
"Board Agenda: CYBER" Conference

[As prepared.]

Good morning everyone! I've been looking forward to this conference.

I'm delighted to be here in part because it gives me a chance to catch up with Dr. Reatha Clark King. Dr. King and I discovered last year that we both began our careers as chemists at what is now the National Institute of Standards and Technology, or NIST.

And at that time, we found that we have family connections, as well!

But most relevant for this gathering, our organizations have a mutual interest in helping America's businesses to better manage cyber risks. So I thank Dr. King, along with Ken Daly, and Jim Dinegar for putting this session together.

This morning, I want to speak with you about cybersecurity in the context of how we all manage risks.

In doing that, I want to look beyond the daily drumbeat of bad news about cyber intrusions. And I want to put aside the conventional wisdom that cybersecurity is mostly the realm of Chief Information Officers, or Chief Information Security Officers, or any other chiefs, for that matter.

Most of you, like me, are not IT experts. And yet as CEOs, board members, or other senior leaders of your organizations, managing cyber risks is one of the most important things you can do to protect your assets, your customers, and your companies.

Today I want to convince you that there are practical, understandable, and scalable approaches that your businesses can take to reduce your risks. And I want to suggest that you and your organizations consider using a new tool to manage these growing cyber risks — a tool that a number of your colleagues and competitors are already using.

Cybersecurity Framework Basics

I'm referring to the Cybersecurity Framework that NIST developed beginning in February of 2013 in close collaboration with the private sector, including many organizations here with us today.

In that sense, the title of this session—"The Federal Government: Expanding Cyber Role"—is a bit of a misnomer, because this Framework is entirely voluntary. NIST has no regulatory responsibility in this space—nor any other for that matter! And it's been created as a truly cooperative effort involving about 3,000 participants from industry, academia, and government.

We held multiple workshops and webinars throughout the country in 2013, fulfilling part of an Executive Order the President issued early that year aimed at protecting our nation's critical infrastructure.

NIST was selected to develop this Framework because of both our long history in cyber risk management and our track record of working cooperatively with industry.

And again—because we are not a regulatory agency.

So what is this Framework all about?

It's a collection of existing standards and best practices that have been proven to help protect IT systems from cyber threats, ensure business confidentiality, and protect individual privacy and civil liberties.

The Framework sets out basic guidelines to help organizations better understand and prioritize their cyber risks. And then it suggests specific cybersecurity "best practices" most relevant to those risks.

The Framework is organized around five basic functions: Identify, Protect, Detect, Respond, and Recover.

You may have noticed that I did not use the word prevent. There has been a notable shift in the last few years away from thinking we can completely prevent bad things from happening. Instead, the goal is a balanced approach that both protects and quickly detects when something is amiss. And it's one that emphasizes being prepared with a strong response and recovery plan.

The Framework provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. It serves as a bridge between business leaders at all levels—beginning with the boardroom and the C-suite and continuing up and down the supply chain and across industries.

It can be used by companies that are part of the critical infrastructure—or any other firms—in any other part of our expanding Internet-based Digital Economy.

I can assure you that it's very user friendly—and appropriate for higher-level officials in any organization. We designed it that way thanks to feedback from business leaders like you.

The Framework is a grand total of 39 pages—and that includes references. The basics are contained in just over five pages, and none of that is IT-speak.

The Framework is Working

It's all well and good to have a Cybersecurity Framework—but only if it's being used. There is good news here!

The Framework is being used across the country, in a host of sectors, and by organizations large and small, ranging from multinationals to startup firms.

Early adopters include companies and sectors vital to our nation's infrastructure—including financial services, communications, power, water and wastewater, chemical facilities, and transportation.

But it's also being used by others—even fast-food restaurants. Come to think of it, I guess—given our go-go lifestyles—they are part of the critical infrastructure, too!

We see companies like Intel, Chevron, Walgreens, Pepco, Apple, QVC, and Bank of America talking about how they are using the Framework or planning to incorporate it.

But we also see 50-person firms, like Silver Star Communications in rural Wyoming, describing how the Framework has helped them to be more thoughtful and wiser managers of their cyber risks.

We see companies like IBM, RSA, CA Technologies—all global in size and scope; and we see very small firms, like Rofori, offering products and services tied to the Framework.

The Department of Homeland Security and the University of Maryland have produced tools that incorporate the Framework. Major insurance companies and auditing firms are seriously considering using the Framework for evaluating clients and would-be clients.

And I don't want to forget the federal government. For example, the Department of Commerce—which includes NIST—is using the Framework to inform and communicate its cybersecurity risk management.

Guidance for Implementing Framework

Communities of interest and associations have been sharing practical advice to help organizations use the Framework. That includes

  • the Department of Energy, 
  • the American Water Works Association, 
  • the Information Systems Audit and Control Association, and 
  • the Information Security Forum.

Among the most noteworthy is guidance aimed at telecom-sector boards of directors from the FCC's Communications Security, Reliability and Interoperability Council.

Likewise, the Securities Industry and Financial Markets Association (SIFMA) is now beginning to leverage the Framework to provide a consistent auditable standard.

Guidance that Incorporates the Framework

Other groups are incorporating the Framework as part of their own cybersecurity guidance. This list includes

  • the Conference of State Bank Supervisors, 
  • the FDA, which has a guide on Management of Cybersecurity in Medical Devices, 
  • the Financial Industry Regulatory Authority, and 
  • of course, NACD's Cyber-Risk Oversight Handbook, prepared for board directors last year in cooperation with AIG and the Internet Security Alliance.

International Interest

There is international interest, as well.

Many companies told us they were concerned about the growing diversity of cybersecurity requirements around the globe.

I'm pleased to report that UK and European Commission representatives have spoken favorably about the NIST Framework and about how our approaches could be aligned with theirs.

The Japanese have translated our Framework. We've met with officials from China, South Korea, Australia, multiple European nations, and others. We're encouraging them to consider the Framework approach.

The goal is to get closer global alignment. We know how important that is to companies in the global marketplace, and we'll continue to work hard on this effort, teaming with other agencies and associations as necessary.

Conclusion

The NIST Framework is a very visible effort right now.

But there are a host of other initiatives under way across the federal government to address cybersecurity.

These include better sharing of cyber threat information, an issue the President has acted upon several times just within the past year.

At NIST, we're working on better ways for ensuring identities online, quantum encryption, and many other advanced research efforts in our Information Technology Laboratory and in our cooperative programs with others.

We are involved in extensive efforts with stakeholders from all over the world to enable not just smart electrical grids but smart cities. The Internet of Things promises to enable a future where interconnected devices and sensors securely share information to optimize everything from trash pickup to coordinated responses to major emergencies.

All of these efforts are important. But my main message for you today boils down to two things.

First, cybersecurity is too important to be left to your IT department and operations groups. Cybersecurity must be a core issue for your corporate executive team. It can literally make or break your company. And that means your leadership is critical to ensuring that your companies spend the time and resources necessary to manage this risk, just like you manage financial and legal risks.

Second, every executive should be able to communicate persuasively about the importance of cyber risk management. If you want to improve your skills, please read the NIST Cybersecurity Framework. As I mentioned earlier, it was written expressly for corporate leaders. It's easy to find on the NIST.gov website.

It can help you assess the maturity of your company's current cyber programs and then guide you to a set of best practices that prioritize, manage, and reduce your risks.

And, above all, do your shareholders and yourself a favor. Know that there are systematic proven best practices for addressing cyber risk and insist that your companies use them.

Your company's survival could depend on it. Thank you!

Created April 17, 2015, Updated December 29, 2016