Vice President Bruce McConnell discusses progress and challenges with the cyber framework in advance of EWI's upcoming San Francisco and Berlin conferences.
Bruce McConnell, who served as a top cybersecurity strategist at the Department of Homeland Security, says the financial, telecommunications and energy sectors are making good progress on cybersecurity, though much work remains to be done at smaller companies in every sector.
McConnell served as DHS cybersecurity chief until last summer and helped put together the process that led to the National Institute of Standards and Technology's framework of cybersecurity standards.
He is now vice president of the EastWest Institute, which is holding meetings in June in San Francisco and December in Berlin to kick off a "global cooperation in cyberspace" initiative.
The NIST framework was released on Feb. 12, one year after President Obama's executive order on cybersecurity. Three months after its release, the issue of scalability for smaller companies remains a hot topic of debate among cybersecurity professionals.
"Second-tier companies are the weak link," McConnell said in an interview with Inside Cybersecurity. "They are less able to make the investments and less aware of the issue. That's one point that isn't fixed yet."
The effort to ramp up cybersecurity "is still really a 'push' thing from government rather than companies pulling it," McConnell said.
DHS, NIST and other agencies including the Small Business Administration are trying to alter that paradigm, stressing in multiple settings that the private sector should drive cyber improvements.
Based in New York, McConnell has taken a particular interest in the financial sector's moves on cybersecurity, saying the industry is "at the forefront" of cyber policy.
The Securities Industry and Financial Markets Association is using the framework to improve the cybersecurity practices of members and supply-chain partners, McConnell said.
"We are totally supporting use of the framework," SIFMA's Karl Schimmeck told Inside Cybersecurity. "We're encouraging members to evaluate it and get to know it. We're using it as a communications mechanism and our companies use it to assess themselves."
A SIFMA working group has mapped the framework to the multiple regulations covering the financial industry, Schimmeck said, adding that regulators are performing the same exercise.
McConnell also praised efforts by the Department of Energy to develop cybersecurity maturity models and other tools of use to the electricity, oil and gas sectors.
Looking across the critical infrastructure sectors, McConnell said telecom companies and banks "have religion" when it comes to improving cybersecurity.
The healthcare industry, on the other hand, "still has a long ways to go," according to McConnell.
The big question, McConnell said, is still "what does it take to get companies to make investments in cybersecurity?" The pace of investments has "moved up a notch in the last five years, but it's still slow," he added.
Awareness of cyber vulnerabilities is growing in the private sector, according to McConnell, but "how do you translate awareness into action?"
The answer to that question "will remain a work in progress," McConnell said. "The biggest unused driver is customer demand. That is, once users – individuals and businesses – get fed up with bad security, they will demand change."
McConnell expressed his hope that NIST would maintain management of the cybersecurity framework, even though the agency says it intends to hand it over to a private-sector entity at some point.
"It makes sense for NIST to own it," McConnell said. "They run a fair process and are truly a neutral party. I don't see anyone else who can do it as well." He urged Congress to provide funding that would allow NIST to maintain this role.
Photo Credit: Roxanne Tamayo via Flickr.