LogRhythm has been involved in the authoring of the Cybersecurity Framework as outlined in one of my previous blog posts. Although the framework is still being drafted, and won’t be released for public comment until later in the year, the White House has recently blogged about some proposed incentives for organizations looking to adopt the framework. The details can be found here: http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework
At a high level, the following are being proposed:
- Cybersecurity insurance
- Process preference
- Liability limitation
- Streamline regulations
- Public recognition
- Rate recovery for price-regulated industries
- Cybersecurity research
Overall, I think incentivizing adoption of the framework is a good idea. While I was attending the workshops, one of the key points raised by owner/operators was that it might not make business sense to implement the framework.
That is, it would cost more to implement it than an outage/breach would cost should one occur. This is the classic struggle for InfoSec folks: attempting to quantify cybersecurity risk in a way that makes financial sense for an investment.
Although not all of the incentives are likely to be implemented, and some might be more effective than others, some of the proposals can indeed be quantified and will help InfoSec personnel build the case for the CxO-level folks to allocate funding to implement the new voluntary framework.