Cybersecurity: Using NIST

Mike Maniscalco | Jun 04, 2020

Applying the National Institute of Standards and Technology Cybersecurity Framework to CEDIA Integration Businesses

As we discussed in the last blog post, cybersecurity is a broad and deep topic. It is also a constant game of cat and mouse -- meaning no connected system can ever be entirely or permanently secure. To find focus and enhance productivity, it is beneficial to take a strategic approach to cybersecurity. Such an approach involves addressing an organization’s most critical concerns, implementing security metrics, and making improvements over time.

The entire process can be modeled around the US Government’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. The creation of the Framework has been an excellent public-private partnership involving a diverse range of stakeholders, including the technology industry, scientific and academic communities, and government.

The Creation of Common Language

The first version of the Cybersecurity Framework was published in 2014, and an updated version was released in 2018. The NIST Framework provides common language around cybersecurity priorities and actions. NIST intends the Cybersecurity Framework to be used by organizations of all sizes and customized to their specific needs.

For organizations around the globe, the Framework is excellent guidance because cybersecurity is an international problem with a universal language. CEDIA members can take advantage of the NIST Cybersecurity Framework's world-class knowledge, research, best practices, and structure for assessing and addressing cybersecurity within their organizations.

It is helpful to see where NIST has observed successful uses since publishing the initial Framework in 2014.

Over the past few years, NIST has been observing how the community has been using the Framework. These are some common patterns that we have seen emerge:

Leadership has picked up the vocabulary of the Framework and is able to have informed conversations about cybersecurity risk.

Organizations have used the tiers to determine optimal levels of risk management.

Organizations are finding the process of creating profiles extremely effective in understanding the current cybersecurity practices in their business environment.

Profiles and implementation plans are being leveraged in prioritizing and budgeting for cybersecurity improvement activities.

How You Can Implement the Framework

The NIST Cybersecurity Framework has five key functions: Identify, Protect, Detect, Respond, and Recover. By breaking down the Framework into more actionable pieces, organizations can evaluate current practices, develop stronger policies, and strengthen both processes and systems.

For those who are new to the Framework, a suggested starting point is the Identify function, which looks at an organization's assets, business environment, governance, risk assessment, risk management, and supply chain risk. For example, in the new CEDIA cybersecurity workshops, integrators begin by identifying all of the physical and software threats to their client systems, then consider system processes and data flow, determine their organizational risk tolerance, evaluate the resources available to invest, and finally prioritize where to allocate resources. The exercise is challenging because, at first glance, everything seems like a high priority, but through thoughtful exploration and collaboration, a business can create a strategy that enables them to tackle the highest risks first, measure impact, and improve with iteration over time.

The thought of achieving perfection around cybersecurity is often daunting and, frankly, can seem unachievable. Keeping this in mind, CEDIA is currently offering several new education opportunities to assist with the identification, evaluation, and prioritization of an integrator's current cybersecurity practices using the guidelines from the NIST Cybersecurity Framework. More specifically, CEDIA's new online learning courses will help integrators gain an understanding of cybersecurity basics.

I’ll leave CEDIA members with this final thought: As the cost of security breaches continues to grow, preventing a breach before it happens is always much less expensive. I encourage all within CEDIA as an industry to commit to improving cybersecurity best practices and to take advantage of the new resources available.

About the author: Mike Maniscalco is a longtime CEDIA instructor and volunteer who co-founded the remote monitoring firm Ihiji.