Microsoft hosts cybersecurity and privacy professionals for discussion about the Cybersecurity Framework

Last week, Microsoft’s Innovation & Policy Center in Washington, D.C. convened a distinguished group of cybersecurity and privacy professionals from across industry sectors for a panel discussion about the forthcoming Cybersecurity Framework, expected from the National Institute of Standards and Technology (NIST) in February 2014, and its implications for critical infrastructure organizations.

I was pleased to participate as a panelist alongside:

  • Mark Clancy, CISO of the Depository Trust and Clearing Corporation
  • Trevor Hughes, President and CEO of the International Association of Privacy Professionals
  • Mike Kuberski, Chief Information Security Officer of Pepco Holdings
  • Larry Trittschuh, Executive Director for Threat Management, General Electric
  • Fred Cate, Indiana University Maurer School of Law, who served as moderator

Several key themes emerged from our discussion. The general sense among the panelists was that the underlying themes of cybersecurity and privacy practices described in the Preliminary Framework were a good starting place and would aid organizations in establishing or refining organizational policies, provided the underlying approach is relevant for the data-rich environment of the 21st century. However, several panelists also noted that certain components of the Framework may pose challenges for industry because they are prescriptive rather than outcome-focused.

Panelists also observed that a stronger integration of cybersecurity and privacy practices was crucial to strengthening the Framework’s relevance to small and medium organizations, which may be trying to address both topics with limited capacity. Additionally, panelists acknowledged that the Framework’s success will depend upon related initiatives in the federal government, specifically the Department of Homeland Security’s program for voluntary utilization of the Framework and the White House’s work on incentives for participating organizations.

Following the discussion, we spoke with several of the panelists. Trevor Hughes stressed the importance of sound cybersecurity and privacy practices in critical infrastructure protection, stating that “cybersecurity professionals are not privacy professionals, and we need privacy expertise in these conversations.”



Missed the event but want to learn more? Check out Microsoft’s prior blog posts on the Framework and related incentives. You can also visit the Microsoft Global Security Strategy and Diplomacy site and the Microsoft privacy site.

Paul Nicholas
Senior Director, Global Security Strategy
Microsoft Corporation



About the Author
Paul Nicholas

Senior Director, Trustworthy Computing

Paul Nicholas leads Microsoft’s Global Security Strategy and Diplomacy Team, which focuses on driving strategic change, both within Microsoft and externally, to advance infrastructure security and resiliency. His team addresses global challenges related to risk management, incident response, emergency communications,