Remarks at Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy

[As prepared.]

Wow, that was quite a packed afternoon.

Today, we learned about:

• some of the barriers you face in implementing cost-effective cybersecurity and privacy protections; 
• your views on the practicality and utility of current research efforts in areas such as risk modeling, privacy-enhancing technologies, and usable security; and we've gained
• valuable new insights and effective ways for government, industry, and academia to collaborate on cybersecurity challenges facing consumer-facing organizations.

I'd like to thank Stanford University for hosting us—and for their invaluable contributions to today's discussions about meeting the real-world cybersecurity challenges of consumer-facing organizations. 

What we heard today reinforces that cybersecurity has become too important to our economic health, both for individual companies and as a nation, to be left to the experts alone. 

Protecting our IT assets and data is both a technical and a leadership challenge. We're very pleased to have an opportunity to gather so many representatives from industry for such an in-depth discussion of the challenges associated with implementing advanced cybersecurity and privacy technologies in real-world conditions. 

We are grateful that all of you have made the time to participate today and hope it helps all of us take a fresh look at how we can protect our organizations and our customers. 

Speaking for NIST, I know that today's workshop has given us a better understanding of your cybersecurity concerns and business requirements that will help ensure our future approaches are practical and achievable.

As a result of this workshop, we're also in a better position to prioritize your challenges and responses from the federal government and other resources.

As you know, NIST is all about standards and best practices. 

As an agency, NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Over the years, this has ranged from projects related to the Smart Grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips.

As part of that mission, we're actively engaged with industry, academia, and other parts of the federal government to coordinate and prioritize cybersecurity research, standards development, standards conformance, and cybersecurity education and outreach. Often, this work is done through open sessions such as this.

As we know, under the Executive Order that is a year old today, NIST is working with industry on the development of a framework to reduce cyber risks to critical infrastructure. The framework is a set of core standards, methodologies, procedures, and processes that will be applicable across sectors for the full range of quickly evolving threats.

NIST's role under the framework is to provide structure and technical expertise, but not to choose or develop particular standards and technical solutions. Standards and technical solutions, however, do not improve our cybersecurity posture until they are implemented. For the vast majority of consumer-facing organizations, any cybersecurity implementation must be voluntary—and, therefore, must be consistent with and a part of business practices.

NIST's National Cybersecurity Center of Excellence [NCCoE] operates in that space where standards and best practices come up against the demands of business environments. The NCCoE is a hub where people from small businesses, market-leading companies, government agencies, and academia work together to address broad cybersecurity problems of national importance.

As we've learned through each of our sessions today, strong cybersecurity is the key to strong bottom lines and a strong economy.

Thank you all. I'll look forward seeing the results of our combined efforts.