An article by Mark Harrington, General Counsel at Guidance Software, has the title How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework. The article is more interesting than this rather dry title might imply.
NIST is the National Institute of Standards and Technology which has recently released an update to its framework for improving the critical infrastructure cyber security. You can find the details of this by following the links in Mark Harrington’s article.
The most important message from the post concerns the benefits of sharing information about cybersecurity risks and events between US industries (and there is no reason why it should stop at US industries) so that organisations may better prepare and defend themselves in the interests of all.
This, as Mark Harrington points out, may involve concerns about corporate reputation which might otherwise not reach the public. We are reaching the point where the need to suppress threats outweighs this level of reputational risks, given the very much larger reputational risk (as well as purely financial risk) which lies in the belated discovery that the organisation’s confidential information is on the world’s desktop.
One conventionally thinks of this as being either credit card information or valuable intellectual property. The recent attack on Sony shows that the biggest reputational issue may in fact lie in the dissemination of incautiously worded emails.