Public says critical infrastructure cybersecurity framework should be risk-based, says NIST

From: FierceGovernmentIT

By David Perera

An analysis of the comments received so far by the National Institute of Standards and Technology on the cybersecurity framework called for by President Obama’s February cybersecurity executive order shows that respondents treat risk management approaches as a matter of nearly universal concern.

NIST categorized responses to a request for information for incorporating “consensus standards and industry best practices” into a voluntary cybersecurity framework for operators of critical infrastructure. That analysis (.pdf), released May 15 ahead of a second planned workshop to be held at Carnegie Mellon University in Pittsburgh on May 29-31, shows that 81.1 percent of all comments touch on risk management approaches.

In sum, they state that the framework “should encourage the use of risk-based approaches rather than compliance-based approaches,” NIST says. Said one commenter, “The IT security budget is a zero-sum game, every dollar spent on compliance is a dollar not spent on risk-management.”

Also high on the list of apparent concerns is understanding the threat environment, which NIST says comes down to “improved understanding, knowledge and information sharing of threats and the constantly evolving threat landscape and its impact on critical infrastructure.”

One commenter questioned whether standards and guidelines can keep up with the continually changing threat landscape, raising the possibility that they may become ineffective for incident management.
