By Kent Landfield, Director of Standards and Technology Policy, McAfee, and Malcolm Harkins, Chief Security and Privacy Officer at McAfee
When the Administration released the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) on February 12, 2014, many of us at McAfee were familiar with the details, as we had participated extensively in the public – private collaborative process to develop the Framework. What we didn’t yet know, however, was how the Framework would stand up when put to the test: what kind of learnings it would yield, what kinds of benefits it would really have. We knew theoretically that the Framework should be a valuable tool for organizations of all sizes, but we wanted to try it out ourselves to see if those expert assumptions were valid in a real organization. We aimed high: The business unit we partnered with to develop the McAfee use case is sophisticated in terms of cybersecurity and manages a large range of products and services. We chose McAfee IT and targeted the Office and Enterprise areas of our compute infrastructure to conduct our pilot project.
We focused on developing a use case that would create a common language and encourage the use of the Framework as a process and risk management tool rather than a set of static requirements. That aim proved successful, and we recently documented our experience in a white paper. Even in these early stages, the Framework has already helped us harmonize our risk management technologies and language, improve our visibility into McAfee risk landscape, inform risk tolerance discussions across our company, and enhance our ability to set security priorities, develop budgets, and deploy security solutions.
One of the most valuable aspects of this pilot project is the discussions about security processes and terminology it has been generating. For example, a security policy might be written the same way across the corporation but implemented differently in groups such as manufacturing and human resources. Recognizing these differences is important, and discussing them becomes part of the security culture of an organization.
We plan to implement the Framework in other parts of McAfee, and we encourage other organizations to implement it too. Some words of advice based on our experience:
For implementation of the Framework:
- Do it yourself. Don’t rely on others to come in and give you an assessment, because the Framework is meant to be a tool for discovery – not a standard for measurement.
- Start where you are comfortable. It made sense for us to start with the Office and Enterprise business functions because our IT Security organization had already begun similar efforts.
- Tailor the framework to your business. Adding, changing or deleting categories and subcategories helps the Framework align with an organization’s business environment. Don’t be afraid to customize the Framework.
- Engage decision makers in every stage of the process – continually. Cyber risk management is a dynamic process that doesn’t have a neat end result. A continuous process of iteration and validation will result in an ongoing dialogue about risk, which is the aim.
For continued work on the Framework:
- Include cyberthreat intelligence. As the Framework continues to develop in the U.S., we believe it should include key elements such as the cyberthreat intelligence lifecycle, which is essential to developing a robust understanding of cybersecurity attacks.
- Extend beyond the U.S. We believe the Framework’s benefits are not confined to the U.S. In fact, governments in other parts of the world have begun reaching out to learn more about its potential. We encourage transnational dialogue and adoption of the Framework across the globe.
McAfee looks forward to continuing to use the Framework to analyze other areas of our business, as we believe it will provide value across our entire organization. Because we’ve taken the Framework out of the wrapper and made it a working tool, we feel confident in our belief that by focusing on risk management rather than compliance, the Framework has the potential to help transform cybersecurity on a global scale and accelerate cybersecurity across the compute continuum.