Shortly after the 9/11 terrorist attacks rocked the United States in 2001, the National Institute of Standards and Technology began awarding grants to companies to support private-sector initiatives aimed at protecting America’s critical cyberinfrastructure. NIST is a nonregulatory arm of the U.S. Department of Commerce, and at that time, it was one of the first organizations working to help businesses (small and midsize businesses, in particular) find ways to protect themselves against cyberattacks.
In May 2017, U.S. President Donald Trump signed an executive order requiring federal agency heads to use the NIST Cybersecurity Framework, also known as the CSF, to manage their agencies' cybersecurity risk. For private-sector organizations, however, Kevin Stine, chief of the Applied Cybersecurity Division at NIST, has reiterated that the CSF is voluntary: a tool that organizations can reference and a yardstick by which to measure their own progress.
Some common framework misconceptions
Although the NIST agency has been around since the early 20th century, it’s not exactly well-known outside of technology circles. Even in those circles, there exist some common misconceptions about what NIST actually is or does.
CSOs, CISOs, and other security leaders often confuse the organization with the cybersecurity framework that it has developed. Although the framework has been more widely adopted in recent years, some business leaders are still under the impression that it applies only to government organizations. Fortunately, that’s not the case. Everyone can — and should — apply it to their businesses.
Because NIST is a nonregulatory agency, it neither mandates the framework for private organizations nor certifies anyone as compliant with it; there is no official "NIST CSF certification." What makes the framework valuable is that it has been widely adopted, it's easy to understand, and it was thoughtfully developed. It has also evolved with the times: the digital world now looks very different from the landscape of two decades ago, and the framework gives security professionals a common lexicon for managing risk in an always-changing business environment.
Nor do companies need to adopt every part of the framework to see positive results. In a survey of IT and security professionals conducted by Dimensional Research, 64 percent of respondents said they had applied only parts of the framework. Partial adoption can still deliver value, and breaking the process into stages is often the practical choice for organizations just beginning the adoption journey.
Putting the framework to work
All of the above are reasons to feel good about relying on the framework when assessing your cybersecurity posture. However, don’t forget the following principles as you do:
1. Start with why.
Simon Sinek’s advice (“Start with why”) has become gospel among marketing and internal communications professionals, but it’s equally applicable to leaders of cybersecurity initiatives. The answer to the “why” provides the North Star you will need to efficiently invest in the solutions and people required to implement those portions of the NIST framework that make the most sense for your business.
If you are a CSO, CISO, or another tech leader, you should always make decisions using a why-what-how approach. Without first articulating why you need particular tools or personnel, you'll find it hard to get buy-in from other executives as you develop your security program. Even if you already have that buy-in or the freedom to make your own decisions, don't simply start buying tools and hiring staff. Build your plan around objectives rather than specific technologies and you will have an easier time conceptualizing and communicating its importance.
"Why" will also inform your Framework Implementation Tier, which describes how your organization views cybersecurity risk and how rigorous its processes for managing that risk are. Recall that the tiers describe the degree to which your risk management practices exhibit the framework's characteristics, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). NIST is explicit that the tiers are not maturity levels to be climbed for their own sake; moving to a higher tier is worthwhile only when it reduces risk at a cost the business can justify.
Lastly, understanding your "why" will inform the Framework Profile(s) you develop for your industry, company, or department, as identified through your risk management processes. A Profile aligns the framework's outcomes with your mission, risk tolerance, and resources; comparing a Current Profile (where you are today) with a Target Profile (where you need to be) exposes the gaps and sets the priorities. Profiles are essential to making your plans consumable across roles, which facilitates security investment discussions with C-suite executives and lets you measure progress against objectives.
2. It takes more than one party.
There's no panacea when it comes to cybersecurity, and that's true whether you're a tiny startup or a massive Fortune 500 company. The NIST framework helps you understand and address your security needs in terms of its five core Functions (Identify, Protect, Detect, Respond, Recover), and it can be a great starting point for your organization. Even selective adoption can yield results, and the framework was designed so that you can tailor it to support your specific business objectives.
That said, the shared responsibility model of PaaS and the nebulous relationships between cloud entities can make visualizing your infrastructure, and thus your security posture, difficult. Simply put, the cloud comes with a lot of unknowns, and things can easily go wrong. Depending on the complexity of your infrastructure, you'll likely need to partner with multiple third parties to ensure that you've covered all your bases. Partnering shares the work, not the accountability: the framework's Identify function explicitly covers supply chain risk management, so those third parties belong in your Profile too.
3. Focus on people.
When thinking about NIST’s guidelines and other cybersecurity frameworks, it’s often easy to forget about the people who build and manage them, and who they’re ultimately in place to protect. Regardless of which strategies and technologies you decide to implement, you’ll need the right people to help you ensure that they work effectively — that includes everyone from the C-suite to the newest entry-level employee.
Just as it's important to communicate your why, it's also important to humanize your governance plan as much as possible. Remember, people will be spending valuable time and energy working toward it. Without articulating how your plan will directly affect the individuals on your team, you may find it hard to keep them motivated. Similarly, be thoughtful about assigning ownership of key tasks, and give each function a single accountable owner. When two people are responsible for the same function, it's easy for each to assume that the other is handling it, and gaps like that are often at the heart of costly data breaches.
Editor's Note: Since publishing the article, we've been contacted by NIST, saying that while Kevin Stine is talking about private industry in the second paragraph, the Cybersecurity Framework is *not voluntary* for federal agencies.
Pete Thurston, chief product and solutions officer, RevCult