As cybersecurity continues to mature and stay at the top of everyone’s mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates to involving the business and reducing risks associated with its valuable assets.
Blocking every threat would be nice but is cost-prohibitive (not to mention nearly impossible). Instead, organizations are responsible for allocating resources to reduce areas of cyber risk within their defined tolerance levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.
The NIST CSF was first published in 2014 under the Presidential Executive Order of ‘Improving Critical Infrastructure Cybersecurity,’ which called for a standardized security framework. Existing frameworks like NIST 800-53 and ISO 27001 provided specific controls and processes, while the creation of NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security program from a more strategic, business-centric view.
Why use NIST CSF?
One of the major benefits of NIST CSF is that it’s far less prescriptive than other cybersecurity standards as it is more open to adaptation. Any organization can use NIST CSF to identify and fill gaps in their cybersecurity program. That said, while the framework can be useful for achieving compliance goals, it is not a compliance exercise. Instead, it’s a tool to assess, identify risks and put controls in place to address them.
The framework categorizes cybersecurity maturity in four tiers:
- Partial: Controls are put in place ad hoc and issues are mitigated reactively.
- Risk-informed: Controls are in place but usually not organization-wide.
- Repeatable: Controls are formally approved and consistently implemented.
- Adaptive: Controls are continually updated to reflect current threats and activities.
Moving from one tier to the next requires a cultural change, investment of time and resources, and formal coordination between cybersecurity and the rest of the departments within the business.
NIST CSF provides a ‘closed-loop’ for continuous improvement in cybersecurity. By regularly assessing the current state of different controls and setting objectives for improvement, an organization can systematically reduce cyber risk.
Incorporating NIST CSF into your cybersecurity program
The framework does not meet every organization’s needs, nor is it intended to replace others. NIST CSF is a descriptive (not prescriptive) framework, designed to be adapted to the needs of any type of organization. To get the maximum benefit, security leaders need to assess where the framework fits within the company’s needs and where it doesn’t. They also need to be mindful of the framework’s gaps (e.g. emerging technologies) that might be overlooked and consider complementing the framework’s controls with others specifically designed for the current business and security challenges.
Organizations aren’t limited to using one cybersecurity framework. NIST CSF works well with other available frameworks, which may incorporate a blended set of controls because they fit both business and security needs. This is also applicable when an organization intends to obtain a certification (e.g. ISO/IEC 27001) or needs to meet regulatory requirements.
In addition, if the organization is coming from a place of low cybersecurity maturity, NIST CSF can be the stepping stone to build a foundational cybersecurity program. The next step would be to develop a reasonable and attainable roadmap to improve that maturity toward the future state.
Through the process, it is vital to get the buy-in from the business. This is to ensure that security is built into the culture and that the framework is formally integrated, aligned, and prioritized in the day-to-day operations.
NIST CSF assessments
A NIST CSF assessment is not an audit but rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year; however, in less regulated or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.
A typical NIST CSF assessment follows three steps:
- Step #1: Interviews and workshops with relevant subject matter experts and control owners.
- Step #2: Review of documentation (policies, standards, and procedures) and evidence of controls in place.
- Step #3: Report on the detailed findings, risks, and recommended steps to remediate control weaknesses or gaps in the current cybersecurity program.
It’s important to work with a qualified, independent assessor who has seen how the controls are applied across different industries and similar organizations. An experienced assessor can give organizations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate ‘hot topics’ during the risk assessment, ensuring the organization is well protected.
Leveraging a professional brings many benefits for an organization, including:
- Uncover control weaknesses and hidden/unknown risks. Interviews include discussions on how and where systems are connected and protected, which often uncover unknown risks. This is likely to happen when operational and security departments act as silos and/or don’t have formal and centralized processes.
- Identify areas where additional resources would help reduce risk. Risk reduction is fundamental, and NIST CSF assessments are valuable to identify the most important areas for investment of human, technology, and financial resources.
- Realign cybersecurity priorities based on independent perspectives. It’s easy for decision-makers to ignore internal voices, but harder to do so with an unbiased independent assessment.
- Address questions from executive management. An assessment provides an impartial answer to “Are we covering all major information security risks?” and boosts executive confidence in the program.
If you choose to work with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risk.
Risk assessment for Covid-19 and beyond
Covid-19 showed us the importance of having plans in place to address business continuity, security in the supply chain, and vendor risk focused on the resources that affect the organization’s upstream and downstream operations. Many organizations found themselves in the uncomfortable position of having to alter business operations because they didn’t assess or develop action plans.
Leveraging the NIST CSF, organizations can work on their cybersecurity maturity in a time when threats are constantly on the rise. Having a qualified assessor review your organization’s cybersecurity program, specifically using NIST CSF, can be helpful to identify risks that aren’t intuitively obvious but could cause serious disruption when they become a reality.
Cory Steinbicker, Senior Advisor – Strategy & Governance, Kudelski Security