Corporations have struggled to manage cybersecurity risk for years, and now they have a new tool to help them bring order to chaos: a new and improved cybersecurity risk management framework, released at the end of February by the National Institute of Standards and Technology.
NIST, as the organization is known, publishes all manner of risk management frameworks, including for related challenges such as privacy, data security in defense contracting and artificial intelligence. Since 2014 one of its premier pieces of guidance is the NIST Cybersecurity Framework (CSF) – and last month, NIST released a Version 2.0.
CISOs, risk managers, internal auditors, and anyone else charged with worrying about cybersecurity risk would do well to give “CSF 2.0” a read. The framework and its companion resources are freely available and are expressly designed to be useful to any organization, of any size or industry.
So let’s take a look at CSF Version 2.0 (it’s only 32 pages long), and consider how you might put it to best use in your own organization.
How the NIST Cybersecurity Framework works
NIST published its first CSF framework in 2014 specifically for critical infrastructure companies, and in 2018 published a Version 1.1 intended for a much wider audience. Rather than define a long list of security controls that a business might implement, the CSF defines a series of security outcomes a business should want to achieve.
The exact controls a CISO might implement to achieve those outcomes are left to the CISO to decide, in consultation with their management team. The purpose of the CSF is simply to help the CISO, senior management, and the board think about those questions in a more productive manner.
CSF Version 2.0 continues down that path, with lots of practical advice and resources along the way.
For example, the first part of the CSF is known as “the Core.” It defines six basic capabilities that a cybersecurity function should be able to do:
- Govern the organization’s security by establishing a clear strategy
- Identify cybersecurity risks and threats
- Protect the company’s IT and data assets
- Detect when an attack is underway or a risk is too high
- Respond by using counter-measures to neutralize the attack
- Recover back to the organization’s normal state of operations
OK, that’s easy enough to grasp. The CSF then provides more detail, breaking down each of those six functions into “categories” and “sub-categories” to give you a more precise understanding of what your technology and people will need to be able to do, if you want to achieve those six capabilities.
The next part of the CSF helps you understand how well your business is or isn’t achieving those capabilities right now. Known simply as “CSF Profiles,” the framework walks you through the steps to identify your current profile (for example, “we’re strong at identifying risks but our response capability is a mess”) and your target profile (“and we need to take these steps to achieve the response capability we want”).
The final part of the CSF is a set of “tiers” that help the CISO understand how mature and robust your cybersecurity function is. The CSF defines four tiers, which might sound familiar to anyone who has used frameworks before:
- Partial, where you have only rudimentary security capabilities
- Risk-informed, where you at least have some sense of which risks need attention first, but you still struggle to address them
- Repeatable, meaning the security function works and can scale up, although it might struggle to address new risks
- Adaptive, where the security function can easily incorporate new risks and responds to threats swiftly and appropriately
You can see how this all fits together. The CSF helps senior management understand what a strong cybersecurity function should do (the Core); how far your current cybersecurity function is from that ideal state (the Tiers); and what will be necessary to close that gap (the Profiles).
How to Put the NIST CSF to Work
At this point you might be wondering, “Is this just a device to help me talk about cybersecurity? What about actually doing stuff, to help us stay in compliance?”
Don’t panic. The NIST CSF is a device to help senior management talk about cybersecurity – but the importance of senior management talking about cybersecurity is paramount. It’s how leaders from across the whole enterprise reach a consensus to say, “Yes, these cybersecurity steps are what we’re going to do,” so the rest of the workforce will follow.
Once those conversations happen, then the CISO can move forward with more specific policies, procedures, and controls – many of which might be guided by other, more exacting NIST frameworks that do include long lists of controls. (They could also be guided by ISO standards, the COSO framework, or other frameworks for privacy and cybersecurity.)
This is also where strong GRC software enters the picture. Keeping your internal control work on track – that is, keeping it in line with the vision for cybersecurity that you developed using the CSF – is no easy task. You’ll need tools to map existing controls to framework requirements, to assign tasks to specific “control owners,” and to generate alerts when those owners don’t do their required tasks according to schedule.
In other words, GRC technology to build a robust cybersecurity program – that’s the edifice sitting atop a strong, deep foundation. CSF is the framework that builds that foundation, by letting senior executives understand where their organization is right now and where it needs to be for strong security and compliance.
Ready to learn how NAVEX can help you align to relevant cybersecurity frameworks and improve your cybersecurity program? NAVEX IRM can get you started in days, not months with Out-of-the-Box solutions, and can be easily scaled and customized as your needs evolve.
