The National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new cybersecurity framework to improve the security and integrity of the technology supply chain.White House Fact Sheet, August 25 2021
On August 25, the US president met with representatives of the tech, insurance, banking, and infrastructure industries, and this is the main White House announcement from last week. The NIST will create a new cybersecurity framework for companies in all industries to both embed security in their offerings, but also to assess security across their supply chains.
It is another step of the Biden administration to escalate its cybersecurity efforts. What are the other most critical points that stem from this meeting? Here’s a summary.
Cybersecurity takes coordination: public and private sector unite.
The innovative approach of the new cybersecurity framework had the objective of establishing expectations for these players to support the more extensive governmental effort in a coordinated manner.
Companies and government formed groups dedicated to tackling joint cybersecurity efforts for different industry clusters. Cybersecurity takes different shapes for organizations as diverse as Google, Bank of America, and Duke Energy, so it makes sense to group them separately but unified by the government efforts.
Security by design leaves the buzzword realm and becomes a rule.
The idea of “security by design” means no service or solution goes to market without having security as an essential part. However, in recent years and business priorities, it was more of a buzzword.
The White House initiative takes security by design to the center stage, with all the players agreeing to implement it in all their go-to-market activities. Microsoft said it would commit $20 billion over the next five years towards that goal.
Financial pledges along with the new cybersecurity framework show high levels of commitment.
All the organizations involved in the meeting made a cybersecurity investment pledge, taking different shapes, all with significant amounts.
Some attached a dollar figure to their cybersecurity framework compromise: Google said it would commit $10 billion in five years to fortify technological efforts, zero trust architecture, and help Americans get cybersecurity certifications, creating a robust workforce.
The cybersecurity skills gap exists (but there’s a plan).
Any cybersecurity framework demands professionals. Most of the participants made concrete commitments towards creating a more extensive and skilled cybersecurity workforce in the US. It is known that there are not enough cybersecurity professionals available to tackle the constant growing threats, much less those who have the certifications to take the lead.
IBM pledged to develop this skilled cyber workforce in volume and diversity by announcing partnerships with Black Colleges & Universities to establish Cybersecurity Leadership Centers.
Code.org went the foundational route, offering to teach cybersecurity basics to 3 million students over the next three years. This offer serves to create a more cyber-aware generation and present cybersecurity as a potential career.
Security awareness training gets due acknowledgment for new cybersecurity framework.
As important as having cybersecurity professionals is, security awareness is everyone’s business. Developing good cyber habits across private or public organizations creates a strong line of defense and boosts any technological commitments.
It is no surprise then that the new cybersecurity framework will consider such efforts at its core. Amazon already pledged to offer security awareness training for free for all its customers. The company already provides such training to their employees, and with its reach, there’s a great hope that more and more Americans will become cyber aware.
Apple will provide, among other things, security training for over 9,000 organizations on its supply chain, making sure good cyber habits create a resilient network.
IBM released a statement last week that addresses awareness training as a crucial part of any organization’s culture:
It is imperative that companies make cybersecurity awareness, prevention, and practices a crucial part of their culture for the cyber battle to be won. To help create a strong foundation of digital awareness across society, increasing public awareness through targeted education about cybersecurity continues to be important. Cyber literacy is a necessary ingredient in the building of cyber resilience and offers a timely opportunity for greater engagement and partnership between the public and private sectors.IBM – August 30 2021
At every turn, the White House acknowledges the seriousness of cyberattacks. The private sector has reasons to be on the same page, given that recent attacks crippled critical infrastructure and created serious financial hazards for all involved. We have covered this before, and we feel this will bring even more important developments in the future.
If what happens in the US is usually an indication of the world’s direction, it is essential to watch how other nations will follow this indication.