Will the NIST Privacy Framework Change How We Approach Privacy?
The NIST Cybersecurity Framework changed the way we think about security. Will NIST’s Privacy Framework have the same effect?
Happy fifth anniversary to the NIST Cybersecurity Framework.
When it was issued in February 2014, the goal of the Cybersecurity Framework was to address potential threats against critical infrastructure. Today, as Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan said on the NIST blog, “NIST is committed to ensuring that even more organizations, especially smaller companies, know about and are able to use the Cybersecurity Framework to help strengthen the security of their systems, operations and data, and to make wise, cost-effective choices to mitigate cybersecurity and privacy risks.”
It’s clear that the initial mission of the Cybersecurity Framework has shifted over the years. But how has the cybersecurity landscape changed over that time period and how has it impacted the way we approach cybersecurity?
The Gold Standard
When the NIST Cybersecurity Framework was introduced, large-scale attacks were gaining more visibility. CryptoLocker ransomware had hit just months earlier. These attacks put cybersecurity front and center for organizational leadership, which traditionally had put security concerns on the back burner.
The NIST Cybersecurity Framework helped organizations develop an effective security framework, explained Laurence Pitt, global security strategy director at Juniper Networks. It opened a way for security teams and senior leadership to have real conversations about cybersecurity in terms everyone could understand.
“In five years, NIST has gone from being a framework to help develop an effective security program and posture, to a recognized process that has enabled successful conversations to bridge the gap between security and senior leadership,” Pitt said.
“The NIST Cybersecurity Framework has become the gold standard for cybersecurity measurement since its development, especially in highly regulated industries,” said George Wrenn, CEO of CyberSaint Security. While critical infrastructure organizations are using it to standardize cyber best practices, cybersecurity itself has become much more complex in the last few years, and standardization is necessary for improvement. “The NIST CSF allows CISOs and their security teams to standardize where they previously couldn’t due to the complexity of cybersecurity.”
Cybersecurity Framework in the Age of Data Privacy
Data privacy has become a top security priority over the past couple of years, and Wrenn said NIST recognizes that evolution.
“The NIST Risk Management Framework version 2 has incorporated privacy as an important consideration,” he explained. “When combined with the NIST Cybersecurity Framework (as they are better implemented together) the partnership between them brings privacy elements sharply into focus—privacy alignment that until recently was not available previously. In addition, NIST is in the process of creating a national Privacy Framework, in line with the heightened interest in data privacy and protection, and it will be available later this year.”
Will a privacy framework result in organizations thinking about data in different ways? According to Mike Sprunger, senior manager of cloud and network security at Insight’s Cloud + Data Center Transformation Division, other privacy regulations such as GDPR and CCPA have changed the way we look at data classification.
“Until GDPR came along, most companies did not classify their data in a way that made it possible to prioritize data based on its sensitivity and determine whether they were in compliance. The regulations are forcing affected companies to inventory and categorize their data, often for the first time,” Sprunger said.
Data classification has to cover two kinds of data: structured and unstructured. So far, organizations have mostly addressed structured data, the information that is easy to search for and find because it is cataloged in specific database fields.
However, said Sprunger, unstructured data on edge devices such as laptops, desktops, phones and IoT devices represents 80 percent of business data, covering emails, spreadsheets, PDFs, images and other documents. “Until a few years ago, classifying this data required manual intervention by end users and therefore left a lot of loopholes,” said Sprunger. “Newer technologies automate the process, dramatically simplifying the effort, helping ensure consistency across the enterprise and even enabling automatic movement of files in specific classification categories to appropriately protected repositories.”
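The automated classification Sprunger describes, as an added example that is not from the article or from any vendor named in it: scan the text of unstructured files for personal data, assign each file a sensitivity tier, and pick the repository it should be moved to. The tier names, the detectors, the repository URIs and the sample files are all constructed for this example; a real deployment would add many more detectors and feed the results to a DLP or storage-tiering tool rather than a dictionary.

```python
import re
from typing import Dict, Tuple

# Constructed sample documents standing in for unstructured files pulled from
# laptops, desktops and phones. Contents are invented for this example.
SAMPLE_FILES: Dict[str, str] = {
    "q3_budget.txt": "Projected spend for Q3 is up 4% versus plan.",
    "onboarding.txt": "Welcome Dana! Your work email is dana.k@example.com.",
    "refunds.csv": "customer,card\nJ. Ortiz,4111 1111 1111 1111\nK. Lee,5500 0000 0000 0004\n",
    "hr_note.txt": "Employee SSN 123-45-6789 verified for benefits enrollment.",
    "order_ref.txt": "Order ref 1234 5678 9012 3456 shipped on Friday.",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn check below
# weeds out order numbers and other digit runs that merely look like cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Sensitivity tiers, lowest to highest. A file with no findings defaults to
# Internal. Tier names and repository URIs are hypothetical.
LEVELS = ("Internal", "Confidential", "Restricted")
REPOSITORIES = {
    "Internal": "share://general/",
    "Confidential": "share://confidential/",
    "Restricted": "vault://restricted/",
}
DETECTOR_LEVEL = {"email": "Confidential", "ssn": "Restricted", "card": "Restricted"}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect(text: str) -> Dict[str, int]:
    """Count each kind of personal data found in a file's text."""
    findings: Dict[str, int] = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        findings["email"] = len(emails)
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["ssn"] = len(ssns)
    cards = [m for m in CARD_RE.findall(text) if luhn_valid(m)]
    if cards:
        findings["card"] = len(cards)
    return findings


def classify(text: str) -> str:
    """Highest tier implied by any detector that fired; Internal if none did."""
    level = "Internal"
    for kind in detect(text):
        if LEVELS.index(DETECTOR_LEVEL[kind]) > LEVELS.index(level):
            level = DETECTOR_LEVEL[kind]
    return level


def route_all(files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each file name to (tier, destination repository)."""
    routed = {}
    for name, text in files.items():
        level = classify(text)
        routed[name] = (level, REPOSITORIES[level])
    return routed


if __name__ == "__main__":
    for name, (level, dest) in route_all(SAMPLE_FILES).items():
        print(f"{name:16} {level:13} -> {dest}")
```

The Luhn step is the part worth copying: a bare digit-run regex would mark the order reference as card data and push a harmless file into the restricted vault, which is how naive classifiers lose the trust of the people whose files they move.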
To better approach data privacy and give consumers the level of protection and control they expect (and deserve), organizations will have to rethink how data is classified and stored. Time will tell how NIST’s Privacy Framework, in conjunction with the Cybersecurity Framework, will impact the way we talk and think about data, both in terms of privacy and security.