The cybersecurity threat and the need to ensure compliance continue to loom large in the business world. Boards and management want to know the current status of their cybersecurity posture, but it can prove difficult to get straight answers.
Overworked cybersecurity teams often lack the resources to do a thorough job and the skills shortage is worsening year after year. When IT and cybersecurity professionals were surveyed by ESG, 51 percent of respondents claimed that their organization had a problematic shortage of cybersecurity skills, up from 45 percent in 2017.
In the face of an ever-changing threat landscape, security professionals can use all the help they can get, and an effective framework can prove enormously helpful.
What is the NIST CSF?
NIST’s Cybersecurity Framework (CSF) is a crowdsourced set of best practices to help you analyze your cyber risk posture and work towards improving it. The product of a partnership between some of the best cybersecurity talent from the public and private sectors, this framework can be overlaid on top of your existing risk management frameworks and security programs.
Because it’s a customizable framework, it’s something that every organization can benefit from, irrespective of the type of business that they are in. It can also be usefully applied to small and mid-size businesses, not just large organizations. The NIST CSF encourages you to consider your business goals, understand your risk tolerance, and learn where your cybersecurity efforts should be focused.
And since better cybersecurity is a journey, rather than a destination, it also helps you measure your improvement over time, so you can see where you are, compared to where you want to be.
Preparing to adopt NIST CSF
To get the most from the NIST CSF you need to build a solid foundation for its implementation and that starts with management buy-in. This framework enables you to take a risk-based approach to security and so you need to engage the business to best understand the potential impact of different threats. It’s not a one-size-fits-all solution; it requires some tailoring.
In creating a methodology to identify, implement, manage and measure your program and your posture, it’s vital to consider how you are going to effectively communicate cyber risk to the business. Identify crucial data and delineate the biggest risks from a business perspective. The priorities for a manufacturing firm will be very different from those of a financial institution or a healthcare organization.
Practically speaking, build a comprehensive list of your data and devices — you need a full asset inventory. Identify your system vulnerabilities and ensure that you understand how best to manage them. Put systems in place to detect incidents in a timely fashion and test them to make sure they’re working as expected. Put a clear incident response plan in place and ensure everyone understands their roles and responsibilities regarding cybersecurity and test it on a regular basis with tabletop exercises.
Leveraging the framework
Having prepared by taking time to discuss business objectives with the relevant people, you should have a good idea what it is you’re trying to protect and where the greatest risks of major impacts to the business lie. That first, thorough risk assessment against the NIST CSF will serve as your baseline, and it’s necessary to enable you to develop your target profile and discover the gaps between the two, so you can fill them.
The NIST CSF is not a checklist; it’s supposed to be adapted to your business needs, taking your requirements and constraints into account. Think of it as a way to establish triage for your cybersecurity efforts, so you can extract maximum value from your available resources, and not only achieve but maintain compliance.
Employing the NIST framework core functions
While the NIST CSF has five core functions — Identify, Protect, Detect, Respond and Recover — they shouldn’t be treated strictly as a series of steps to be completed chronologically, but rather as a set of principles to be balanced in parallel.
Break them down into manageable tasks.
Identify risks to your systems, data, and assets. Consider visibility, because it’s only once you know what you must protect that you can effectively prioritize and carry out accurate risk assessments.
Protect your digital and physical assets by limiting access. Make sure you have security awareness training in place. Consider how to secure data integrity and maintain assets.
Detect anomalies through continuous monitoring — and ensure they’re flagged for the relevant people. Remember that you’ll need a baseline of normal traffic and behavior before you can hope to detect anomalies.
Respond to incidents swiftly to limit the damage. Develop a clear response plan, establish lines of communication between responsible parties on the business and IT side, and collect data about incidents, so you can analyze it and revise strategies as needed.
Recover from events and restore services. Follow a comprehensive recovery plan, bearing in mind that you’ll probably need to coordinate with external parties. Make sure you have a clear understanding of the actions required to recover swiftly and successfully.
The precise specifics of your NIST CSF implementation will depend heavily on your business, but this personalization also makes it more effective. Accept that it takes time and experience to craft and hone a truly effective framework, but with the right metrics and a commitment to develop and improve, the NIST CSF will have a profoundly positive impact on your security and compliance.