Cybersecurity Awareness And Risk Frameworks With Daniel Eliot Of NIST RIMScast podcast

Content provided by The Risk and Insurance Management Society, Inc., The Risk, and Insurance Management Society. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by The Risk and Insurance Management Society, Inc., The Risk, and Insurance Management Society or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

RIMScast »
Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST

1d ago 45:13

MP3•Episode home

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

Justin Smulison interviews Daniel Eliot of NIST about NIST, its new publications on cybersecurity, including two Quick Start Guides, the Cybersecurity Framework 2.0, and more, Daniel’s history with cybersecurity for small businesses and his career-long passion for helping small businesses protect themselves against cybercrime.

Listen in for the latest information on NIST and cybersecurity guidelines for your organization.

Key Takeaways:

[:01] About RIMS.

[:14] RISKWORLD 2025 will take place in Chicago, Illinois from May 4th through May 7th. The call for submissions is now open through August 27th. A link to the submission form is in this episode’s show notes.

[:30] About this episode. We will be joined by Daniel Eliot from the National Institute of Standards and Technology, or NIST.

[:52] First, let’s talk about RIMS Virtual Workshops. The full calendar of virtual workshops is at RIMS.org/VirtualWorkshops. August 15th starts the three-part series, Leveraging Data and Analytics for Continuous Risk Management. Other dates for the Fall and Winter are available on the Virtual Workshops full calendar at RIMS.org/VirtualWorkshops.

[1:14] Let’s talk about prep courses for the RIMS-CRMP. On September 10th and 11th, the RIMS-CRMP Exam Prep will be held with NAIT. There is another RIMS-CRMP Exam Prep on September 12th and 13th.

[1:29] The next RIMS-CRMP-FED Exam Prep course will be hosted along with George Mason University on December 3rd through 5th, 2024. Links to these courses can be found on the Certification Page of RIMS.org and in this episode’s show notes.

[1:44] We’ve got the DFW RIMS 2024 Fall Conference and Spa Event happening on September 19th in Irving, Texas. Learn more about that event in Episode 299, which features an interview with the Texas State Office of Risk Management.

[2:02] Also on September 19th is the RIMS Chicago Chapter’s Chicagoland Risk Forum 2024. Register at ChicagolandRiskForum.org.

[2:12] Registration opened for the RIMS Canada Conference 2024 which will be held from October 6th through the 9th in Vancouver. Visit RIMSCanadaConference.ca to register.

[2:25] Registration is also open for the RIMS Western Regional, which will be held from September 29th through October 1st at the Sun River Resort in Oregon. Register at RIMSWesternRegional.com.

[2:38] We want you to join us in Boston on November 18th and 19th for the RIMS ERM Conference 2024. The agenda is live. The keynote will be announced soon. We want to see you there! A link is in this episode’s show notes.

[2:53] The nominations are now open for the RIMS ERM Award of Distinction 2024. Nominations are due August 30th. A link to the nomination form is in this episode’s show notes.

[3:07] If you or someone you know manages an ERM program that delivers the goods, we want to hear about it. A link is in this episode’s show notes. All RIMS regional conference information can be found on the Events page at RIMS.org.

[3:24] On with the show! In October, we will celebrate National Cybersecurity Awareness Month. You should observe it all year round, of course. My guest today has a lot of great insight into risk frameworks. He is Daniel Eliot, the Lead for Small Business Engagement in the Applied Cybersecurity Division of The National Institute of Standards and Technology (NIST).

[3:48] NIST is part of the U.S. Department of Commerce. Today, we will discuss some of the publicly available risk management frameworks and how they’ve evolved through the years and the new frameworks that address AI, as well.

[4:05] You may remember Daniel from his appearance on an episode in April 2020, when he was with the National Cybersecurity Alliance. He is back to provide some new tips for the global risk management community.

[4:18] Daniel Eliot, welcome back to RIMScast!

[4:42] Justin and Daniel comment on some things that have changed since April 2020. Daniel was at the National Cybersecurity Alliance (NCA).

[5:50] Now Daniel is the Lead for Small Business Engagement in the Applied Cybersecurity Division of The NIST. He shares his journey from NCA to NIST via the National Cybersecurity Center of Excellence, a NIST facility operated by Mitre.

[6:52] Daniel is happy to be back supporting the small business community.

[7:04] Daniel had worked in a small tech startup for almost seven years. He helped them scale the business and manage the development of their product. Next, Daniel joined the University of Delaware’s Small Business Development Center, helping tech businesses start and scale.

[8:16] Daniel applied for an SBA grant to help small businesses with cybersecurity. This was in 2014. The Cybersecurity Framework was published in 2014. Daniel applied the Cybersecurity Framework to small businesses. That started Daniel’s career in small business cybersecurity.

[9:32] There’s a new NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide. Daniel’s role at NIST is to coordinate across NIST, government, and the private sector, to create opportunities for the small business community to engage with NIST expertise.

[10:19] The RMF Small Enterprise Quick Start Guide is a product of that coordination across NIST, government, and the private sector community. In February, NIST produced the Cybersecurity Framework 2.0 Small Business Quick Start Guide.

[10:44] NIST decided to do a Quick Start Guide for a risk management framework for small to medium enterprises. The Risk Management Framework is a process. It’s a holistic and repeatable seven-step process for managing security and privacy risks.

[11:23] The NIST RMF Quick Start Guide provides an overview of the seven steps of the process, the foundational tasks for each step, tips for getting started with each step, a sample planning table, key terminology and definitions, questions to consider, and related resources.

[11:53] It’s RIMS plug time! Webinars! All RIMS Webinar registration pages are available at RIMS/org/Webinars. On August 27th, Riskonnect returns to discuss How To Successfully Deploy AI in Risk Management.

[12:12] On September 5th, Merrill Herzog makes their RIMS Webinars debut with the Role of Insurance in Building Resilience Against an Active Assailant Attack. On September 19th, Origami Risk returns to deliver Leveraging Integrated Risk Management For Strategic Advantage.

[12:28] Justin jumped ahead a bit. On September 12th, HUB International returns to deliver the third part of their Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics.

[12:44] Justin is delighted to be joined by the moderator for that session, the Chief Marketing Officer for Canada at HUB International, Linda Regner Dykeman. Justin welcomes Linda to RIMScast!

[13:13] The webinar will be at 1:00 p.m. Eastern Time on September 12th. Linda says they will be discussing current market trends and challenges. The industry has been able to produce some very strong profits over the last few years.

[13:29] The market needed correction after many years of unprofitability driven by weather events in the property line where rates seemed to be unsustainable. Casualty also had its issues, particularly with Directors and Officers Liability.

[13:47] As a result of the profitability the industry was able to achieve over the last few years, most carriers have become more competitive in growing their books of business. This competition is not being seen in all lines, segments, or geographies.

[14:04] Some catastrophe-prone zones such as BC and Alberta have not seen the same level of competition across the board. As the market transitions from a hard market to a competitive environment, there is some unusual and inconsistent behavior.

[14:21] Carriers in Canada are being more flexible with their appetite. London is looking to grow significantly over the next couple of years with goals of hitting $100 billion by 2025. Add to that NGAs who are seeing their market share change as local carriers become more competitive.

[14:39] As we transition out of what was considered to be a hard market, we see a lot of inconsistency in this market.

[14:48] Add to this the supply chain issues, which are not what they once were, the economy is flat with spending, once normalized for an increase in population, it reflects that of a market in a recession.

[15:02] We, as brokers are finding competitive solutions to protect our clients. We have to pivot and swerve to discover the right opportunities.

[15:13] We had a significant rain event in Toronto, followed by one of the worst wildfires Jasper has ever seen, seemingly a once-in-a-hundred-year event; weather catastrophes are more severe and more frequent.

[15:27] How is this going to change the availability of capacity and pricing? Time will tell, as insurers try to figure out if their pricing models included the right loadings for these events.

[15:49] Being informed by what is happening in the market; the trends, the opportunities, what’s available, and partnering with the right broker, will help a risk manager make an informed decision, appropriate for their business.

[16:11] The panelists have decades of experience and expertise across North America. They work with clients, markets, and other experts and bring a much broader perspective and experience to this session.

[16:26] Steve Pottle is the risk manager on the panel. He’s been omnipresent in RIMS Canada for years. He’s a former RIMS VP and is currently the Director for Risk and Safety Services at Thompson Rivers University. Justin says he’s one of the best and Linda agrees.

[16:57] Linda will moderate. She’ll ask the panelists questions HUB International has received from its clients, based on what they are seeing happening in the environment around them. She would also like the audience to pose some questions. Audience participation is encouraged.

[17:21] Justin thanks Linda Regner Dykeman of HUB International, and will see her again on September 12th, 2024 for the third installment of HUB’s Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics.

[17:37] Let’s return to today’s interview with Daniel Eliot from NIST.

[17:53] Daniel states that the Risk Management Framework is a repeatable seven-step process for managing security and privacy risks. It starts with preparation, categorizing, and understanding the information that your organization processes, stores, and transmits.

[18:20] Then you select controls, and implement those controls to protect the security and privacy of the systems. Then you assess, authorize, and monitor the controls. Are the selected controls producing the desired results? Are there changes to the organization that require new controls?

[18:45] You follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That’s why the framework has to be repeatable and flexible.

[19:05] NIST published this Risk Management Framework Smal Enterprise Quick Start Guide as a tool to raise awareness within the Small and Medium Enterprise (SME) Community about what the Risk Management Framework is and how to get started with it.

[19:26] This Quick Start Guide is not intended to guide you on your journey from start to finish for a comprehensive risk management implementation. It is a starting point.

[19:41] The Guide has an overview of the steps of the Risk Management Framework, some foundational tasks for each of the RMF steps, some tips for getting started, some sample planning tables, and graphics to help people understand concepts that might be new to them.

[20:02] NIST spent a lot of time defining key terminology, extracting terms out of the Risk Management Framework, and highlighting them in this Quick Start Guide. There are phrases and terms in the Risk Management Framework that some people new to it might not understand.

[20:24] For example, “authorization boundary.” The Guide highlights and illustrates what these terms mean in the Risk Management Framework and adds questions for organizations to consider and use internally for discussion. The answers may be different for every organization.

[21:12] This Guide is a derivative tool from the existing publication that went out for public comment. The Quick Start Guide did not go out for public comment but NIST has circulated Quick Start Guides to some small businesses they know to make sure it’s hitting the right note.

[21:56] Daniel monitors commentary and looks at how the Guide is received out in the world once it’s published. In every Quick Start Guide, there is an opportunity for people to contact NIST if they have questions or if there is an error. NIST is always open to feedback.

[23:03] In small businesses, Daniel finds the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer. Anyone can use the Risk Management Framework. It’s a process.

[23:25] Federal agencies, contractors to the federal government, and other sources that use or operate a federal information system typically use the suite of NIST Risk Management Standards and Guidelines to develop and implement a risk-based approach.

[23:48] A lot of the audience for this Small Enterprise Quick Start Guide might be small universities, small municipalities, or small federal agencies implementing this Risk Management Framework.

[24:27] We have time for one more break! The Spencer Educational Foundation’s goal is to help build a talent pipeline of risk management and insurance professionals. That is achieved, in part, by a collaboration with risk management and insurance educators across the U.S. and Canada.

[24:45] Whether you want to apply for a grant, participate in the Risk Manager on Campus program, or just learn more about Spencer, visit SpencerEd.org.

[24:55] On September 12th, 2024, we look forward to seeing you at the Spencer Funding Their Future Gala at The Cipriani 42nd Street in New York City. Our recent guest from Episode 293, Lilian Vanvieldt-Gray, will be our honoree.

[25:11] Lilian is the Executive Vice President and Chief Diversity, Equity, and Inclusion Officer at Alliant Insurance Services and she will be honored for her valuable contributions to supporting the future of risk management and insurance.

[25:28] That was a great episode, so after you finish this one, please go back and listen to Episode 293.

[25:34] Let’s conclude our interview with Daniel Eliot of NIST.

[26:10] Daniel introduces the U.S. AI Safety Institute, housed within NIST. It’s tasked with advancing the science, practice, and adoption of AI safety across the spectrum of risks, including those to national security, public safety, and individual rights.

[26:39] The efforts of the U.S. AI Safety Institute initially focused on the priorities assigned to NIST under President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.

[26:51] On July 26th, 2024, they released resources for a variety of aspects of AI technology. Two are new to the public. The first is an initial public draft of a guidance document intended to help software developers mitigate the risks of generative AI and dual-use foundation models.

[27:19] The other is a testing platform intended to help AI system users and developers measure how certain types of attacks can degrade the performance of an AI system. These are two opportunities for the public to provide comments on these publications and tools.

[27:49] There is a link to the call for comments in this episode’s show notes.

[28:03] At NIST, foundational publications go out for public comment. NIST wants to hear from U.S. citizens and people all over the world to get their perspectives on NIST’s approach to what they’re addressing. This is a community effort. Comment periods are important.

[28:37] From Daniel’s perspective of small business, he seeks the comments of small businesses on these publications. Authors need to hear from organizations, large and small.

[28:53] These two new publications are open for public comment.

[28:59] three releases are final publications. One is The AI Risk Management Framework Generative AI Profile, which helps organizations identify unique risks posed by generative AI. It includes actions for generative AI risk management.

[29:34] A second publication is the Secure Software Development Practices for Generative AI and Dual Use Foundation Models. It addresses concerns about Generative AI systems being compromised with malicious training data that would adversely affect system performance.

[30:16] The third publication is A Plan for Global Engagement on AI Standards. It’s intended to drive worldwide development and implementation of AI-related consensus standards. Standards require global input from businesses, governments, non-profits, and academia.

[30:57] These three final publications have been informed by public comment periods. They’re ready to hit the ground running and people can put them into action.

[31:15] Daniel is part of the Applied Cybersecurity Division of NIST. The U.S. AI Safety Institute is a different part of NIST.

[31:44] Every once in a while, public comments receive spammy messages.

[32:23] Daniel says all cybersecurity and privacy risk management comes back to governance and having policies and procedures in place, knowing your contractual and legal responsibilities. Organizations need policies that guide behavior for the appropriate use of AI in their business.

[32:59] Individuals in companies have pasted confidential company information into publicly available AI systems. That creates a vulnerability. Have a policy around the use of these tools.

[33:31] Criminals have used AI to upgrade phishing scams, reduce grammatical errors, and craft more convincing appeals.

[35:00] NIST is raising awareness of different ways of identifying phishing attacks besides looking for grammatical errors, such as looking at the links and the calls to action and other factors that show it is a phishing scam. AI is contributing to their increasing sophistication.

[35:43] Daniel shares his tip for new risk professionals. Familiarize yourselves with the suite of resources that NIST has available for cybersecurity and privacy risk management. They have a broad variety of risk management frameworks and resources, like the Quick Start Guide.

[36:42] There are online courses, extensive FAQs with answers, and archived talks from SMEs. Take advantage of these resources. Also, let NIST know what other resources might be helpful to you. The core of NIST guidance for any framework is good governance.

[37:21] Understand your mission and requirements. Create and maintain policies for good behavior. Understand your supply chain dependencies and vulnerabilities. Good governance sets your organization up for success when implementing and monitoring risk-mitigating controls.

[37:56] NIST offers consistent, clear, concise, and actionable resources to small businesses. Since 2018, they have maintained a website, NIST Small Business Cybersecurity Corner, with over 70 resources on the site, all tailored to small businesses. The Quick Start Guides are there.

[38:32] The resources include short videos, tip sheets, case studies, and guidance organized by both topic and industry. All the resources are free and produced by federal agencies, such as NIST, FBI, CISA, as well as nonprofit organizations. It’s a one-stop shop for this information.

[39:04] The resources are regularly updated and expanded to keep the content fresh and relevant. The resource library has the Cybersecurity Basics Section, with eight basic steps businesses can inexpensively implement to reduce cybersecurity risks.

[39:28] The Cybersecurity Framework Page highlights the CSF and small business resources related to the CSF. There is topical guidance on Multi-Factor Authentication, Ransomware, Phishing, Government Contracting Requirements, and Choosing a Vendor or Service Provider.

[39:53] All the resources are available at NIST.gov/ITL/SmallBusinessCyber. The link is in this episode’s show notes. The resources are there for you to use in your organization.

[40:30] Justin says, “It has been such a pleasure to reconnect with you here on RIMScast! I always love it when you post on LinkedIn! I think you’re great! You’re keeping me informed. Happy National Cybersecurity Awareness Month to you!”

[40:55] With developments in tech and AI, cybersecurity has taken a back seat, but Justin says it will come back pretty hard. Justin feels it will be sooner than four-and-a-half years for Daniel to return to RIMScast.

[41:23] Whatever new technology comes out, cybercriminals are looking at it to see how they can exploit it. There will always be a cybersecurity component to it.

[42:05] Daniel Eliot, thank you so much for rejoining us here on RIMScast!

[42:10] Special thanks again to Daniel Eliot of NIST for rejoining us here on RIMScast. Lots of links are in this episode’s show notes to aid small enterprise owners and risk professionals.

[42:25] These resources are publicly available and complimentary, so by all means, use them and leverage them to ensure your organization’s cyber resilience. I’ve got lots of links in this episode’s show notes for more cybersecurity coverage from RIMS, as well.

[42:44] It’s RIMS plug time! The RIMS App is available to RIMS members exclusively. Go to the App Store and download the RIMS App with all sorts of RIMS resources and coverage. It’s different from the RIMS Events App. Everyone loves the RIMS App!

[43:18] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.

[44:02] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.

[44:20] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[44:36] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.

[44:58] Thank you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:

DFW RIMS 2024 Fall Conference and Spa Event | Sept 19‒20

Chicagoland Risk Forum 2024 — Presented by RIMS Chicago Chapter — Sept. 19, 2024

RIMS Western Regional — Sept 29‒Oct 1, Oregon | Registration is open!

RIMS Canada Conference 2024 — Oct. 6‒9 | Registration is open!

Spencer Educational Foundation — Funding Their Future Gala 2024 | Sept. 12, 2024

RIMS ERM Conference 2024 will be in Boston, MA Nov. 18‒19 | Register Now

RIMS ERM Award of Distinction — Nominations Open Through Aug. 30, 2024!

RISKWORLD 2025 will be in Chicago! May 4‒7

Education Content Submissions for RISKWORLD 2025

NIST Risk Management Framework Small Enterprise Quick Start Guide Cybersecurity Framework 2.0 Small Business Quick Start Guide

NIST Small Business Cybersecurity Corner

U.S. Artificial Intelligence Safety Institute

New Guidance and Tools to mitigate AI Risks

Managing Misuse Risk for Dual-Use Foundation Models

Testing How AI System Models Respond to Attacks

Users can send feedback to: dioptra@nist.gov

RIMS DEI Council

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RIMS Strategic & Enterprise Risk Center

NEW FOR MEMBERS! RIMS Mobile App

RIMS Webinars:

How to Successfully Deploy AI in Risk Management | Sponsored by Riskonnect | Aug. 27, 2024

Role of Insurance in Building Resilience Against an Active Assailant Attack | Sponsored by Merrill Herzog | Sept. 5, 2024 HUB Ready for Tomorrow Series: Pivot and Swerve — Staying Agile During Shifting Market Dynamics | Sept. 12, 2024 Leveraging Integrated Risk Management For Strategic Advantage | Sponsored by Origami Risk | Sept. 19, 2024 RIMS.org/Webinars

Upcoming Virtual Workshops:

Leveraging Data and Analytics for Continuous Risk Management (Part I) 2024 — Aug 15

See the full calendar of RIMS Virtual Workshops

RIMS-CRMP Prep Workshops

Related RIMScast Episodes:

“Daniel Eliot’s 2020 RIMScast Debut: Cybersecurity Tips for Small Businesses”

“300th Episode Spectacular with RIMS CEO Gary LaBranche”

“Mid-Year Risk Update with Morgan O’Rourke and Hilary Tuttle”

“Emerging Cyber Trends with Davis Hake”

“Cybersecurity Awareness Month with Pamela Hans of Anderson Kill”

Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST

RIMScast

13 subscribers

published 1d ago