While the financial services sector has seen heavier cyber regulation than other industries, the federal government has acknowledged the importance of cyber security across industries. In 2013, President Obama issued an executive order calling for the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure. The NIST Framework, released in 2014, was meant to “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach,” according to the executive order.
Thomas Finan, client engagement and strategy leader for North America at Willis Towers Watson Cyber Risk Solutions and former senior cybersecurity strategist and counsel for the Department of Homeland Security, credits NIST with helping set in motion a flexible mindset and approach that provides a road map for what industries should think about and prioritize for cyber security. “And what NIST recognized…is that every organization is unique and has a unique cyber-risk profile. But there are shared common approaches and issues.”
Finan believes the NIST Framework provides a backbone that an organization of any size, in any industry, can build on and extend as needed. And, according to Gartner research, 30% of U.S. organizations had implemented the framework two years after it was released, with 50% predicted to implement it by 2020.
“I think the federal government has spoken through NIST with the cyber-security framework,” Finan says. “And I think what you are likely to see, and what you are seeing, is that industry sectors and associations are responding to the framework with their own interpretations on how best to implement it. That’s what’s getting traction right now.”