9/16/16, 1:48 PM NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
Page 1 of 3 http://deloitte.wsj.com/cio/2014/01/14/nist-cyber-security-framework-4-steps-cios-can-take-now/
Business-led, Technology-enabled: Insight written and compiled by Deloitte
NIST Cyber Security Framework: 4 Steps for CIOs
Even though adoption of NIST’s cyber security framework for critical infrastructure providers is
currently voluntary, CIOs who opt to apply it to enterprise risk management practices may
improve their ability to calibrate not just their organizations’ cyber risk, but also business risk
more broadly, while more efficiently allocating the information security budget.
On February 12, 2014, the National Institute of Standards and Technology (NIST) released its
“Framework for Improving Critical Infrastructure Cybersecurity,” a comprehensive approach to
managing cyber security risk, aimed at critical infrastructure owners and operators.
The framework, which builds on existing standards, guidance, and industry-leading practices,
was developed by NIST in response to President Barack Obama’s February 2013 executive
order, “Improving Critical Infrastructure Cybersecurity.” Critical infrastructure comprises a range
of industries, including power and utilities, financial services, telecommunications, chemicals,
and food and agriculture. The number of cyber attacks in these sectors has risen in recent years
(in some cases dramatically), and the threat facing them is documented in numerous reports,
from the U.S. House of Representatives’ Energy & Commerce Committee’s “Electric Grid
Vulnerability” report to Deloitte Touche Tohmatsu Limited’s 2012 Global Financial Services
Industry Security Study.
Carey Miller, a director with Deloitte & Touche LLP’s Cyber Risk Services practice, says NIST’s
cyber security framework proposes dramatic changes to the way some critical infrastructure
companies currently measure and manage cyber security risk. “Where some approach it
primarily from a technology perspective, the framework encourages organizations to look at
cyber security risk across the people, process, and technology dimensions of their enterprises,
just as they would with financial, safety, and operational risks,” she says.
Although critical infrastructure owners and operators are not required to adopt the NIST cyber
security framework, those who do stand to benefit. Implementing the framework should give
them a clearer idea of their cyber risk profile, according to Miller. Armed with that knowledge,
they may make more informed risk management decisions and proactively identify the steps
required to reduce threats and achieve their cyber security risk management goals.
Moreover, by identifying a company’s cyber risk profile, the framework can help elevate the
issue of cyber security to the CFO, CEO, and board of directors, adds Miller. “The framework is
intended to illuminate comprehensive cyber impacts; not just technical, but the legal,
operational, and financial implications of critical infrastructure companies’ cyber security posture
—top of mind issues for boards and CEOs,” she says.
JR Reagan, a principal with Deloitte & Touche LLP’s Cyber Risk Services practice, says
adopting the NIST cyber security framework may even help companies better manage their legal
exposure. “In the event an organization that adopted the framework experiences a breach, the
organization ought to be better positioned to demonstrate ‘due care,’ that it made a good faith
effort to implement the framework and its industry-leading cyber security practices and
guidelines,” he says.
Given the framework’s potential benefits, Miller and Reagan believe critical infrastructure
companies should adopt the framework, and they recommend actions CIOs can take now to
begin aligning their organizations’ cyber security risk management practices with it.
Conduct a self-assessment. The framework highlights five high-level cyber security functions
(identify, protect, detect, respond, and recover), along with a variety of related practices and
activities divided into categories and subcategories, respectively. For example, the “Protect”
function includes the categories of access control, awareness and training, data security, and
information protection. The subcategories associated with data security, for example, include
confirming data at rest is protected, data in motion is secured, and assets are formally managed
throughout removals, transfers, and disposition.
Since most critical infrastructure providers are likely to follow at least some of the prescriptions
within the various functions, categories, and subcategories, CIOs can start by identifying the
elements of the framework their organizations already follow and the areas where they need to
shore up their capabilities, according to Miller. “Organizations should have at least basic
capabilities implemented in each function, category, and subcategory,” she says.
A self-assessment can help companies identify and prioritize gaps in their cyber security risk
management practices. It also positions them to better grasp their current risk profile and zero in
on actions that will help them reach their desired state.
Build consensus. In parallel with the self-assessment, CIOs can promote adoption of the
framework inside their organizations by tying it to their enterprises’ existing business and cyber
security risk management programs, according to Reagan. “The NIST cyber security framework
is intended to complement, rather than replace, an organization’s existing risk management
practices,” he says. “Leveraging it alongside the risk management program approved by the C-suite
and board can facilitate adoption.”
Reagan adds that the C-suite and board of directors will want to know how the framework can
reduce their organizations’ risk and if it can be accomplished cost effectively—two questions
essential for CIOs to answer. “The detailed approach to risk management that the framework
offers can help companies proactively monitor, identify, assess, and respond to cyber security
risks,” he says. “Adopting the framework may, in fact, lead to more effective cyber security
spending because it gives companies a risk-based mechanism for making cyber security
decisions and prioritizing investments.”
Focus on continuous improvement. The NIST cyber security framework lays out four
implementation “tiers” that describe the degrees of rigor and sophistication associated with an
organization’s risk management practices. The tiers include “partial,” where an organization
manages risk in an ad-hoc and reactive manner; “risk informed,” where an organization
understands cyber security risk but lacks an enterprisewide approach to managing it; “risk
informed and repeatable,” which applies to enterprises with a formal, integrated approach to
cyber security; and “adaptive,” where an organization has an enterprisewide approach to
managing cyber security risk that it continuously improves based on lessons learned and
predictive indicators.
“Implementing the NIST cyber security framework isn’t a ‘check-the-box’ exercise,” says
Reagan. “It’s intended to help organizations reach their desired level, then keep improving.”
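The self-assessment step and the four tiers described above can be made concrete as a current-profile versus target-profile gap analysis over the framework's function/category/subcategory structure. This is an added example, not code from the article, NIST or Deloitte; the slug identifiers, the Access Control and Detect entries, every tier score, and the weakest-link rule for rolling subcategory tiers up to a function are assumptions of the example.

```python
"""Gap analysis of a current profile against a target profile, keyed on the
NIST CSF structure described in the article: functions -> categories ->
subcategories, scored with the four implementation tiers.

Added example, not code from the article, NIST or Deloitte. The slug ids,
the Detect/Access Control entries and every tier score are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """The four implementation tiers, ordered by rigor."""
    PARTIAL = 1                   # ad hoc and reactive
    RISK_INFORMED = 2             # risk-aware, no enterprise-wide approach
    RISK_INFORMED_REPEATABLE = 3  # formal, integrated approach
    ADAPTIVE = 4                  # continuously improving from lessons learned


# The five high-level functions in framework order (used to order ties).
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Subcategory:
    slug: str       # constructed label for this example, not an official CSF id
    function: str
    category: str
    outcome: str


# Constructed slice of the framework: the Protect / Data Security outcomes the
# article lists, plus one Access Control and one Detect entry for contrast.
SAMPLE_SUBCATEGORIES = (
    Subcategory("ds-at-rest", "Protect", "Data Security", "Data at rest is protected"),
    Subcategory("ds-in-motion", "Protect", "Data Security", "Data in motion is secured"),
    Subcategory("ds-disposition", "Protect", "Data Security",
                "Assets are formally managed through removal, transfer and disposition"),
    Subcategory("ac-identities", "Protect", "Access Control", "Identities and credentials are managed"),
    Subcategory("de-anomalies", "Detect", "Anomalies and Events", "Anomalous activity is detected"),
)

# Constructed self-assessment (current profile); ds-disposition was never assessed.
CURRENT = {
    "ds-at-rest": Tier.RISK_INFORMED_REPEATABLE,
    "ds-in-motion": Tier.RISK_INFORMED,
    "ac-identities": Tier.RISK_INFORMED_REPEATABLE,
    "de-anomalies": Tier.PARTIAL,
}

# Constructed desired state (target profile); must cover every subcategory.
TARGET = {
    "ds-at-rest": Tier.RISK_INFORMED_REPEATABLE,
    "ds-in-motion": Tier.RISK_INFORMED_REPEATABLE,
    "ds-disposition": Tier.RISK_INFORMED_REPEATABLE,
    "ac-identities": Tier.ADAPTIVE,
    "de-anomalies": Tier.RISK_INFORMED_REPEATABLE,
}


def unassessed(subcats, current):
    """Subcategories with no recorded tier. Each one should have at least a
    basic capability, so a missing entry is itself a finding, not a zero."""
    return [s.slug for s in subcats if s.slug not in current]


def function_tiers(subcats, current):
    """Roll subcategory tiers up to each function. Assumption of this example:
    a function is only as mature as its weakest subcategory, and an unassessed
    subcategory counts as PARTIAL."""
    tiers = {}
    for s in subcats:
        tier = current.get(s.slug, Tier.PARTIAL)
        tiers[s.function] = min(tiers.get(s.function, Tier.ADAPTIVE), tier)
    return tiers


def prioritized_gaps(subcats, current, target):
    """Subcategories below their target tier, largest gap first; ties keep
    framework function order. Returns (slug, current, target, gap) tuples."""
    missing = [s.slug for s in subcats if s.slug not in target]
    if missing:
        raise ValueError(f"target profile has no tier for: {missing}")
    gaps = []
    for s in subcats:
        cur = current.get(s.slug, Tier.PARTIAL)
        tgt = target[s.slug]
        if cur < tgt:
            gaps.append((s.slug, cur, tgt, int(tgt) - int(cur), FUNCTIONS.index(s.function)))
    gaps.sort(key=lambda g: (-g[3], g[4]))
    return [g[:4] for g in gaps]


if __name__ == "__main__":
    print("Unassessed:", unassessed(SAMPLE_SUBCATEGORIES, CURRENT))
    for fn, tier in function_tiers(SAMPLE_SUBCATEGORIES, CURRENT).items():
        print(f"{fn}: {tier.name}")
    for slug, cur, tgt, gap in prioritized_gaps(SAMPLE_SUBCATEGORIES, CURRENT, TARGET):
        print(f"{slug}: {cur.name} -> {tgt.name} (gap {gap})")
```

Because the unassessed subcategory is scored as PARTIAL, the whole Protect function rolls up to PARTIAL even though three of its four subcategories are at the repeatable tier, which is why the report lists it first.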
Collaborate with industry peers. Working with industry colleagues and government
organizations can help CIOs anticipate and understand emerging cyber threats. “Many
companies share cyber threat information through informal networks and regular meetings,”
says Reagan. “Establishing those lines of communication is essential to a CIO’s ability to peer
over the horizon, anticipate the next threat, and formulate a response.”
To that end, he recommends companies consider participating in information sharing and
analysis centers (ISACs). Reagan acknowledges that ISACs have been more successful in
some industries, like financial services, than in others. For industries where ISACs have less
traction, Reagan suggests companies give them another chance and try to make them more
effective. ISACs that serve state and local governments are also emerging.
*****
Miller believes the cyber security framework provides critical infrastructure owners and operators
with an unprecedented opportunity to begin speaking the same language about cyber risks and
begin using a common mechanism to address them. “The potential benefits of adopting the
framework should outweigh the costs,” she says. “From elevating the topic of cyber security to
the board to having a risk-based mechanism for prioritizing security investments, there are
countless ways critical infrastructure companies can realize its value—all while bolstering
national security.”
Related Content: “Cyber Security, Critical Infrastructure, and Obama’s Executive
Order”, “Preparing Utilities to Respond to Cyber Attacks”
January 14, 2014, 12:01am