How can my cyber program benefit from a standards-based approach?

Opinion
Dec 05, 2017
Security

As a former CSO of a multinational corporation, I’ve always been on the hunt for more resiliency and best practices. In my effort to strengthen global cybersecurity programs, here are the conclusions I came to.

The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is starting to motivate action from not only U.S. federal agencies, but also from U.S. businesses. Recent cyberattacks and breaches have resulted in heightened private sector awareness, which is driving businesses to reevaluate how they can reduce enterprise risk. As a former security executive of a multinational corporation, I have always been on the hunt for more resiliency and best practices, so I can relate.

The National Institute of Standards and Technology's Cybersecurity Framework, formally titled The Framework for Improving Critical Infrastructure Cybersecurity, can overwhelm even experienced security professionals with its inherent complexity. Yet it is increasingly recognized as a national gold standard. Its popularity and support are apparent: 30 percent of U.S. businesses had adopted the framework as of 2015, and that number is growing rapidly. According to Gartner, over 50 percent are projected to adopt it by 2020. The NIST CSF builds upon existing frameworks and standards, and was created with input from over 3,000 public and private sector security professionals.

The framework is a risk-based approach to managing cybersecurity. NIST further states that its purpose is to create a common language for cyber that unifies the conversation around enterprise risk and security. Some organizations are even requiring their vendors to adopt the framework as they scale. Financial and healthcare companies are likewise realizing the importance of securing their data by following this set of best practices. Europe, too, clearly sees the value of the framework, looking to it while finalizing the NIS Directive.

When I left my position as a global CSO to start a company, I set out to accomplish one goal. I realized that the framework's nature, by far the most comprehensive approach, necessitates that it also be the most complex. Its five core functions (Identify, Protect, Detect, Respond and Recover) are a blueprint for mitigating cyber risk. Implemented properly, it gives an organization the most powerful set of tools and procedures available. In a sense, the Framework is a dynamic Deming cycle: continuous, logical and always learning.

After years of fighting to harden systems, I came to a pair of key conclusions. First, cyber must be managed proactively, not reactively. This leads to the second conclusion: companies have to be strategic when building their programs. As business leaders, we bear a substantial responsibility to execute and to keep our companies free of breaches. The pressure is real, and we see it regularly in hacks that damage revenue and reputation. A proactive information security professional will stay informed and advocate for increased resilience via a standards-based approach. As noted above, the NIST Cybersecurity Framework is by far the most comprehensive framework, but it is also the most complex to navigate.

In another article on our CSO blog, our co-founder Scott goes into detail about how to simplify NIST Cybersecurity Framework adoption. More strategies to ease adoption will also be published here in the future. In the meantime, you can also access my free NIST Cybersecurity Framework on-demand webinar as a resource, which details a quick and powerful approach to begin implementing the framework.

Contributor

George Wrenn is the co-founder of privacy startup ZenPrivata and founded and served as CEO of CyberSaint Security, a leading IRM/GRC company. Prior to CyberSaint, he served as the global VP/CSO for Schneider Electric. He has more than 30 years of experience in cybersecurity and privacy, spanning technology, policy and management.

Prior to the present role, George was a senior managing consultant with IBM, helping cross-industry Fortune 1000 customers reach compliance with NIST, FISMA, ISO/IEC, HIPAA, PCI, NERC/CIP and other key regulatory frameworks. He developed cybersecurity strategy, roadmaps and global cybersecurity programs. He is also an expert in cloud security and has been awarded US patents in this area.

George served as director of security for a fully regulated financial services company, where he managed regulatory compliance efforts and the internal security office, protecting over $99 trillion in stock market transactions yearly. He later led cybersecurity product management and business improvement projects at RSA Security and EMC Corp.

George was a graduate fellow at the MIT Sloan School of Management for four years, spent two years at the MIT Media Lab and one year with the MIT ESD. He completed Harvard Business School Executive Programs focused on NPD and the creation of new services and methodology, and received his B.A. from Harvard as well.

George has held an NSA-sponsored ISSEP credential, a Certified Ethical Hacker (CEH) certification and a CISSP for more than 12 years. He is a Six Sigma Black Belt and holds Kaizen facilitator certifications. George has experience working with complex cloud, government, IT, ICS, audit and national regulatory frameworks. He was also a mission-oriented Operations Officer and SAR/DR Pilot (1st Lt., USAF Auxiliary).