Initially developed for critical infrastructure, the framework for improving cybersecurity established by the National Institute of Standards and Technology is now referred to simply as NIST CSF.
At the core of NIST CSF are five functions, with 22 categories distributed among them, which together provide a roadmap for organizations to follow in strengthening their defenses against cyber threats. Think of it as a common language that can be understood from the top to the bottom of your organization, regardless of size or industry. Rather than a compliance mandate, it is a customizable strategy that can be applied to an existing security program or used to build one from the ground up.
Here are five reasons your organization should take advantage of NIST CSF.
It will help you understand the risks your company faces.
The first function of the NIST Core is “Identify”, which they define as “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
Hopefully your security program has already performed a risk assessment. If not, put it at the top of your to-do list so you can then develop a risk management strategy. NIST CSF makes this process a standard part of protecting your organization and its assets by breaking it down into the following categories:
- Asset Management – data, personnel, devices, systems, facilities, etc.
- Business Environment – your organization’s mission and objectives, used to establish cybersecurity roles.
- Governance – the management of cybersecurity risk via policies and procedures.
- Risk Assessment – gaining an understanding of the specific risks to your organization and your operations.
- Risk Management Strategy – how you prioritize your strategy to protect your organization from cyber threats.
It will prepare you for future legislation and regulation.
NIST CSF is completely voluntary, at least for now. However, it wouldn’t be surprising to see elements of the Framework adopted by future regulations, or to see the Framework become a requirement for every company that has access to sensitive data. In fact, we can learn a lot from the GDPR (General Data Protection Regulation), which is set to become the compliance standard in the EU.
The GDPR requires all organizations, regardless of location, to “implement appropriate technical and organizational measures, and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
This is referred to as privacy by design and default, which is a concept that has been around for a while and one that many compliance regulations utilize in one form or another. The NIST CSF has this baked into its general structure in a tiered approach starting with the five functions and their 22 categories.
By adopting the Framework, your security program will not only be more resilient to cyber-attacks, but will automatically be prepared to make adjustments as new legislation comes down the pike.
It’s 100 percent inclusive.
What is meant by inclusive is that the Framework fits all organizations regardless of size or industry. It is not specific to health care, finance, or education. Rather, it is completely flexible and easily adaptable to existing programs.
It’s also cost-effective. Outside of perhaps a few technological upgrades, the Framework is a concept, not a product. It is a business strategy that measures the bottom line of security efforts and identifies desired outcomes by utilizing three primary components: the Core, Implementation Tiers, and Profiles. These components work together to create an overall strategy that covers things like risk assessment, asset management, access control, employee training, policies, and incident response.
It will help communication across your entire organization.
Communication is one of the key elements for success in business and cybersecurity alike. NIST CSF creates a language that can be understood from the highest levels of IT and management to the front desk.
This top-down approach stokes company-wide involvement and naturally creates a culture in which your employees and co-workers understand the scope of their roles. This is especially imperative when security events occur. Time is of the essence, and the sooner an organization as a whole can identify and respond to an event, the easier the path to recovery. That is much more difficult without a clear flow of communication, which is what the Framework is built on.
It utilizes a continuous learning model.
Here are the five functions of NIST CSF and their definitions:
- Identify – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
- Protect – “Develop and implement the appropriate safeguards.”
- Detect – “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
- Respond – “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
- Recover – “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”
The next step is Repeat. This approach to security creates a cycle in which the organization continuously identifies its weaknesses and builds on its strengths. Security awareness programs greatly benefit from continuous learning as a way of training employees. NIST CSF takes that to the next level by applying it to every aspect of running a business, as illustrated below (which comes directly from the NIST website):
To learn more about the NIST Cybersecurity Framework and what it can do for your organization, be sure to check out the official website, which has a ton of great resources such as FAQs, instructional videos, presentations and much more: https://www.nist.gov/cyberframework