How Cost-Effective Is the Cybersecurity Framework?Different Perspectives on What the NIST Framework Should Offer
President Obama, in his executive order directing the National Institute of Standards and Technology to develop the cybersecurity framework, pointed out that the framework should offer a "cost-effective approach" to help organizations that support the nation's critical infrastructure identify, assess and manage cyber-risk.
To Larry Clinton, president of the trade group Internet Security Alliance, that means future versions of the cybersecurity framework should provide tools to enable users to conduct a cost-benefit analysis of framework components to see if they're a worthwhile investment.
Larry Clinton discusses the lack of a cost-benefit analysis for the framework.
But the federal government's point man on the framework, Adam Sedgewick, sees it differently, saying the value of the framework - a collection of existing standards, guidelines and practices - is in getting organizations to ingrain cybersecurity into their business activities, a process that would help drive organizational efficiencies.
"The framework is a 41-page document," says Sedgewick , a senior IT policy adviser at NIST. "It has a lot of guidance on how organizations should develop a cybersecurity program. ... There are a range of things that are important that we don't mention."
IT Security: Good for Business
Sedgewick points out that Patrick Gallagher, who headed NIST when the agency began developing the framework in 2013, said practicing IT security is good for business. "In a way," Sedgewick says, "this should be a factor in almost all of the organization's business decisions. And, that's what we're trying to get ingrained. ..."
The framework is a resource that organizations can tailor to their IT security needs, and it would be difficult to conduct a cost-benefit analysis of implementing specific IT security solutions, Sedgwick contends. "Organizations should use this as they think about how to manage risk, but they shouldn't treat it like every item is a must-do," he says.
But Clinton says the government, and its private-sector partners, should reconsider their thinking on providing a cost-benefit analysis if they want more organizations to adopt the framework. He says businesses would voluntarily adopt the framework if they knew it would be "cost beneficial to their organization."
"When entities who do not currently use best practices and standards look at the framework, they are not informed as to what elements of the framework are going to be cost-efficient for them," Clinton says.
Beta Testing the Framework
Clinton suggests that one way to determine the value of framework components is for the government to get organizations with weak or no cybersecurity to test them. "We ought to do for the framework what every private-sector entity would do if it were deploying an important new product or service, which is you beta test it," Clinton says. "You go to your target audience and you try it out on them."
NIST issued the original version of the framework last February and is planning to publish version 2 early next year. It's holding a workshop in Tampa, Fla., this week with stakeholders to discuss how the framework should evolve. Sedgewick doesn't rule out incorporating new tools into the framework - but he says additions tied to providing a cost-benefit analysis are unlikely anytime soon. None of the sessions listed in this week's workshop agenda address analyzing the cost of implementing the framework.
Correction: An earlier version of this story cites Sedgewick as referring to cost-benefit analysis as one component not contained in the cybersecurity framework. Though cost-benefit analysis is not in the framework, Sedgewick, in his comment, was referring to cyber-insurance. The quote should have read: "The framework is a 41-page document. It has a lot of guidance on how organizations should develop a cybersecurity program. But the fact that we don't mention [cyber-insurance] isn't indicative of anything. There are a range of things that are important that we don't mention."