Chief executive officers, board members, and other senior business leaders need to realize that managing cyber risks is “one of the most important things you can do to protect your assets, your customers, and your companies,” the acting chief of the National Institute of Standards and Technology said. Speaking at the Board Agenda: CYBER conference in Washington, Willie May, acting under secretary for standards and technology at the Department of Commerce and acting director at NIST, said top corporate managers should review and consider using NIST’s cybersecurity framework. “The framework sets out basic guidelines to help organizations better understand and prioritize their cyber risks, and then it suggests specific cybersecurity ‘best practices’ most relevant to those risks,”  Mr. May said. 

“The framework is organized around five basic functions: Identify, Protect, Detect, Respond, and Recover. “You may have noticed that I did not use the word prevent,” he added. “There has been a notable shift in the last few years away from thinking we can completely prevent bad things from happening. Instead, the goal is a balanced approach that both protects and quickly detects when something is amiss. And it’s one that emphasizes being prepared with a strong response and recovery plan.” Cybersecurity is “too important to be left to your IT department and operations groups,” Mr. May said.  “Cybersecurity must be a core issue for your corporate executive team.  It can literally make or break your company. And that means your leadership is critical to ensuring that your companies spend the time and resources necessary to manage this risk, just like you manage financial and legal risks. “Second, every executive should be able to communicate persuasively about the importance of cyber risk management,” he added.  “If you want to improve your skills, please read the NIST Cybersecurity Framework. As I mentioned earlier, it was written expressly for corporate leaders.” -Brian Hammond, brian.hammond@wolterskluwer.com