“We used the framework as a way of guiding how we changed our business operations through the institution of a risk-assessment meeting,” says Jeff England, CFO at Silver Star Communications, in the above video. England refers to the NIST cybersecurity framework and how Silver Star used it as the basis for formally addressing risk across functions (e.g., human resources, competition, etc.). Cybersecurity was woven into their planning conversations and became a part of their strategic plan and the resulting capital budget.
The cybersecurity framework can be daunting, and England explains how they are splitting it into bite-size pieces that they integrate into their existing processes over time. England emphasizes that regulatory authorities need to continue to allow operators to implement the cybersecurity framework on a voluntary and flexible basis, as opposed to a mandatory, prescriptive approach.
He describes a scoring method he developed to give them a relative measure of their progress toward compliance goals. He says they also opened a dialogue with vendors to learn from larger companies, and found that some of these companies didn’t have a comprehensive cybersecurity risk plan. Cybersecurity questions have since become a routine part of the vendor evaluation process.
As a supplier, they are having proactive conversations to help educate other businesses about cybersecurity risks. The knowledge has also informed their network configurations (e.g., keeping traffic within the Silver Star network rather than sending it off to an Internet cloud service) to reduce the opportunity for cybersecurity breaches. Their implementation of the framework has become a competitive advantage.
England emphasizes that there is only so much that private operators can do to thwart criminals and fend off state acts of war. He believes that government needs to do more to penalize those who commit cybersecurity crimes, instead of penalizing the private businesses that are the victims of those crimes. He illustrates this last point with an analogy: a shopkeeper wouldn’t be penalized, after a break-in at her shop, for having used the wrong kind of security camera.