Internet Security Alliance President Larry Clinton praised the Obama Administration’s strategy to promote efforts to develop market incentives for improving cybersecurity, including simplifying standing regulations for “good actors and entities” who voluntarily adopt the fledgling NIST Framework.
“Traditional regulatory models will not work, and indeed will be counterproductive in strengthening our cyber security because it will detract needed resources from security and divert them to meaningless compliance programs,” said Clinton.
“The Administration has made great strides in its understanding of the differences between public sector and private sector cyber risk, including a sophisticated appreciation of the economics of cyber security,” said Clinton, who also noted that research continually demonstrates that the key challenge in securing critical infrastructure is economic in nature, not technical.
Clinton made these comments at a special DHS-sponsored session on Incentives for Cyber Security at the annual WEISS conference on the economics of cyber security at Penn State University, where he lauded DHS Assistant Secretary for Cyber Security Dr. Andy Ozment for his recent call for more sophisticated analysis of the implementation of the NIST Framework.
“Dr. Ozment is absolutely correct that, while anecdotal reports about use of the Framework are nice, they do not provide the level of data we need to evaluate our primary initiative in shoring our nation’s cyber weakness,” Clinton said.
“In order to assess our success we need to first define what success means, and we have not yet done that with the NIST Framework. We need a systematic and collaborative process to assess the utility and effectiveness of the Framework.”
The NIST Framework aims to consolidate controls like ISO27k, NERC CIP, COBIT, the Top 20 Critical Controls and others into one streamlined document to produce a security capability maturity model that will be propelled by stakeholder-driven incentives that encourage voluntary adherence.
Clinton noted that ISA had been calling for a more systematic assessment process since the Framework was released last February, including providing a detailed plan for beta testing the Framework and assessing its cost effectiveness.
“The administration has made progress in articulating the need for a voluntary approach, the need to create incentives and the need for a better assessment process; we are optimistic we will continue this progress as we develop more sophisticated methods to evaluate the utility and effectiveness of the Framework,” said Clinton.
The ISA is a multi-sector trade association representing the interests of some of the biggest companies in the nation, and has long championed the market incentive approach to adoption of better security policies as opposed to penalty-based regulatory mandates, but it is still unclear how the NIST Framework can achieve this end.