Cybersecurity Programs Need Teeth (Beyond RMF)!

By Philip D. Schall, Ph.D., CISSP, RDRP

After the recent Colonial Pipeline and JBS Meat Processing ransomware attacks, I was approached multiple times by concerned friends asking if BAI could start offering cybersecurity training targeted towards private industry. My quick reply to these folks was that we have tried offering Cybersecurity Framework (CSF) training previously, and we received limited interest. CSF is a cybersecurity framework that was created with a focus on critical infrastructure and then evolved to being applicable to all companies, private or public. CSF has a neat feature of letting its users choose the control set they wish to map to. The informative reference options include COBIT 5, ISO/IEC 27001:2013, ISA 62443-2-1:2009, CIS CSC, and our favorite, NIST SP 800-53.

I am not a CSF expert, but after talking to BAI’s CSF SME, Marilyn Fritz, I discovered that CSF is a very flexible and well-constructed cybersecurity program that can be used by all lines of business, and it is very approachable. I have since reviewed the most recent version of CSF and found it to be very easy to understand, with documentation that is not as heavy as RMF’s. CSF is by no means “RMF light,” but unlike RMF, which people often complain is very heavy reading with hundreds of pages of guidance, the primary CSF document is only 55 pages. The bottom line is that NIST has created a cybersecurity framework that is very easy to use and to implement in any business.

If NIST has created CSF, and many other free compliance programs are available, why are companies continually getting hacked at such an alarming rate? I recognize that scenarios such as these have a variety of elements at play, but I continue to be a firm believer that executives who are focused on shareholder returns still do not see cybersecurity training and the implementation of cybersecurity compliance programs as a top priority. Since these programs do not “have teeth,” such as legal requirements, they are not implemented as thoroughly as they should be.

For the past few years, a trend has existed where companies have purchased cybersecurity insurance with the thought that they are mitigating risk. With the uptick in attacks, recent data indicate that the major cyber insurance companies are no longer paying out on cyber insurance claims if sufficient controls were not in place. I hope this is the beginning of the required compliance we need to encourage private industry to take cybersecurity seriously, but I am still concerned that too many companies will wait until it is too late to implement a program such as CSF in their organization. This brings me back to the initial topic of this article. BAI would love to offer CSF training regularly, but history shows that organizations will not pay for cybersecurity compliance and training unless it is a mandated requirement such as RMF. Beyond my own business case as Director of Training for BAI, I hope that C-suite executives start making cybersecurity program implementation a priority instead of waiting to clean up messes that end up having long-lasting financial and reputational impacts.
