White House Releases New Cybersecurity Framework — But How Will Businesses Respond?

On February 12, 2014, the White House finally launched its Cybersecurity Framework, making good on some of the promises of the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced during his 2013 State of the Union address. Though not a permanent answer to the problem of infrastructure cybersecurity in the United States, the Cybersecurity Framework is a first step toward securing our nation’s technological infrastructure.

How will businesses respond? Though the White House has yet to sweeten the deal with financial incentives like tax breaks, companies are expected to embrace the recommendations of the Cybersecurity Framework voluntarily. Implementing stringent cybersecurity practices benefits companies and protects profits.

What the Cybersecurity Framework Is — And Isn’t

The Framework establishes a set of guidelines to help companies understand and manage their cybersecurity risks. It is useful not only for organizations that are just getting into the cybersecurity game, but for organizations that already have some level of cybersecurity in place. In addition to helping companies and organizations manage their cybersecurity risks, the framework also provides some guidance regarding civil liberties issues and privacy considerations.

The Framework consists of three components: the Framework Core, Profiles and Tiers. The Framework Core consists of five general categories all companies must consider when securing their technological infrastructures: identify, protect, detect, respond and recover. Profiles can help companies form a clearer picture of their cybersecurity needs, priorities and goals. Tiers provide guidelines for different levels of risk management implementation, depending on a company’s needs.

The Framework is not regulatory. It does not tell companies what to do or what to buy, but merely gives them a set of guidelines for implementing cybersecurity practices already considered standard in the industry. When you go to school online to earn a Bachelor of Science in Cybersecurity, these will be the security infrastructure standards you will learn to implement.

Will Businesses Adopt the Framework?

Critics point out that the Cybersecurity Framework doesn’t offer any financial incentives, like tax breaks, that could entice most companies to adopt the new guidelines. However, the White House, among many others, believes that companies won’t need financial incentives in order to get on board with the new framework.

For one thing, the Cybersecurity Framework isn’t the work of stodgy politicians who may or may not know what they’re doing. Its recommendations are the work of more than 3,000 industry professionals and organizations working with the National Institute of Standards and Technology (NIST). Furthermore, the Cybersecurity Framework is in companies’ best interests. Companies need strong cybersecurity infrastructures, and they know it. Many industries welcome the standardized cybersecurity practices the framework provides.

The tech industry, for example, has been less than pleased with the NSA surveillance debacle. Tech industry leaders say that the news of NSA surveillance has hurt their markets abroad, where consumers are skittish about buying potentially compromised American products. It is hoped that the Framework’s civil liberties and privacy protections will help to restore some of those markets.

The Software & Information Industry Association (SIIA) released a statement congratulating the NIST for its work on the Cybersecurity Framework. SIIA President Ken Wasch said, “A critical cybersecurity priority for SIIA is to preserve IT innovation and technology neutrality, and we are confident that this framework will help achieve those goals.”

AT&T CEO Randall Stephenson agreed that cybersecurity is a priority for most companies. “There is nothing more brand affecting for a company like AT&T than cybersecurity and exposure in cybersecurity,” he said.

Even though the framework is not regulatory in nature, its guidelines may well become the de facto standard for private cybersecurity infrastructures under U.S. law. Its implications go much further than protecting companies’ bottom lines; it’s the first step toward shoring up America’s teetering cyber defenses. More than 45.1 percent of defense leaders think that cyberattacks and cyberwarfare are the biggest threat the United States faces today.

The White House’s Cybersecurity Framework, launched earlier this month, is expected to be widely adopted by private industry leaders, despite the lack of any corporate financial incentives attached to the plan. Many industry leaders recognize the inherent value of implementing solid cybersecurity measures. These days, customers need to know that the companies they do business with are guarding their personal information and payment information closely.

Leave a Reply