Donna Dodson, Chief Cybersecurity Advisor for the IT Laboratory at the National Institute of Standards and Technology (NIST), reflected today on the success of the agency’s cybersecurity framework and its contributions to cyber interoperability.
“When you think about something like the cybersecurity framework, you start to understand what outcomes you’re looking for and then what standards help you get there,” she said at a Feb. 4 Center for Strategic and International Studies event.
“We do have to get a grip on this [interoperability] so that we are implementing the needed security controls throughout the organization in ways that meet both the business objectives and the security objectives at the same time. They’re not two separate objectives, as we’ve treated them in the past,” she said.
The value of NIST frameworks, she said, is that they let organizations create cybersecurity rules voluntarily. The framework gives stakeholders the right set of tools to have security conversations while keeping their respective business objectives in mind.
“Activities like the cybersecurity framework really helped create an opportunity where we could have strong business rules in an organization and between organizations … We need to continue to do this because, let’s face it folks, we’re living in pretty exciting times with the way technology is taking off today,” she said.
Dodson shared a personal experience in which interoperability around the language of cybersecurity would have saved her some confusion. While working with health care IT professionals at the National Cybersecurity Center of Excellence (NCCoE), she found that acronyms and abbreviations used in the cyber and health fields overlapped but held different meanings.
“I have to have that understanding with language first and foremost before I can have a good dialogue on how we would use both physical access control and digital access control to help protect radiological kinds of environments in healthcare. I can’t expect them to come to my world,” she said.
Now, NIST is focusing on helping organizations balance cybersecurity and risk management alongside this framework. Dodson teased a forthcoming workshop that will explore “how we can bring better risk management into our world of technology and cybersecurity so it brings together the work that we’ve done.”