On 3 March 2015 I participated in a deep dive into some key policies and processes used by Intel (NASDAQ:INTC) to continue to reduce the business risk of cyber threats. This review was presented by Malcolm Harkins, Intel’s Chief Security and Privacy Officer. Malcolm was briefing how Intel corporation leveraged the NIST-coordinated Framework for Improving Critical Infrastructure Cybersecurity to create a more mission-focused cyber security effort across their corporation. Their approach is also helping establish a common language with suppliers to Intel, significantly extending the approach.
Intel’s use of the framework clearly got results. You can review them yourself online at http://intel.com/federal But here are some of the things that jumped out at me during the presentation:
• The framework was used as a living risk management tool, not at static compliance checklist. This is key.
• The pilot resulted in reusable tools and best practices for the company
• The pilot also produced feedback for NIST which will impact and continuously improve the overall framework.
• Benefits of the framework include an ability to more quickly focus in on areas of the enterprise security posture that need focus.
• This also supports collaboration, inside the organization and also to other organizations external to the corporation.
• Intel expects to continue to harmonize their internal risk management methodologies, technologies and language across their corporation through use of the framework.
• They also are using the framework to better inform internal risk tolerance discussions.
• Intel executives see the framework as a way to ensure cyber security activities are focused more on risk reduction vice just compliance. This has always been leadership’s intent, but the framework makes it easier.
We have written about the NIST framework here before and have long seen the value (it has helped us help many of our clients out). Intel corporation publishing a use case like this will help convince many other companies to take a look at the framework and that will help more firms adopt a common language in the security related elements of people, process, technology and the overall ecosystem.
For firms like our, we will continue to leverage this framework to inform our own security and as one of the key tools leveraged in our interactions with clients. We thank Intel for publishing their case study, it is a fantastic and very helpful contribution to the community.
Latest posts by Bob Gourley
- DoD Intelligence Information Systems (DoDIIS) Conference 18-21 August 2019 - August 14, 2019
- Insights into threats, risks and opportunities - August 10, 2019
- Learn things your competitors wish you did not know - August 2, 2019