Representatives from critical infrastructure providers and employees at the National Institute of Standards and Technology spoke at an event at the Department of Commerce in Washington, D.C. about President Obama’s new executive order on cybersecurity.
According to a Federal News Radio article, two central themes came out of the discussion: collaboration is key, and the cybersecurity framework must go beyond the basics of managing security risks.
“We struggle to determine precisely where we should be making investments,” said Terry Rice, the associate vice president for IT risk management and chief information security officer for Merck.
“It’s not just within IT. It’s also within, if I have a dollar, do I spend it on research on Alzheimer’s or cancer or some other affliction, or do I spend it on protecting my information and systems?”
Michael Papay, the vice president for information security and cyber initiatives at Northrop Grumman Information Systems, said the cybersecurity framework can’t lose sight of the economics issue and must provide a critical set of controls to balance all the factors.
According to the article, NIST and industry will work together to try to identify and fix gaps in cybersecurity and ensure the framework is dynamic as threats change.
“Our initial plan is to organize along three main topic areas: managing risk, cyber hygiene and tools and metrics,” said Patrick Gallagher, director of NIST.