Since its inception, the non-profit Council on CyberSecurity has been actively participating in the development of the Cybersecurity Framework. And our Critical Security Controls are called out as one of the “Informative References”.
Even at this early stage, the Framework has come to dominate the national conversation about cybersecurity for the critical infrastructure (and beyond), and we believe it represents an important step towards large-scale and specific improvements in security for the nation.
The Framework is true to its name (“a set of principles, ideas, etc. that you use when you are forming your decisions and judgments” – the MacMillan Dictionary), and it provides a way to organize, conduct, and drive the conversation about security goals and improvements, for individual Enterprises and across communities of Enterprises.
But now the hard work of taking action begins. For the Framework approach to be successful, we - the extended community of stakeholders across the private sector - must see this as our framework, one that requires active participation. We must extend the ideas of the Framework to help Enterprises identify risks and take action, and also build a self-supporting community that learns and shares ideas that work, and identifies and removes barriers.
This is right in line with the model that drives the Council on CyberSecurity (“Making Best Practice Common Practice”), and so we proudly announce our partnership and support for CFORUM – the Cybersecurity Forum. A community-led activity needs a place and a means to gather and share, so let’s start here. Please join us!
There’s been a flurry of activity around the NIST Cybersecurity Framework over the last year, driven by the NIST RFI and the responses, as well as the Workshop. These events highlighted many common themes, including the desire for more sharing about best practices, more gathering of resources, and ongoing consideration of industry feedback. As NIST maps out the roadmap for Framework evolution, it is more important than ever for the industry to speak up. Our friends at NIST have always been clear about their role – they are conveners and organizers of the process, but our industry needs to own this and to drive the evolution.
And as the best available open public discussion forum about the Framework, it is time for CForum to fulfill its potential. We need to grow this from a well-intentioned but low-traffic discussion site into “must-see IT” about the Cybersecurity Framework. The place where people and enterprises share stories, ideas, resources, feedback. Your comments from the Workshop notes and the RFIs were loud and clear – the need is there – but it’s up to folks like us to do something constructive to make it happen.
So here’s my part – I’ve agreed to be the volunteer Executive Director for CForum. I’d describe it as a combination of instigator, cat-herder, and maybe catalyst for conversation. I’ve spoken to many of you across the industry, and there’s a general feeling that the Framework has become the closest thing around to a universal discussion baseline, but we need a way to focus, share, and drive this conversation. And through my “day job” with the Center for Internet Security, I’ll share the work that we have done to align with the Framework.
Your part? Speak up, share your stories, ideas, even your frustrations with the Framework. As a friend once told me, “you’re not writing the Federalist Papers” – write down what you think, let the ideas flow, and see what happens. And grab your industry friends and colleagues to bring them into the CForum discussion.
The cybersecurity problem is real, and it affects us all. After 40 years in this business, one thing I truly appreciate is the chance to work with so many talented people of good will. But that’s not enough - we also need to get organized, and get focused on action. Let’s start here!
--Tony Sager Center for Internet Security