NIST: An Old Agency with a New Purpose for Boards of Directors

Nicholas J Price
5 min read
In 1901, Dr. Samuel Wesley Stratton could not have imagined that the corporate leaders of today would be looking to his agency to help protect their corporations from cybersecurity threats. In his day, Stratton was a visionary man who recognized that the many helpful products that came out of the Industrial Revolution were not universal. Stratton envisioned a federal agency that would set the parameters for products and the parts that went into making products, and that had an industry-wide standard.

Stratton's vision has helped to develop standards for essentially every industry, including communications, manufacturing, healthcare, transportation and automation. The development of industry-wide standards played a strong role in helping our nation's commerce grow and helping our country become an international power.

Since computer pioneer Russell Kirsch and his colleagues produced the first digital image in 1957, the pace of technology has brought a host of cyber-risk activity along with it, threatening to destroy entire networks with the stroke of a key. How can an old federal agency that set out to standardize the size of nuts and bolts protect today's corporations from cyber threats?

The History of NIST

Shortly after the Industrial Revolution, Dr. Stratton argued passionately with Congress over establishing a national standards laboratory so that the United States would be able to compete with manufacturing powers in Germany, the United Kingdom and other countries.

Congressmen were not initially receptive, but scientists and industrialists joined Stratton's efforts and motivated Congress to form the National Institute of Standards and Technology (NIST). They appointed Stratton as the founding director, and he served NIST for the next 21 years.

Congress established NIST as a non-regulatory agency in 1901. It is part of the United States Department of Commerce. NIST works to facilitate issues between the Federal Information Processing Standards (FIPS) and the Federal Information Security Management Act (FISMA). Think of NIST as being the oldest physical science lab in the country.

Board Directors Concerned over Threats of Cyberattacks

Board directors across the globe are increasingly discussing ways to protect their computer systems from hackers. Many of them know that they need to do more than leave the corporation's protection up to the IT department. IT departments employ a separate cadre of expert employees because of the complex, technical nature of data. The complexity of computer systems makes it difficult for board directors to understand exactly what the IT departments are doing, making it nearly impossible for board directors to effectively oversee cybersecurity. Yet, board directors recognize that they are on the hook for whatever does (or doesn't) happen in the IT department.

For example, there was a recent ransomware virus that attacked Russia's biggest oil company, Ukrainian banks and several multinational firms. How did it happen?

A flaw in Microsoft's Windows program after a security update let the virus in. The virus encrypted hard drives and overwrote files. The attacker then demanded $300 per target, payable through bitcoin payments, to restore the users' access to their computers. Unfortunately, about 30 people fell victim to the scam.

Board directors are becoming increasingly aware that such viruses can destroy a corporation overnight if they don't have adequate cybersecurity measures in place. Cybersecurity issues have cost businesses about $400 billion every year, including direct attacks and the fallout that follows the attack.

No corporation wants to be the next company to make headline news for not knowing they had a security problem until a breach occurred. At the same time, many board directors are hesitant to employ cybersecurity measures for fear of security interfering with computer systems or other areas of the business.

Many board directors are ready to act. They just don't know what to do.

How NIST Can Help to Bridge the Gap Between Board Directors and IT Departments

NIST has helped federal agencies meet specific regulatory compliance measures for major laws like HIPAA and FISMA. In May of 2015, NIST created a guide, called Guide to Industrial Control Systems (ICS) Security, for corporations to help them understand cybersecurity issues and develop plans to protect against cyber threats. In particular, the guide will help corporations comply with the Sarbanes-Oxley Act, which Congress enacted to improve the corporate governance and accountability of all public companies.

Boards of directors can now use the guide as a basis for board discussions surrounding forming an individualized plan that protects their corporation and its shareholders against cyber threats. The guide also serves as a tool to facilitate discussions with the IT department so that boards can more clearly understand whether the IT department is complying with expected cybersecurity measures across the industry.

What Role Does NIST Play in Corporate Governance?

NIST sets up several steps for IT department managers and board directors so that they have a designated plan for cybersecurity.

NIST looks at the data that a corporation needs to protect and places it into a category. Next, NIST works to develop a minimum baseline that will protect the identified data. NIST staff uses risk assessments to tweak and refine the baseline controls. Using the information they gathered, NIST writes out a security plan to document the baseline controls.

The IT department can then apply the security controls to their systems, and monitor the performance to measure the effectiveness. NIST can then assign the level of cyber risk based on the level of security controls. The final step is for the board directors to work with the IT department to take measures to reduce cyber risk.

NIST Recommends IT Take a Stronger Role in Corporate Discussions about Cybersecurity

NIST is recommending that corporations do more than simply have an IT department. The risks of cyberattacks are so high that they are recommending that all corporations enlist the help of systems security engineers. They'd also like to see a change in corporate governance culture whereby IT experts are not only brought into corporate discussions on a quarterly or as-needed basis, but are given a stronger role in the governance structure. NIST recognizes that it's virtually impossible to eliminate every security breach. They recommend that companies take the strongest measures possible to reduce the potential for cybersecurity attacks and the ensuing cyber risk. This includes improving communication's risks, which can be solved by using a secure board portal with a messaging function, eliminating the need for email.