Articles

Finally, a meaningful congressional report on stemming cybersecurity attacks

Articles, Blog, News

The Cybersecurity Strategy Report offers solutions to six problem areas in an effort to improve IT’s ability to cope with today’s cyber threat landscape.

As a new Congress arrives next month, expect a whirlwind of activity on the cybersecurity and privacy fronts. From major data breaches to the growing consumer data privacy morass, the frenetic pace of Washington developments will heat up. Most of this activity will obscure the fundamentals of why we have never-ending breaches, personal data exposures and chronic digital insecurity. A just-issued report by the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations is, however, a refreshing departure from the usual political drama because it delves into this very question.

The Cybersecurity Strategy Report released on December 7 sidesteps the crises du jour by taking a bigger picture, practical and non-partisan view of what’s going wrong and how to fix things. It seeks to articulate how “traditional information technology (IT) strategies seem largely ineffective at stemming the growing tide of cybersecurity incidents.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Who is responsible for IoT security in healthcare?

NIST panel debates who should own IoT security: vendors or users. The issue is especially important when it comes to protecting medical devices.

The next big challenge in cybersecurity will undoubtedly be to secure the billion-plus (and growing) internet-of-things (IoT) devices around the globe, which exponentially expand the attack vector across the increasingly interconnected IT sector. Based on statistics from Symantec, attacks that leverage internet-connected cameras, appliances, cars, and medical devices to launch attacks or infiltrate networks soared by 600 percent from 2016 to 2017.

“It was a big year for cyberattacks,” Ken Durbin, senior strategist for global government affairs at Symantec, said, speaking on a panel at NIST’s Cybersecurity Risk Management Conference. Much of that panel’s discussion focused on who should own IoT security. The nature of IoT risk makes that a hard question to answer.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

With supply chain security grabbing headlines, NIST sees new relevance for its guidance

Supply chain is sexy again, and NIST hopes that means more companies take its supply chain risk guidance seriously.

Cybersecurity in the supply chain is a dense, massively complicated topic that lies beyond the comprehension of all but a few dedicated experts. It has nonetheless risen to the top of security challenges organizations face today. “Supply chain is the new black. Supply chain is sexy again. That’s kind of hard to imagine,” said Jon Boyens, manager, security engineering and risk management at the National Institute of Standards and Technology (NIST). Boyens, who manages cybersecurity supply chain efforts at NIST, made that comment during a plenary session at NIST’s Cybersecurity Risk Management Conference.

NIST’s long history with supply chain risk

NIST is an old hand at supply chain outside the cybersecurity realm, starting decades ago when it began developing guidance for managing risk in global industrial and defense supply chains. “Supply chain is the most mature in its gestation because we’ve had all sorts of permutations along the way. This is an old topic for defense organizations,” says Matt Barrett, NIST’s Cybersecurity Framework lead.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Why NIST’s privacy framework could help security efforts

Although many people, even some cybersecurity practitioners, tend to conflate data security and data privacy as one and the same, privacy experts see them as two different, often contradictory, yet frequently overlapping objectives.

“We look at it as a Venn diagram,” Naomi Lefkovitz, privacy engineering program head at the National Institute of Standards and Technology (NIST), said during a plenary session here at NIST’s Cybersecurity Risk Management Conference.

Lefkovitz is spearheading NIST’s initiative to create a Privacy Framework, along the lines of NIST’s successful Cybersecurity Framework, which could help pave the way toward the development of trustworthy information systems that protect privacy. From the Venn diagram perspective, the protection of individual privacy cannot be achieved by merely securing personally identifiable information (PII), because security risks arise from unauthorized system behavior while privacy risks arise as a byproduct of authorized PII processing. The area where security concerns overlap privacy concerns is the only area where true PII privacy currently occurs.

(This article appeared in Cyberscoop. Please read the rest of the article here.)

Why NIST is so popular in Japan

While organizations around the globe continue to grapple with chronic shortages of qualified cybersecurity workers, Japan is tackling the problem in a significant way by turning to two U.S. government technology frameworks to help manage its own information security manpower shortages.

Japanese industry has turned to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and National Initiative for Cybersecurity Education (NICE) Workforce Framework in an effort to fill the unique cybersecurity skills gap characteristic of Japanese companies.

Masato Kimura, a manager in the cybersecurity R&D planning department at Japanese telecom giant NTT, said that the NIST workforce framework in particular plays a pivotal role in Japan due to the high level of reliance by Japanese companies on outsourced IT and cybersecurity personnel.

[This article appeared in Cyberscoop. To read the rest of the article please visit here.]