Specialty Podcast: Common Ways Organizations Use NIST Standards and Frameworks Today

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

CJ Dietzman (00:08):
Welcome everybody to another Alliant Specialty podcast. Thrilled to be with you here today. CJ Dietzman, Senior Vice President with Alliant Cyber. We've got a treat today. I'm here together with my colleague Howard Miller, who is a vice president and account exec within the Alliant Cyber team. He's also a licensed insurance broker, and Howard and I have the privilege of working together, serving many Alliant clients from a cyber risk and security standpoint. And we've got a special guest. Folks, we've got Ron Ross, a fellow with the National Institute of Standards and Technology. Super excited to be speaking with you today.

Ron Ross (00:46):
Great to be here, CJ and Howard, and anxious to share some thoughts with you on the podcast today.

Howard Miller (00:52):
Yeah, thanks for having me.

CJ Dietzman (00:54):
Excellent. Ron, so excited that you're here. First things first, let's start out with what is NIST? Can you help us demystify it a bit? We've all heard about NIST, sometimes we hear reference to the legendary NIST CSF and other NIST standards. The term gets thrown around a lot. We'd love to hear from you as a NIST fellow. Help us understand, what exactly is this organization?

Ron Ross (01:17):
Well, thanks, CJ. NIST has been around a long, long time, over a hundred years. It used to be called the National Bureau of Standards. It was renamed to the National Institute of Standards and Technology. We're a non-regulatory agency, and we're part of the Department of Commerce. And within our 3,000 scientists and engineers, it's broken up into different laboratories. We have a physics lab, chemistry building and fire. And I happen to be in the Information Technology Lab, which is the home of both of our cybersecurity divisions. We have one division that works on developing standards and best practices and guidelines for the federal government and the private sector where they choose to use those. And then the other division devoted to cybersecurity is more of an application of those standards and guidelines, working with customers in the various sectors. And so we've been doing cybersecurity for over 50 years, and we're very passionate about our job. We love what we do. We love working with government, industry and the private sector. I'm really glad to be here today to talk a little bit about cybersecurity.

CJ Dietzman (02:20):
Oh, and we're really glad you're here as well, Ron. Fantastic. What are some common ways that organizations across industry sectors are using the NIST standards and frameworks today? Go ahead.

Ron Ross (02:32):
Well, you have to kind of look at the overall landscape of today's modern information technology environment. We have over the last two decades or more seen an explosion in information technology. You can see it in all the smartphones and the laptops and all of the technology that's really changed the way our country does business. And more recently now you're seeing what I call the convergence of cyber and physical systems where you've got hundreds of computers and automobiles, and you've got all of these different applications on your smartphone.

So it's an incredibly complex and powerful set of technologies that have been rolled out. One of the concerns when you have a complete dependence on that technology is how vulnerable is my organization? Because I am dependent on the technology to accomplish my key missions in business operations. And so NIST has developed an entire series of cybersecurity standards and guidelines that go from the application level, all the way down to the network. And we provide a whole series of safeguard security measures that our customers can choose from to help implement their security programs and help protect their critical missions and business operations, so they can operate in the economy and do business and hopefully do that in a very safe and secure manner.

CJ Dietzman (03:50):
Fantastic. Thank you so much. And is it safe to say, Ron, that by leveraging the NIST CSF and other standards, an organization can really get a feel for its critical risk considerations, establish its own risk tolerance, evaluate threats and then address those risks, controls, threats, vulnerabilities on the backend? Does NIST carry our clients on a journey soup to nuts, so to speak? Or is it more heavily weighted toward the assessment side or the control side? What's your reaction to that?

Ron Ross (04:27):
I think NIST is a full service cybersecurity organization when it comes to standards and guidelines. We have our customers covered from the initial analysis of your critical data, what assets are critical in your organization, and it takes you through a whole process, whether you're using the cybersecurity framework, our privacy framework. We have a very detailed risk management framework, which is tied to our security and privacy controls and our assessment procedures. So from the day that you take that first view of the organization, see what are our critical missions, how is the technology supporting us, how vulnerable is that technology?

Because we're operating today in hostile cyberspace. There are lots of threats and adversaries out there that are trying to do harm to not only the country, but also to our industries. And so understanding the critical assets and what specific safeguards and countermeasures that NIST has defined that you can customize for your organization, so you can implement security programs in a very cost effective manner. That's why NIST provides that full service across the entire spectrum. Now, I will say that there are lots of standards and guidelines in the international community as well, the ISO standards. And so no matter which set of standards you choose, you should be comfortable with the standards and guidelines that you can use them, you understand them and you can effectively apply them within your organization. So every organization can develop a clear understanding of what risks are actually out there, and how much they've done to close down those critical vulnerabilities. So threats cannot exploit the vulnerabilities to cause mission and business impact, which could be catastrophic for organizations if they don't do their due diligence.

Howard Miller (06:11):
Yeah. I'll chime in here. I had lunch with one of our clients yesterday and Ron, he asked me to thank you for the work that NIST is doing. And I think that this is a company that does software development. They're involved in emerging technologies such as artificial intelligence, and I think what they appreciate is the overall structure and how that ties into a risk management or a governance approach. And I would say for our clients, risk management basically includes risk transfer. Risk transfer is part of risk management. So implementing an insurance program is part of managing risk by transferring the cost of that financial loss to an insurance company in exchange for a premium. And our companies do utilize NIST as part of the process of addressing cybersecurity.

And I wanted to throw something out from a document that you worked on, Ron, which was the Engineering Trustworthy Secure Systems, and it defines protection needs as the purpose of establishing the need for protection is to decide what assets to protect and to determine the priority given to such protection. And this can be accomplished without considering a cause or condition against which to protect. And so this was interesting to me, and I think once a company has identified and analyzed and prioritized their exposures, then they can start to put in those security controls, transfer that residual risk to the insurance company. And this is where I see NIST really aligned with some of the core principles of risk management.

Ron Ross (08:02):
Yeah, I totally agree Howard, and that's a great description. One of the biggest problems we have today in this incredibly dynamic world of information technology and the incredible capability that it brings to our government in our private sector, we have a problem of complexity. These are very complicated systems that we're building and deploying. We're talking about trillions of lines of code, billions of devices, all connected over ubiquitous networks worldwide. So one of the terms your customers may hear is this notion of attack surface. And attack surface is basically everything you own in the enterprise with regard to your computing systems, the applications, the middleware, the operating systems, the people, the processes, the technologies and all those things allow the adversary to have a lot of room in which to maneuver. So some of the NIST security controls deal with some very fundamental concepts like lease privilege and lease functionality.

What this is trying to do is, say when you're building your IT infrastructure, there's a lot of things you can bring into the environment, but if you only focus on those applications that are mission essential and you only give privileges to those people who need to have them, just those two steps alone can reduce your attack service and make it much more difficult for the adversaries to get into your systems and networks to do damage. So there's a lot of fundamentals. I call it the blocking and tackling of cybersecurity. You can start with a dozen or so of our controls, and we've talked about those extensively that organizations can do right now to really reduce that attack profile. So the adversaries have a lot more difficulty getting the low hanging fruit that allow them to get a foothold in your system to do further damage down the road.

Howard Miller (09:46):
Yeah, that's interesting. And I think that's very critical. And I would ask, even in relationship to emerging technologies, you talk about the sophistication of cyber physical systems, I would extend that even to cyber biological systems matching up technology with biology, some of the things that Elon Musk is doing, as well as artificial intelligence at its core behind all of this, you still need those fundamentals. Correct?

Ron Ross (10:15):
That's true. And in fact, artificial intelligence, I think some of you may know that NIST has developed a risk management framework for artificial intelligence, and it is going to change the world dramatically in the future. But those artificial intelligence programs are just programs running on a traditional operating system. And the adversaries like to get into the part of your system that can control everything else. And so no matter what kind of AI programs you're running in your organization, if the adversaries compromised your system at the architectural operating system level, they can control outputs from that AI program. So things that you think you're getting that are trustworthy, have already been compromised. That's where the document that you mentioned, the engineering document that NIST worked on, is so critical because you have to be able to secure your system and your enterprise from the ground up.

The analogy I use is you have a house on the first floor and you have a basement. You can put all the protections on the windows and the doors, but if you've got termites eating away the foundation, that house is not going to be structurally sound. So we have to spend as much time in what I call below the water line, looking at the quality and the security of our hardware, our software, our firmware and the systems that we're building. So everything that your customers are doing above the water line where they're building security programs, they're putting in firewalls, they're using two factor authentication. Those are all customer based controls that can be implemented, but ultimately the quality of those security measures are in the hardware, the software, the firmware and the systems below the waterline. So if we're not doing a great job with the industry producing trustworthy products and systems and services, then the customer, it is a great handicap to try to do things that they absolutely can't do on that foundation that hasn't been really built with a solid set of design principles.

Howard Miller (12:07):
Yeah, that's very insightful. I believe a lot of companies are implementing emerging technologies that you talked about to gain a competitive advantage. And a lot of times this can happen before the true extent of the risk are actually known, and that could include a heightened cybersecurity risk or privacy liability. And I'm seeing a reaction from these emerging technologies being implemented and seeing increasing pressure from regulators, government, potential legal liability and potential catastrophic risk. I think that, and this is going in this direction, but I think it really reinforces the need to strategically address cybersecurity from a governance perspective. And to be sustainable, any viable solution should be balancing the risk versus the reward, the mission and business objectives of the organization in achieving the goal of stakeholder value. And I definitely see that in that system engineering process where you start out with those business and mission objectives.

Ron Ross (13:17):
Yeah, Howard, I think you've hit on it, this is the issue of our time, and it has to do with the way we roll in this country. We thrive on innovation and pushing everything forward, and I use my smartphone or anybody's smartphone or tablet as an example. When you see how many awesome applications are out there, your tendency is, we're kind of addicted to the technology. For good and for not so good reasons. We can download all those apps where we have no idea who built the apps, where they're coming from, but if it's doing some cool stuff, we're going to go ahead and do it. The problem with computers is that whenever those come into your environment, they can bring with it a payload of malicious code that is never visible to you as a customer. Kind of have two worlds here. You want to have emerging technologies because that's what keeps the United States on the cutting edge, the economy and all the things that we care about and move the country forward. On the other hand, if we don't have a good understanding about the types of threats that are these very sophisticated adversaries are launching at us, especially in systems that are in the critical infrastructure.

So there's a big difference in your iPad or your smartphone at home. If you get hacked there, you know it's going to be bad for you, but it's not going to bring the electric grid down on the East Coast or pollute a water distribution system. These are the kinds of distinctions we're going to have to be comfortable making. When we talk about lean and mean, it means least functionality, least privilege. That means only implementing those applications and system components that are absolutely essential to carrying out the mission. And that applies to any sector in the critical infrastructure because you reduce the attack surface. You have to have a level playing field. You can't have an unlimited attack surface because the adversary will win every time. So we're going to have to be able to discern between those two types of situations where we love innovation, but sometimes you have to narrow the scope so you can adequately defend things that can have severe or catastrophic effects on not only the government but the private sector and especially our critical infrastructure.

CJ Dietzman (15:21):
This is a fantastic dialogue. Howard, got a question for you. In the context of the cyber insurability process, whether a client is going to market for the first time to seek cyber insurance and coverage for the first time, or if a client is getting ready for a renewal, how are the NIST standards applicable and useful? What would be your advice and or suggestion to a client? And then how are the NIST standards used by brokers like yourself? How are they used by cyber insurance carriers and underwriters? Howard, what do you think?

Howard Miller (15:58):
Okay, we've got three different areas there. I think as a broker, I want to secure the best pricing in terms for my client, and that becomes a collaborative effort. And that should take place ahead of purchasing the insurance, whether it's a first time buyer or it's an annual renewal process. And a good broker can help with identifying risk, notifying the client of emerging risk and losses that we're seeing and educating on what areas of their security program could be improved. And that could also be meaningful to the insurance company. And so if you work on those weaknesses in advance, you become more attractive to the insurance marketplace. Maybe you can minimize your attack surface that Ron was talking about, and that's going to create a higher percentage that you're going to get more favorable insurance outcome. And a lot of clients are using NIST, and I think for me it's, I want to show the insurance companies that my clients are in a state of constant improvement. So a lot of clients could use the NIST framework to benchmark their security controls implementations and show the improvements they've made over time. And so I think that's important from the carrier's perspective. The insurance company's perspective is speculative risk. They're either going to be profitable or unprofitable depending on how many claims are paid compared to the premiums they take in.

And so the underwriters are looking at more and more detailed information. That information could be based on several factors. What is the amount of protected or confidential data this organization has? What is the criticality or sensitivity of that information? If there's an operational disruption to the organization that could be caused by a security failure, a system failure or even third parties that they rely upon is another factor. The amount of insurance retention they're looking at, their industry. Is that industry a target? What's the size of their organization? And of course the strength of their controls. So the better the risk, the more likely the carrier is going to provide broader terms and more competitive pricing. And I think the carriers also look at a NIST report, see what controls the clients have implemented to reduce the potential frequency and severity of a loss that would make that organization more favorable from a risk perspective.

CJ Dietzman (18:41):
Ron, back to you. We've covered a lot of ground on this podcast, absolutely critical and fascinating topics and really getting a deeper appreciation and understanding for not only all the things that NIST does and what you do as a NIST fellow, but then understanding from Howard how these NIST standards are useful and helpful for organizational cyber risk and security and for the cyber insurability lifecycle, which is super important. Ron, what's next? What's on the horizon for NIST as a fellow? Can you talk to us a bit about some of the cool innovative projects and initiatives that you might be working on right now? How is NIST staying ahead of what's going on in industry from a cyber threat and risk standpoint?

Ron Ross (19:22):
Well, CJ, we're always busy in this, as you know, either updating our current set of standards and guidelines. We do work closely with our intelligence and the DOD, those communities as far as identifying new threats. And when those are identified, we have to make sure that we develop the safeguards, the counter measures, the controls. We have a toolbox for our customers that has the latest and greatest things to help them build good security programs. We recently launched a project with NASA to sit down with their systems engineers and figure out how can we build cybersecurity into a project from the very start of the project all the way through the lifecycle. That's critical to getting what I talked about earlier, below the waterline. Making sure we can get down to the basement of the house and develop an architecture and a system that has the appropriate safeguards and countermeasures and can be resilient in the face of these very sophisticated ongoing cyber attacks.

That's an exciting project. We're going to be documenting the results of that along the way so our customers can take advantage of when they face that same situation, building that next generation system. They'll have new guidance from NIST that'll help them decide how and when and where to deploy those safeguards and countermeasures within the new systems that they're building. Many of those are going to be going into the critical infrastructure or space systems, weapon systems, everything that you can do today where you can put a computer into that cyber physical system. We want to make sure that all of those computers are safe and secure. So those systems can be survivable, they can be resilient, and you can continue to support your critical missions in business operations.

CJ Dietzman (21:04):
Absolutely amazing, Ron. Thank you so much for that. And folks, that's going to be it for this episode of the Alliant Specialty Podcast. What a thrill it was. Thank you so much, Ron Ross, for joining Howard Miller and I today. Ron, again, a fellow over at NIST, the National Institute of Standards and Technology, super important organization in our industry. Thank you so much, Ron, for really helping us demystify and understand all the incredible things NIST continues to do. Howard, thank you for your time. Looking forward to continuing to serve Alliant Cyber clients with you. All of our attendees out there in the audience, thank you very much for participating in another episode of the Alliant Specialty Podcast. We will see you soon. Enjoy the rest of your day.