A Comprehensive Risk Assessment Policy and Practice

“We used the framework as a way of guiding how we changed our business operations through the institution of a risk-assessment meeting,” says Jeff England, CFO at Silver Star Communications, in the above video. England is referring to the NIST Cybersecurity Framework, which Silver Star used as the basis for formally addressing risk across business functions (e.g., human resources, competition). Cybersecurity was woven into their planning conversations and became part of their strategic plan and the resulting capital budget.

The framework can be daunting, and England explains how they are splitting it into bite-size pieces that they integrate into their existing processes over time. He emphasizes that regulatory authorities need to continue to let operators implement the framework on a voluntary and flexible basis, rather than through a mandatory, prescriptive approach.

He describes a scoring method he developed to give them a relative measure of progress toward their compliance goals. He says they also opened a dialog with vendors in order to learn from larger companies, and found that some of those companies did not have a comprehensive cybersecurity risk plan. Cybersecurity questions have since become a routine part of Silver Star's vendor evaluation process.

As a supplier in turn, they are having proactive conversations to educate other businesses about cybersecurity risk. What they learned has also informed their network configuration choices (e.g., keeping traffic and services within the Silver Star network rather than moving them to an Internet cloud service) to reduce the opportunity for breaches. Their implementation of the framework has become a competitive advantage.

England emphasizes that there is only so much private operators can do to thwart criminals and fend off acts of war by nation states. He believes government needs to do more to penalize those committing cybersecurity crimes, instead of penalizing the private businesses that are the victims of those crimes. He illustrates the point with an analogy: a shopkeeper whose shop is broken into would not be fined for having installed the wrong kind of security camera.

Coverage of the 2015 IP Possibilities made possible by NTCA.
