does cybersecurity fascinate you? Do you dream of a career in cybersecurity? You can do it! Enroll in classes and explore your passion. The NCI through Excelsior College offers many degree options as well as certificates in cybersecurity.