The April 3 workshop was mobbed; the Department of Commerce auditorium was filled to capacity. I assumed that it would be thinly attended like the meetings of the Federal XML work group, but there must have been something like 500 people there. Clearly people are interested and are planning on following the process very closely. I hope that means that we will build a better standard that gains broad compliance.
This workshop was designed to gain industry's perspective. The first panel had Russell Schrader of VISA, Terry Rice of Merck, Michael Paypay of Northrop Grumman, and Reid Stephan of St. Luke's Health System.
Russell Schrader of VISA described the Executive Order as sensible, and was pleased with the request for private sector feedback. He also stressed the need for international cooperation and said that there is much more to be done.
Schrader described security as core to VISA's brand promise. He reminded the audience that VISA was one of the founding members of the Payment Card Industry Council, and suggested that PCI offers a template for cyber security cooperation. He described the PCI system as scalable from the small merchant to the large.
Schrader described cyber security as a continuing process in which there is no box to be checked. He described VISA's approach as Prevent, Protect, and Respond, saying that, "we try to stop trouble before it begins."
Schrader called on NIST to build on what already exists and aim for global scalability. He was especially concerned that NIST not create contradictory procedures.
He stressed the need for information sharing and for a legal framework for law enforcement. (I assume that he meant over and above the work of NEIM.)
Michael Paypay, Chief Information Security Officer for Northrop Grumman, described his work as "where the rubber meets the road". He said that it was extremely important to Northrop to protect the information that the government has entrusted to it.
Paypay described the defense industry as having a collaborative approach, going on to describe himself as "representing all my aerospace brothers." He said that cyber security is not an area in which aerospace companies compete; rather, they cooperate.
Paypay observed that there is no common lexicon of roles and responsibilities in cyber security. He also said that benchmarking against other organizations can be a problem. He described government "best practices" as very helpful, in particular NIST 800-53.
He said that it was important to identify what is appropriate for your business, going on to say that you cannot simply protect your perimeter; it is necessary to build a layered defense and go through each layer in order to identify risk.
Reid Stephan said that it had been an eye-opening experience to join the health care industry, which is catching up to other industries. He said that the National Health ISAC looks to existing standards such as the NIST 800-30 guide to risk assessment. He suggested that it was better to integrate existing standards and best practices rather than build something from scratch.
Stephan pointed out that cyber security risk management has to be balanced with business risk management, going on to say that a risk-based approach rather than a control-based approach would be more practical.
Stephan lamented the lack of robust intra- and inter-industry collaboration, and said that the framework needs to address this sort of collaboration. He went on to observe that the cyber security framework will never be finished, but will become a dynamic standard.
Terry Rice of Merck thanked Commerce and NIST for hosting the workshop. Rice pointed out that life sciences, including pharmaceuticals, has been identified as critical infrastructure. The pharmaceutical industry is already working with DHS to protect its information.
Rice reiterated the point others had made, that cyber security is not binary: one is not simply either secure or insecure. He lamented the lack of metrics for risk assessments and said that NIST is in a good position to help with this.
Rice said that in 2005 the pharmaceutical industry established a not-for-profit organization to establish a standard for a bio-pharma digital signature. He said that security requires authenticity, that is, non-repudiable information. He described the NIST 800-63 guidelines as useful.
He reminded the audience that the DEA has established a standard for doctors' digital signatures for controlled substances. Rice also spoke about the need for anonymity for persons searching for information about sensitive medical conditions.
Rice pointed out the need for skilled workers, lamenting that computer security is not a required subject for college computer science students.
Rice echoed others' call for an international approach, asking, for example, how the cyber security framework would apply to a foreign owner of critical infrastructure.
He said that we have to include privacy as part of the framework. In this he underscored the Executive Order's inclusion of the federal government's existing privacy guidelines.
At this point Patrick Gallagher opened it up for a general discussion, asking, "How do we support adoption? How should the framework think about supporting adoption?"
Michael Paypay said that everyone in the company has to be trained in security. He said that Northrop Grumman spear-phishes its own employees, providing remedial training for people who get it wrong.
Both Stephan and Rice pointed out that good compliance does not equal security. It is necessary to make sure that people understand, and you have to tread carefully when dealing with doctors.
Schrader said that you have to make sure people understand the need for security procedures.
Gallagher asked Schrader how VISA persuades its service centers and merchants to be compliant. Schrader replied that VISA merchants are looking for something to implement that makes sense for their situation.
Panelists agreed that we need safeguards around data, whether in storage or in transit.
Paypay observed that not all threats are the same. A DDoS attack does not affect a business like Northrop Grumman, as "we don't do business through the website."
Panelists agreed on the need to establish common vulnerabilities and not to create new standards where an existing one already applies.
Terry Rice talked about the need for metrics to measure and manage risk.
Gallagher asked the panelists how they talked about risk, and about their bosses' role in risk management: "how do you make cyber security relevant to the C Suite?" Schrader replied, "look at the daily paper, you can't run a company without knowing about these incidents, education not necessary at VISA."
Reid Stephan said that one "can't take a fear approach." It is necessary to have a consistent process to measure risk, and to establish a relationship and be seen as a partner; that gets you a "seat at the table."
Michael Paypay said that at Northrop Grumman "we are lucky because our executives understand this. Also, our customers are highly educated about cyber security; they don't have a cut and dry practice for security."
Gallagher pointed out that in the US the government does not establish cyber security standards, asking, "how can we exploit the fact that we work together?"
Schrader said that "you don't want to codify standards" because of the continuing changes in IT.
The next Cyber Security Framework Workshop will take place in Pittsburgh from May 29 through 31.
Cyber Security Framework website
Grant Gross: US NIST: Industry should lead creation of cybersecurity framework
Brian Browdie: Cybersecurity Framework Demands Input from Industry, Official Says
J. Nicholas Hoover: No Bold Moves On U.S. Cybersecurity Framework
Jason Miller: NIST, industry begin journey to develop cyber framework
Molly Bernhart Walker: NIST sorting comments on cybersecurity framework