The National Institute of Standards and Technology (NIST) introduced the Cybersecurity Framework on February 12th, 2014, and while federal contractors must demonstrate some form of adoption, the framework is completely voluntary for organizations in the private sector.

Tripwire has released the results of a survey of attendees at the RSA Conference USA 2014 in San Francisco. When asked “should NIST offer tax incentives to the private sector to increase adoption of the NIST Framework,” 72% of survey respondents said “yes.”

The Framework initiative was prompted by President Obama’s Executive Order issued in February of 2013, and is designed to be a broadly applicable security standard that allows for flexibility to accommodate a range of industries already subject to numerous regulatory mandates.

“It’s encouraging that security professionals are optimistic about the potential of a tax incentive to drive adoption of NIST cybersecurity framework. However, in spite of the potential ‘carrot,’ I suspect a lot of private sector organizations will only pay lip service to the NIST framework until there is a ‘stick’ to motivate them,” said Dwayne Melancon, chief technology officer for Tripwire.

“That said, there have been many discussions among private sector organizations regarding the possible use of the NIST cybersecurity framework as the ‘standard of care’ against which organizational security efforts will be measured,” Melancon continued.

The Framework aims to consolidate various controls like ISO27k, NERC CIP, COBIT, the Top 20 Critical Controls and others into one streamlined document to produce a security capability maturity model that will be propelled by stakeholder-driven incentives that are meant to encourage voluntary adherence.

The Tripwire survey examines the views of more than 150 infosec professionals at the annual security conference, and the strong support for tax incentives for Framework adopters provides some hope that the private sector is willing to engage if it is incentivized.

“If corporate boards and lawyers get involved, in addition to a tax motivation, the resulting momentum could be enough to significantly change the adoption curve,” Melancon advised.