A survey released on Tuesday suggests the federal government’s recommended framework for how companies can reduce their cybersecurity risk is gaining traction.
Forty-three percent of the 338 respondents said that in the next year they will have adopted or plan to adopt the National Institute of Standards and Technology’s set of best practices known as the Framework for Improving Critical Infrastructure Cybersecurity. More companies are planning to adopt it than any other framework, although its overall rate of adoption may still be low.
The National Institute of Standards and Technology or NIST, a division of the U.S. Department of Commerce, established its framework in 2014 after President Obama issued an executive order calling for a voluntary set of standards and practices to reduce the nation’s cyber risks. It has scheduled meetings at its Maryland headquarters on April 6-7 to discuss how and when to make updates to the framework.
The survey also found that 84 percent of respondents had adopted a framework to manage their cybersecurity, whether it was the one put forward by NIST or another trade group or an original plan. The data is drawn from a February 2016 survey of 338 U.S.-based IT and security professionals, conducted by technology market insight company, Dimensional Research, and commissioned by Maryland-based cybersecurity company, Tenable Network Security.
“The investment and focus on cybersecurity is changing dramatically as the attacks become more frequent,” said Laura Jehl, co-director of the data security practice group at Sheppard Mullin Richter & Hampton.
Jehl, however, noted that most companies have only adopted or implemented parts of any framework. For instance, the survey broke out five functions of adopting the framework such as identifying threats, protection, detection, responding and recovering. “For most of the five functions, only about one in five ranked their organization as very mature in their adoption,” the survey reports.
Of those who did adopt the NIST framework, more than 70 percent said they did so because they considered it a “best practice,” while another 29 percent said a business partner required it and 28 percent said a federal contract required it.
Twenty-five percent of the participants hailed from companies with more than 10,000 employees, 15 percent from companies with more than 5,000 employees, 32 percent from companies with more than 1,000 employees and 28 percent from companies with more than 100 employees.
Other findings in the survey include:
- The most widely used framework was the Payment Card Industry Data Security Council Standard (47 percent), followed by International Oragnization for Standardization (35 percent), followed by the Critical Security Controls (32 percent), followed by the NIST framework (29 percent).
- Adoption of the NIST framework is growing the fastest among respondents, with 14 percent planning to adopt in the coming year.
- Factoring in projected adoption, PCI will be used by the most respondents (55 percent), then ISO and CIS (both at 44 percent), and then NIST (43 percent).
- Only 13 percent of respondents said they would discontinue use of a framework.