Peers Share Stories About Adopting the Cybersecurity Framework


Posted on by RSAC Contributor

Peer-2-Peer sessions give RSAC attendees the opportunity to dig deeply into a single topic area with a group of like-minded peers. Timothy Shea, a member of RSA’s Global Public Sector (GPS) Team, facilitated a P2P discussion about experiences adopting the cybersecurity framework (CSF) at RSA Conference 2015 in San Francisco. In this post, Shea continues the discussion from that session.  

The Cybersecurity Framework (CSF) establishes a common language for describing cybersecurity activities. My session, Cybersecurity Framework: Adoption Experiences and Opportunities, encouraged those who have adopted the framework to share their experience with others who were looking into, or were in the beginning stages of, adopting the framework. I was pleasantly surprised by the percentage of attendees who had or were in the process of adopting the framework (20 percent). It was also encouraging to see a mix of industries and company size represented among those who were adopting the framework.

Discussion focused on three general areas: an overview of the framework components (for those considering adoption); feedback from the adopters on to what degree and how they implemented the components of the framework; and resources.

The bulk of the discussion focused on how the adopters utilized the framework. Some organizations, typically smaller and with less formal existing cyber risk management programs in place, used the framework as a template with which to develop their cyber risk management program. Those who already had a program in place were able to adapt the framework to their existing program.

A common benefit cited by the adopters was the business language in which the framework expresses itself. The value here is that the IT security team could represent their risk posture in terms familiar to the C level or Board of Directors. The incentive for adopting the framework was split between those in regulated industries who wanted to get ahead of expected mandatory use of the framework by their regulator and those who recognized the framework as a best practices guideline for managing cyber risk.

[Note: This session was intended for those responsible for cybersecurity risk management in the sixteen critical infrastructure sectors of the U.S. economy: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems. Anyone interested in leveraging the Cybersecurity Framework (CSF) practices to enhance their organization’s cyber-risk posture was also welcome to attend the session. The goal was to have attendees walk away with at least one new idea or concept to help them adopt the CSF or realize additional value from their implementation of the CSF.]

Additional information on the CSF can be found here:
