Last week, Microsoft’s Innovation & Policy Center in Washington, D.C. convened a distinguished group of cybersecurity and privacy professionals from across industry sectors for a panel discussion about the forthcoming Cybersecurity Framework, expected from the National Institute of Standards and Technology (NIST) in February 2014, and its implications for critical infrastructure organizations.
I was pleased to participate as a panelist alongside:
- Mark Clancy, CISO of the Depository Trust and Clearing Corporation
- Trevor Hughes, President and CEO of the International Association of Privacy Professionals
- Mike Kuberski, Chief Information Security Officer of Pepco Holdings
- Larry Trittschuh, Executive Director for Threat Management, General Electric
- Fred Cate, Indiana University Maurer School of Law, who served as moderator
Several key themes emerged from our discussion. The general sense among the panelists was that the underlying themes of cybersecurity and privacy practices described in the Preliminary Framework were a good starting place and would aid organizations in establishing or refining organizational policies, provided the underlying approach remains relevant for the data-rich environment of the 21st century. However, several panelists also noted that certain components of the Framework may pose challenges for industry because they are prescriptive rather than outcome-focused.
Panelists also observed that a stronger integration of cybersecurity and privacy practices was crucial to strengthening the Framework’s relevance to small and medium organizations, which may be trying to address both topics with limited capacity. Additionally, panelists acknowledged that the Framework’s success will depend on related initiatives in the federal government, specifically the Department of Homeland Security’s program for voluntary use of the Framework and the White House’s work on incentives for participating organizations.
Following the discussion, we spoke with several of the panelists. Trevor Hughes stressed the importance of sound cybersecurity and privacy practices in critical infrastructure protection, stating that “cybersecurity professionals are not privacy professionals, and we need privacy expertise in these conversations.”
Missed the event but want to learn more? Check out Microsoft’s prior blog posts on the Framework and related incentives. You can also visit the Microsoft Global Security Strategy and Diplomacy site and the Microsoft privacy site.
Senior Director, Global Security Strategy