Privacy Please

S5, E202 - The Next Chapter for NIST Cybersecurity Framework: Governance

Cameron Ivey


Could the addition of 'Govern' to the NIST Cybersecurity Framework 2.0 be the game-changer in how we approach cybersecurity governance?  We unravel the significant evolution of the framework, now bolstering enterprise risk management with a holistic approach that's essential for any organization, big or small. We dissect the interplay of the six functions—Identify, Protect, Detect, Respond, Recover, and the new kid on the block, Govern—and how this integration across the entire lifecycle of protection can redefine the conventional cybersecurity steps. No stone is left unturned as we debate the necessity of maintaining distinct cybersecurity and privacy frameworks in the face of increasing overlap, a question that is becoming more pertinent as the digital age advances.



Speaker 1:

I have to go Chain, chain food.

Speaker 2:

I'll thank you. Ladies and gentlemen, welcome to another episode of Privacy Please. I'm your host, Cameron Ivey, alongside my other host, Gabe Gumbs. We don't do co-hosts anymore, we're just hosts. You know what? You're just hosts. I just made that up. Right now we're going to fly with it.

Speaker 1:

That's how it works, though. Like if you just said it, it is now true, it is a statement.

Speaker 2:

Yeah, I don't want to tire saying co-hosts, because you know we're one and the same.

Speaker 1:

No one says co-parent. Does anyone say co-parent? I guess they do.

Speaker 2:

I don't like it either. Yeah, if you're gonna. So either you say it as an adjective or a verb. Right like, but as a noun co-parent as a noun doesn't work.

Speaker 1:

You just, you just call them parents Like this is, this is my mom and my co-parent, and I'm sorry, I meant dad. Dad looks down at you like what did you? Just, I'm well, how are you sir?

Speaker 2:

Good man Got some. You know, life life continues to go.

Speaker 1:

It does, it does.

Speaker 2:

We uh Sun continues to shine and yeah, you know.

Speaker 1:

Comes up another day.

Speaker 2:

NIST security framework continues to change. It does, and we have questions. It does, it does.

Speaker 1:

That is today's topic. 200th episode, yes.

Speaker 2:

There's a button for that. If you want me to use it, use the button. I gotta go live with it, though. Oh, it won't. It won't, let me go live with it. No, that's all right. All right, so okay.

Speaker 1:

Post production. That's what post production is for. Those of you that have listened to the show long enough know what we mean when we say post production. Oh yeah, we really start 200th episodes. So that happened this week. There's the button. Big times.

Speaker 1:

Also, just as significant in the security framework, security and privacy world, NIST released version 2.0 of the cybersecurity framework, NIST Cybersecurity Framework 2.0. It's been a long time coming. It's been many, many years in the making. There's been a lot of comments. I mean, the way the entire process works is they solicit comments from the industry, from experts. There are no shortage of experts that are also already engaged in working on this project in particular, both inside and out, so it's very much a collective effort. NIST, of course, is a government entity. It is funded and backed by the US government.

Speaker 2:

Well, they say here, it's now added as the sixth, the Govern function, which emphasizes that cybersecurity is a major source of enterprise risk and a consideration for senior leadership.

Speaker 1:

And so that is the significant update to the 2.0 framework. So, for those of you who just don't have the NIST Cybersecurity Framework memorized, it encompassed five sections prior to this update: Identify, Protect, Detect, Respond, Recover, as it pertains to your environment, infrastructure, data, etc. Identify the things that require protection, protect them, apply detective measures such that you know, when, not doing anything, when naughty things are happening, respond to any naughty things that are happening and recover from any naughty things that may have happened. So the additional, the update to the NIST Cybersecurity Framework is Govern, but they didn't add it as another step or another wedge. They added it as an overlay across all of those other components, which I think is good. I think that sends the right message, namely that Govern isn't somehow distinct from detection, protection, responding, etc., but that governance is an activity that must occur throughout the entire life cycle of protection. I'll call it the life cycle of protection.

Speaker 2:

I like that. Coin it. Coin it. Trademark, that's mine.

Speaker 1:

There it is. That's how it works, isn't it now, I guess?

Speaker 2:

I mean, you heard it here, that's how it works now. So questions from this. Obviously, I know the one that jumped up in your mind is well, isn't there a security framework opposite of this or, I'm sorry, a privacy framework? Apologies, yeah, but why is that separate?

Speaker 1:

And it has been for some time. So NIST also has a privacy framework. It is currently in version, I think, 1.1, but 1.0 was released back in January of 2020. It is a privacy framework and we've talked a lot about why. We've always felt that there's a lot of overlap between the two, but not really certain that they should be that wholly distinct from each other. And in this update of the NIST Cybersecurity Framework 2.0, I find myself questioning even further why NIST chooses to keep cybersecurity as a distinct framework from the privacy framework. Now, for what it's worth, NIST actually addresses this right up front. In the 2.0, in the updated cybersecurity framework, right on page 12, it does explicitly state the following. I'm going to read this verbatim: "Privacy risk. While cybersecurity and privacy are independent disciplines, their objectives overlap in certain circumstances, as illustrated in Figure 6."

Speaker 1:

Figure 6 is a Venn diagram, and on the left it's cybersecurity risk, which are associated with cybersecurity incidents arising from loss of confidentiality, integrity or availability, and the right side of this Venn diagram is privacy risk associated with privacy events arising from data processing, and in the middle of that are cybersecurity-related privacy events. So let me go on to read: "Cybersecurity risk management is essential for addressing privacy risk related to the loss of confidentiality, integrity and availability of individuals' data. For example, data breaches could lead to identity theft. However, privacy risk can also arise by means that are unrelated to cybersecurity incidents." So there's the smoking gun. That sentence is the reason why the NIST body still sees privacy as a separate framework. Because, quote, privacy risk can also arise by means that are unrelated to cybersecurity events.

Speaker 1:

I am further confounded, confused and maybe even a little grumpy about that statement. The cybersecurity framework includes physical protections to things like data centers, so it obviously acknowledges that you can have an impact to confidentiality, integrity, availability that are not really cybersecurity, that are, simply, someone walked into a data center and removed a hard drive, there was a natural disaster and a location is offline. Those are not cybersecurity incidents, but yet we cover them under the cybersecurity framework. Yes, they are not distinct. There are other frameworks that talk explicitly about disaster recovery, so, no, I'm not attempting to conflate those things either. What I'm failing to understand here is we know that you cannot have privacy without security. It is not a thing. You can, indeed, have security without privacy, but you cannot have privacy without security, and so I'm very much failing to understand why these two are separate, especially if you added the ring of governance to include governance as one of the key pillars.

Speaker 2:

Well, maybe that's a question we'll ask NIST when we tag them.

Speaker 1:

I need an answer. I'm just curious how we arose to that decision. The document clearly does point out why it thinks that with that anecdotal blurb. But I think part of the problem with both privacy and security is that as long as we continue to treat them as these distinct practices, we're going to end up with the outcomes we have. Here's a really good example of that.

Speaker 1:

We treat ransomware as largely a confidentiality risk, namely data loss. Now, those of us following along at home would have remembered that the Verizon Data Breach Investigations Report from last year, 2023, very accurately points out that availability is the number one impact of ransomware. It crossed the threshold two years ago. Data loss was, no longer is the case. Availability is the number one impact. Where am I going with this? Cybersecurity is still treating ransomware incorrectly. If the impact is availability, then encrypting your data doesn't protect against availability attacks, because if I re-encrypt the data, you've also lost access to it. You know why this is a problem? Because we keep separating CIA, confidentiality, integrity and availability, across this line of security and privacy. This Venn diagram should be one circle. One circle. The cybersecurity framework and the privacy framework I do not, do not genuinely think, should continue to exist as two distinct entities.

Speaker 2:

Yeah, now is this. It says that the 2.0 version now applies to all audiences, industry sectors and organizations, instead of just critical infrastructure owners. I didn't know that.

Speaker 1:

I think that's a great update. So a lot of times, NIST documents are published with an intended audience of critical infrastructure owners, both public and private, and that can be everything, of course, from banks to other government entities. There are government banks, so yeah, nonetheless public and private sector, but largely critical infrastructure. I really do appreciate that this has expanded itself to include all verticals, because everyone suffers from cybersecurity incidents these days. Everyone does. If you now acknowledge that the cybersecurity framework covers all entities, not just critical infrastructure, you've also just included all of the entities that are responsible for individuals' data.

Speaker 2:

So to add on to that, Gabe, the framework added emerging threats rooted to artificial intelligence and quantum computing too. What does this mean?

Speaker 1:

I'm hopeful that it means that we now have a framework that others can use when thinking about threats against artificial intelligence and quantum computing. Or I should say, on the second, the inverse of that, how quantum computing can affect what we already do today and the threats that will emerge from successful quantum computing, the primary risk there, of course, being a privacy one right. Like everyone's worried that quantum computers will lead to the ability to decrypt information that is currently otherwise very well protected. A privacy issue, a privacy issue.

Speaker 2:

There's no secure network, period. Right, you can't. I mean, there's no way to get around, like, even if you have a VPN, you mean that assumption of compromise that I love to go back to.

Speaker 1:

Yeah, yeah, I think it's. It is mostly a foregone conclusion with many security folks that the assumption of compromise is the best way to treat your networks. I say most security people because not everyone has adopted a zero trust mentality, much less the framework, another framework put forth by NIST, zero trust, right. Reauthenticate all the things, right? Like nothing should get. There should be no implicit or inherent trust throughout the systems and the network. One should assume that compromise can and or does already exist, and so you should compartmentalize and check those things. That assumption of compromise is, I think, very alive and well in this part of the conversation. Hmm, should zero trust be a separate framework than CSF? Now that we're talking about it, I understand the differences between what they are intended to do and describe. One is implicitly just about infrastructure and the other is a much larger component of that.

Speaker 1:

Yeah, I'll just continue to be grumpy about the privacy and security. Look, maybe it's because that's what we do here. This is, this show is rooted in privacy and security. Not security, not privacy, but privacy and security, for a reason. What we really dig into here is where that intersection of those two things live, and I think there's. We will continue to see failures and be able to protect ourselves, even against ransomware, when the number one threat is availability. The number one threat posed by ransomware is availability and we keep treating it like a confidentiality problem. Fail when we keep treating privacy as something separate and distinct and the cybersecurity necessity fail.

Speaker 2:

In your opinion, what kind of challenges do you think organizations, especially like smaller firms, might face when implementing a framework like the 2.0? Do you have any concerns there?

Speaker 1:

Really, it's not. It's not. A lot of small organizations won't be audited against it. I think it is difficult for many small organizations to implement the cybersecurity framework. I think what's important for those folks is to be able to have access to a service provider that can assist. Having in-house expertise to cover off on these critical things is going to be difficult. The framework, however, the place to start, if you are a smaller entity, is with the Identify, right, like.

Speaker 1:

You need to understand your risk. What are your risks? You need to know what they are. If you are small, you need to know what they are. That being said, when you are small, the answer is also somewhat fairly easy. It's everything. You can't really absorb the blow of a ransomware impact. If you get hit with ransomware, even a 50,000 or five ransom can really, really, really impact your business. It can shutter your doors. We have watched it happen. Arguably, for some of those folks, for a lot of small folks, the place to start is at Protect. It's at Protect and then measure the gap between what you have. But you can arguably get closer to protecting, air quotes, everything when you are small. Just run to that, if for no other reason than the risk of being impacted by something like ransomware. I'm just going to use that because it's the highest ROI attackers have these days and it's not going anywhere. But if the risk of ransomware putting you out of business is real, then I might argue you should fast forward right to Protect.

Speaker 2:

Anything beyond AI and quantum computing that NIST should consider already? Well, I guess, on top of combining the privacy framework, is there anything that you can think of from your perspective on something they should be looking already at implementing for the next phase?

Speaker 1:

of the future. I'm out here armchair quarterbacking, but for the record, I did submit some of this feedback during an open call for feedback, so none of what I'm saying here is new. At the moment. It has been a very long time, 200 episodes and counting at this point, that we've been talking about that intersection of security and privacy, of just how intertwined they are. I went through the thing and I submitted that feedback. I don't think I have anything else that's really salient to call out here. I want to give credit where credit's due. This update is amazing. This update is incredible.

Speaker 1:

I'm excited to watch folks adopt this in the real world. I'm hopeful that it's also an opportunity for some of those organizations that had not gotten to maturity and maybe they take this opportunity to get to maturity now on 2.0. This is kick butt. This is absolutely kick butt. I think we have worked it. I think we have. I know we have worked it, I know we have. Well, yeah to that point wake up people. Wake up.

Speaker 2:

If you haven't done anything yet, you might want to jump on it. Now's a good time.

Speaker 1:

Now's a good time. Now's a good time because it's live.

Speaker 2:

It's not just a draft. It happened, it's real, it's real.

Speaker 1:

There's a lot of good things in this. Yeah, absolutely. I think one of the most, yeah, one of the best parts about it, too, is it introduces organizational context. It's at the top of the governance chart. Organizational context is a thing that's been missing from a lot of cybersecurity practice. A lot of cybersecurity practice. It is the thing that is missing from a lot of privacy practice. That lack of organizational context is what leads to such exposures.

Speaker 2:

Well, give us your thoughts, people, listeners. If you have any insights or questions, please shoot them our way, unless I disagree with them.

Speaker 1:

in which case, yeah, bring those too.

Speaker 2:

Gabe wants it. He's just saying that he doesn't want it, but please send them, add him, add him. It's okay, he probably won't even read it. He tries to stay off the socials, so you can email him here at that's GABR.

Speaker 2:

Yeah, yeah, yeah. Well, Gabe, good stuff. Love to see this and we'll stay on alert for any other new changes in anything with the privacy framework, if there's any. But we will at NIST and see if somebody will respond to us on that, or maybe we'll bring them on the show. Yeah, right on, cool. Thanks for coming this week and we'll see you guys next week. And let's, Gabe, you had anything, let's go. All right, see you later.
