Value of Security Standards

[00:00:20.650] – Kerry Bonin

Hi.

[00:00:22.090] – Jason Pufahl

So today we’re going to cover the riveting topic of security standards. We’ll be throwing acronyms out there like this NIST 800 later and ISO 27000.  We’ll get a little bit more detailed than that. I gave some talk to this over the weekend, and we get a lot of blanks there I think when we talk about security standards, especially with smaller organizations that aren’t so familiar with the idea of having to adhere to a standard.

[00:00:51.050] – Jason Pufahl

I think it’s partly because the industry uses terms like framework or GRC, governance, risk, and compliance, and they feel, in my opinion, they sort of feel ominous. They feel big, they feel cumbersome. I don’t know that people understand why they would need to remind them what the value might be. So I want to touch on that a little bit today.

[00:01:12.710] – Steve Maresca

And some businesses don’t even believe they have real compliance requirements. So it’s a subject that is an unknown in general.

[00:01:20.150] – Jason Pufahl

Yeah, we get that right. I don’t have data that anybody cares about. Nobody looks at us as an organization. There’s any number of reasons to feel like security could be an afterthought. But I think if we anchored this a little bit more on the idea rather than say standards and frameworks and just a little bit more like a blueprint.

[00:01:38.330] – Jason Pufahl

I feel like that’s more the spirit of this, it really is provide you something to build a program against. You’d never build a house without a blueprint and expect the house to turn out in any way the way you would envision it.

[00:01:51.530] – Jason Pufahl

Your idea of a cape and the builder’s idea of a cape could be totally different [inaudible 00:01:54] blueprints. Same thing as these, give yourself a blueprint, build your program, make it aspirational it can take some time to build against. But choosing something I think is the right path. I’m interested in your opinions around really, though, what the benefits of aligning to these standards might be.

[00:02:16.790] – Kerry Bonin

Well, there are several benefits a company needs to know what information is secure not only for their organization but for their customers as well. Customers more frequently want to know, what are you doing to secure our information.

[00:02:37.770] – Steve Maresca

Sometimes it’s a prerequisite for doing business at all. So it’s really about rigor, demonstrating care is being taken to protect information, protect your customers’ data.

[00:02:50.670] – Jason Pufahl

We’ve seen a lot more of that, too, right? The third-party risk assessments in your questionnaires that your customers submit to their upstream providers. People are much more concerned now about what happens to the data that they trust you with and it’s a fair amount of work to demonstrate that. I think your aligning to a specific standard or using a specific blueprint, can potentially really help show where you are in that maturity spectrum.

[00:03:20.070] – Kerry Bonin

On the same topic, brand reputation is a big one too. Nobody wants to have a data breach associated with their brand.

[00:03:30.870] – Steve Maresca

And after a breach, sometimes it’s a requirement to demonstrate certain actions have been taken to a certain criteria in order to actually regain the trust of business partners.

[00:03:43.230] – Jason Pufahl

Well, and, Kerry, you were [inaudible 00:03:45] earlier before we started this around the idea of a roadmap. I think if you are having a conversation with a client or you are trying to demonstrate or keep your reputation intact, it’s valuable to be able to say we align to a specific standard. Here’s our roadmap toward compliance. We’re 30 percent of the way there or 50 percent of the way there.

[00:04:09.930] – Jason Pufahl

I think being able to demonstrate to people that you take it seriously that you had an active plan for compliance is a much more positive discussion than simply saying, “Yeah, we did some things that we thought were probably right.” And we see that all the time.

[00:04:25.410] – Kerry Bonin

Realistically, these frameworks were put together by experts in their field. They’ve all gone back and figured out what was the best practice. What were some of the vulnerabilities? Let’s look at the cyber attacks and come up with something that basically secures companies, their data, their information going forward, and it shows you how to get there.

[00:04:51.990] – Jason Pufahl

It just occurred to me, it lets people speak the same language. If you say to somebody, I align to, throughout the first set of numbers, I align to NIST 800-171. That means something to folks in higher Ed, to people in the Department of Defense space. It gives them context. It gives them an ability to say, “Okay, I generally know where you’re going. I understand the families. I know the controls.” That’s a valuable way to start a conversation.

[00:05:19.170] – Steve Maresca

I think there’s an important emphasis here. Many businesses feel that they are not obligated under certain regulations. They don’t perceive themselves as having compliance requirements. There’s a difference between obligation and aspiration.

[00:05:37.230] – Steve Maresca

It’s appropriate to aspire to a standard that may in other businesses be a requirement because at least in that sense you are looking forward to new markets, new partners. Demonstrating in excess, perhaps in your industry of rigor that helps you differentiate from other entities. It’s multifaceted type of conversation.

[00:06:03.090] – Jason Pufahl

So we talked a little bit already about the “why” and I think your reputation certainly, customer trust is really valuable. To some degree it puts you in the driver’s seat of the conversation, personally, I think, is a valuable thing to do, gives you something to measure your security program against.

[00:06:23.250] – Jason Pufahl

Steve, you’ve mentioned now, and at least a couple of times, the regulatory requirements. Not just trying to implement a mature security program for the betterment of your own company, but you might be compelled to do that.

[00:06:37.530] – Steve Maresca

You might be compelled to do it if you manage certain types of data. If you’re a healthcare organization, you undoubtedly know about HIPAA. If you deal with credit card transactions, you know about PCI. Those are great if you’re those types of organizations.

[00:06:56.310] – Steve Maresca

However, if your business doesn’t deal with that sort of information or you’ve subcontracted that activity out to third parties so they have to do most of the heavy lifting, your business may still be subject to regional privacy laws like the Massachusetts Privacy Law, like California data disclosure requirements, if there is any sort of security event like New York Shield Act.

[00:07:20.970] – Steve Maresca

There are a variety of regulatory frameworks that frankly traverse state boundaries, regional boundaries, international alike, and they have embedded within them reference to or frankly derivative from standards themselves. If you can attest to a certain standard, you are essentially making it easier to comply with those broader regulatory requirements that may be looming in the background not even something on radar of many businesses.

[00:07:59.290] – Jason Pufahl

Connecticut has that, the House Bill 6607, and I don’t want to spend a lot of time on that. I think we’ll actually try to dedicate a podcast to that. What I found interesting about it was they said we’re encouraging businesses to align to a security standard. They didn’t specifically say you must pick this one, or we’re going to mandate that you pick this one. They really just want to see formality and security program.

[00:08:27.010] – Jason Pufahl

I think in a lot of ways, that’s what I would personally advocate for rather than trying to look at these and say 853… And Kerry, I’m going to push a couple of [inaudible 00:08:37] to you in a second, but that 853 and it’s hundreds of pages long versus ISO 27000, which touts itself and may be an international standard and they don’t know what to choose.

[00:08:47.650] – Jason Pufahl

Maybe the ultimate bad outcome is they choose nothing. So I’m wondering we’ve got three I know that we spoke specifically about, a NIST standard, an ISO standard, and then CSF, and I’m wondering if you can spend a second just high level on what those are.

[00:09:07.630] – Kerry Bonin

Okay. Well, the NIST 800-171 or NIST 853 both have to deal with security and privacy of your information. The ISO 27001 along the same lines it has much more of a managerial aspect to it, and it also requires an actual certification. Somebody will come and audit your organization to see how your organization is complying with these standards. So it definitely gives you that certification that lasts for three years, I believe, and it’s something you can put forward to your customers.

[00:09:52.750] – Jason Pufahl

And again, speaking from the same language. So you can say I’ve been audited against ISO 27001, and there should be a general understanding or a global understanding what that means.

[00:10:01.750] – Kerry Bonin

And there are actually mapping between the different frameworks.

[00:10:06.250] – Steve Maresca

That’s a really important point, too, because some of our customers will have their clientele come to them asking to demonstrate compliance with standard ‘X’, and realistically, it’s not about standard ‘X’, it’s about demonstrating rigor. It’s to help that conversation purely. And as long as you can show forethought and use of one of the standards, the mapping themselves make that conversation clear.

[00:10:32.890] – Kerry Bonin

And there’s a lot of overlap. There’s access management, encryption, education. There’s a lot of overlap between all of them. It really depends on how your organization wants to approach cybersecurity. They’re daunting, but it’s definitely something that’s doable by almost every organization.

[00:10:58.450] – Jason Pufahl

I think that overlap comment it’s a good one, in the sense that by picking one doesn’t mean that you’re excluding requirements necessarily by another. To your point, they’re all going to have some network security components. They’re going to have security awareness components.

[00:11:13.810] – Jason Pufahl

There’s a whole varieties that do overlap, and there might be some distinctions, of course, but generally, there are only so many security controls that you can put in place. The language, maybe around how you measure yourself might be slightly different. I think the language around expected outcomes might be a little bit different maybe.

[00:11:30.850] – Kerry Bonin

A little bit. NIST is definitely more focused on the technological end of it, where ISO is much more as I mentioned a managerial approach to it. But they do have a lot of the same language and a lot of overlap.

[00:11:54.650] – Jason Pufahl

So if you were suggesting to smaller organizations how to tackle this because I think some of the conversations that we’ve had certainly have been maybe somebody might spend money. There’s certainly a financial component of compliance and a lot of the timetable chat it’s around, well, I need to make sure there’s an ROI here, that I get money back for the investment that I’ve made.

[00:12:21.450] – Jason Pufahl

Do you have counsel for how people might approach that or approach these reasonably? Because I think that’s often the challenge. They feel onerous, they feel big. How do you approach it to feel like you’re actually making progress in a way that fits a budget potentially?

[00:12:36.630] – Kerry Bonin

Well, it all depends on the organization, and it depends on what type of service or item you’re providing, and what the cost of cyber security would be based on what service you’re providing. So in other words, for the NIST 800-171 which is CUI-based, organizations need to look at how much they’re bringing in based on their CUI contracts.

[00:13:08.310] – Kerry Bonin

And maybe a percentage of that should be based on cybersecurity, because it is so important that you keep that information secure. A larger percentage of that should be based on cybersecurity, but every organization should implement some version of securing their information. So every organization has to do it their own way as far as a budgetary requirement.

[00:13:32.790] – Jason Pufahl

Actually, that is really the right way to look at it. It’s how much of your business might carry a regulatory requirement and frankly, how much of a spend you need to make to protect that. I want to back up for one quick second because we promise we do this every time. CUI-

[00:13:50.730] – Kerry Bonin

Oh, sorry.

[00:13:50.730] – Jason Pufahl

That’s fine. Controlled Unclassified Information. I’m not going to spend one second trying to describe what CUI is, but for anybody who’s interested, Controlled Unclassified Information, which really is specifically [inaudible 00:14:01].

[00:14:03.930] – Kerry Bonin

For the Federal Government.

[00:14:08.830] – Jason Pufahl

To the degree that you can’t have a favorite. Does anybody have a favorite standard or one that you feel that… Maybe let’s say it this way. A business that might not have a specific requirement around implementing a specific standard. Is there one that just feels like the right balance of security and say reasonableness, perhaps? I’m just curious about opinions.

[00:14:36.830] – Steve Maresca

I’m fond of the NIST cybersecurity framework. It’s general, it’s high level, it’s approachable, and it’s not overly prescriptive. Absent of any specific business requirement is a relatively good place to land.

[00:14:56.390] – Kerry Bonin

I prefer the ISO 27001 of course, because I feel it takes into account how your managers are going to put this framework into place and worked on improvement every year. You don’t have to take the whole thing and implement every single standard, but you can start with a risk analysis and go from there.

[00:15:21.790] – Kerry Bonin

What’s our highest risk? What do we need to implement first and then move forward? Then following that the next year you do a risk assessment, you find out if anything has changed, if what you have put in place is beneficial, is working, and then you address more security controls. So you can build it up slowly.

[00:15:44.590] – Jason Pufahl

That maturation process is important.

[00:15:46.810] – Steve Maresca

On that note, I think it’s worthy to think of the various standards that we’re describing as targets. They can be discovery vehicles as well. You don’t start out the gate implementing to meet a standard. It doesn’t work that way. You have to measure first, determine what’s worthy of prioritizing, what’s relevant within the budget, time frames, staffing, and all of that.

[00:16:16.510] – Steve Maresca

They are, again getting back to our road mapping and blueprint metaphor, helpful to define a trajectory for security improvement overall. If you look at them in that way, they’re less looming, they’re less confrontational types of subjects and perhaps they point in a direction that help to identify new resources or deficiencies that organizations didn’t know existed.

[00:16:43.030] – Jason Pufahl

It feels to me like you’re describing the idea of you’re developing a plan of action and milestones. So measuring yourself against the standard: identifying those areas that you’re currently compliant with, identifying where your gaps are, and then really be able to put together that roadmap that I think Kerry that you’ve described. Which is, what potentially does my next 12, 24, 36 months look like as I mature my organization around this specific standard?

[00:17:09.790] – Jason Pufahl

Typically, you don’t have to do it overnight. I suppose it’s possible if you’re in a regulated environment, you’ve done nothing and you have to apply with HIPAA, there may be some work to do. But more often than not, there’s the ability to mature your program in your business around these set of standards. Is there anything in closing maybe that you guys like to add relative to this?

[00:17:34.030] – Steve Maresca

I’d say that absent of a requirement to meet a particular standard, it’s appropriate to choose something that feels well adapted to the business. It’s entirely appropriate to select a subset of that standard to implement if that is a tolerable target within your organization. As long as you do something, it’s about forethought, it’s about planning, it’s about improving the state of affairs from today and into the future, and to the extent that their guidance can help. That’s how I look at these things.

[00:18:12.070] – Kerry Bonin

I think one of the important factors in most of these frameworks is a risk assessment similar to what Steven was saying. If you sit down with your organization and find out what your risks are, not just your IT guy. Let’s talk to your general manager, your HR director, they’re all going to have different risks. So one would prioritize what the largest risk to your organization and the daily function that you have right now and move from there. So work on what is going to affect you the most first.

[00:18:50.050] – Jason Pufahl

The thing I like about that statement, I feel like we could make this another 20 minutes if you want to do, is that intersection of IT risk versus business risk. I think the fact that you’re touching on… Your security is just a conduit to improving your business ultimately and making sure that [inaudible 00:19:05] I think it’s really important.

[00:19:09.890] – Jason Pufahl

I think ultimately there is a lot of institutional benefit for identifying and trying to adhere to a standard, but if you can speak the same language, you’ve got all the reputational benefits that we talked about. It allows you something to build your program on.

[00:19:25.130] – Jason Pufahl

Generally, while maybe not the most exciting discipline for information security, perhaps, and I think a lot of IT practitioners, in general, would prefer more technical controls implementations. This really does guide the work that your business is doing and your technical staff is doing. There’s a lot of good reason to implement that.

[00:19:49.370] – Jason Pufahl

So I think on that note, I appreciate Steve and Kerry, you joining me today in talking about security standards. Hopefully, we’ve demystified that a little bit for folks who were listening.

[00:20:01.430] – Jason Pufahl

As always, you can follow us on Twitter. If you’ve got any questions or comments relative to this topic, we’re happy to try to address them there. Follow us on LinkedIn, and your podcast is available on Spotify and Apple Music among a variety of other locations. So thanks both of you for joining and I hope people get value out of this.

[00:20:25.230] – Speaker 1

Stay vigilant. Stay resilient. This has been CyberSound.