The NIST Cybersecurity Framework helps organizations assess and manage their cybersecurity risks, but it can be arduous to master when organizations try to follow the guidelines, according to Steven Gutkin, deputy director at the New Jersey Office of Homeland Security and Preparedness. Gutkin spoke with SearchCIO at the recent Fusion CEO-CIO Symposium, produced by WTN Media. In this video, he outlines the challenges and benefits that organizations can face when actualizing the NIST Cybersecurity Framework drafted by the U.S. Department of Commerce's National Institute of Standards and Technology. He also enumerates the breadth of cybersecurity and physical security threats that the New Jersey OHSP is currently monitoring, how Information Sharing and Analysis Centers are a leading resource for cybersecurity strategy and how bridging the gap between physical security and cybersecurity is a top priority.
What are the challenges and benefits of implementing the NIST Cybersecurity Framework?
Steven Gutkin: The biggest challenge to implementing the NIST Cybersecurity Framework would be that if an organization is really going to implement it to the letter, it can become very cost prohibitive and very difficult to manage. The benefit, obviously, is that if you're having everybody sort of speak the same language and they're translating things and identifying threats in the same way and taking the same set of mitigation steps, it's much easier to deal with these challenges as they come through.
What kind of cybersecurity threats are you looking at right now?
Gutkin: Some of the biggest cybersecurity threats that we're looking at are ransomware type variants, such as malware. Those are the things that are very concerning to us. But, we're looking at threats from a number of different sources, including the federal government, both classified and unclassified. We're also sharing threat intelligence based on what we're seeing on the state level network with our private sector partners.
We're also ingesting these threat indicators from several of the Information Sharing and Analysis Centers (ISACs) like the Financial Services ISAC, National Health ISAC and Multi-State ISAC. We're kind of collating them together to give everyone a greater picture of what these indicators of compromise are and then sharing them in an automated fashion with all of the members of the New Jersey Cybersecurity and Communications Integration Cell.
What kind of physical security threats are you looking at?
Gutkin: We're concerned about vehicle-borne attacks, improvised explosive device attacks, things that we've been working on consistently since 9/11. But, again, we're trying to bridge the gap, so that we're covering all sides of both the physical and cyber domains.