If you’re a manufacturer in a government supply chain, you’ve probably heard by now that it will no longer be enough to self-certify your cyber security posture. You’re going to have to prove that the data you store for the parts, products and services that you supply are protected from theft, alteration or kidnapping by following the NIST Cyber Security Framework.
Here are the top three problems that small and medium-sized manufacturers are encountering as they seek to comply with NIST cyber security guidelines – and keep their place in the supply chain.
1. The IT Team Doesn’t Know What to Do
Although at first glance the NIST Cyber Security Framework might look like just a checklist, cyber security is an ongoing process that needs to be managed. There may indeed be a list of requirements, but for each item on the list you must provide controls as well as evidence that each control is being enforced.
Cyber security is complex and changing every day. It takes specialized expertise to know exactly how to interpret cyber security requirements and then to implement necessary controls. Small IT teams and many small IT support companies do not have staff that possess adequate knowledge.
Executives at manufacturing companies are finding that the only way they’re going to get the level of expertise they need to comply with the NIST Framework is to outsource to IT companies that have dedicated cyber security teams with highly experienced and credentialed staff.
2. Costs Rise as Security Requirements Increase
You might already be thinking that with more expertise, labor costs will rise, and you’re right. Certainly, if your plan is to have your own in-house cyber security expert with a master’s degree and multiple certifications, that will be a big addition to your payroll. That’s another reason why business leaders are outsourcing cyber security expertise.
Costs increase with licensing of the sophisticated tools that you’ll need to improve your cyber defenses. For example, monitoring software that learns about the traffic patterns on your network is powered by Artificial Intelligence (AI). This software isn’t going to be a part of your IT team’s normal toolbox, but you’ll need it when you take security up a level.
Your entire staff will also need training. A good 60 – 70% of the controls that you’ll have to enforce have to do with policies and procedures around how staff access data. Training should be ongoing, and new employees will need cyber security training as part of the onboarding process.
3. Security Disrupts Processes and People
With increased security come changes in your normal business operations. People can become annoyed by extra steps that they must follow to access the data and systems they need to do their jobs. This makes it especially important for leadership to establish a culture of security.
If security initiatives come solely from IT, then IT becomes the bad guy that is making everyone’s life more difficult. When security is presented as a strategic capability and promoted by executives and ownership, then it’s possible to lead employees into an understanding that security is everyone’s responsibility.
Time to Explore Outsourced Cyber Security?
Whether you’re required to follow the NIST cyber security framework, or you’ve come to understand that you need to improve security to stay in business, you can get access to a whole department of cyber security experts at VC3.
The first step to figuring out what you need to do to comply with the NIST Cyber Security Framework – and security peace of mind – is getting an honest assessment of your current situation. Contact us for a Security and Risk Assessment.