The NIST Cybersecurity Framework can help you understand your risks.

Scott Montgomery, VP and CTO-Americas & Public Sector, Intel Security

March 5, 2015

3 Min Read

Are you secure? Unfortunately, there is no way to prove that no one can breach your security. You can be compliant with any number of different regulations and frameworks and still be caught by some new attack or unanticipated vulnerability. That is one reason I like the Framework for Improving Critical Infrastructure Cybersecurity, released last year by the National Institute of Standards and Technology (NIST).

This security framework is different from other security regulations and frameworks because it is a process- and risk-management tool, not a static checklist or set of compliance requirements. Over the past year, we ran a pilot project with this framework in the Intel IT department to see how it works in the real world and how it compares to our existing security posture and processes. One of the most valuable lessons learned was how the framework improved visibility and facilitated discussions about risk throughout all levels of the company. Using the framework, we developed a heat map of our risk scores in several categories under the five major functions: identify, protect, detect, respond, and recover. Our CISO and the core security team established the desired target scores and their evaluation of the current scores in each area.

Then, without revealing the targets or the core team’s numbers, we asked several subject-matter experts throughout the company to score their own worksheets. Comparing these worksheets identified key issues for discussion, including a large gap between core team and SME scores, education and visibility issues, and a positive or negative gap between current and target numbers, indicating areas of under or overinvestment. Categories with a low score were expanded into subcategories (e.g. computing assets expanded to laptops, tablets, mobile, servers, storage, and network) to find the specific areas in need of improvement.  

The five functions emphasized to everyone that security is more than detect and protect. Identifying data and tasks that require protection helped us highlight areas that needed further assessment. Developing the target scores supported better informed discussions on risk tolerance. The respond and recover functions underlined the need to be prepared to act quickly in the event of a breach to contain the damage and inform those affected. And the whole process enhanced our communications by harmonizing our language and terminology and helping us to recognize areas of difference and disconnect.

Our experience with this framework has been very positive, and we plan to continue to use it throughout Intel and with our suppliers and partners. I would encourage any size organization to evaluate and implement it also. When you do, we have a few suggestions to share from our initial project:

  • Do it yourself. This is a process for discovery and discussion, not a checklist or assessment that can be done by a consultant.

  • Start small and easy.  It’s best to start with a small group that is comfortable with at least some of the language and technology, not across the whole organization.

  • Customize for you. This is not a one-size-fits-all framework. Tailor the components for your business and technology environment.

  • Work with decision makers. Risk management is not a static process, and it touches all levels of the organization. Engage them early and continually.

This framework began with collaboration between government, industry, and non-governmental organizations. Our best bet for better security is to continue that approach, protecting privacy and civil liberty, while promoting innovation and the use of the Internet for global economic development.

About the Author(s)

Scott Montgomery

VP and CTO-Americas & Public Sector, Intel Security

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that technology, standards, and implementations meet information security and privacy challenges. His dialog with the market helps him drive government and cybersecurity requirements into McAfee's products and services portfolio and guide Intel Security's policy strategy for the public sector, critical infrastructure, and threat intelligence.

With more than 15 years in content and network security, Montgomery brings a practitioner's perspective to the art and science of cybersecurity. He has designed, built, tested, and certified information security and privacy solutions-including firewalls, intrusion prevention systems, encryption, vulnerability scanners, network visibility tools, mail and web gateways, strong authentication tokens, embedded systems, and more. Prior to its acquisition by McAfee, Montgomery ran worldwide product management and corporate strategy for Secure Computing, designing and building products like Sidewinder (now McAfee Firewall Enterprise), Webwasher (now McAfee Web Gateway), and Ironmail (now McAfee Email Gateway).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights