NIST Cybersecurity Framework: Fifth, Iterate and Adapt

By: Josh Mayfield | 8/29/2018

We come at last to the final stop on our journey to implement the NIST Cybersecurity Framework (CSF). In previous posts, we’ve looked at how to identify, protect, detect and respond to security risks. Here, with the final pillar of the NIST CSF, Recover, we get a chance to reflect on what has happened and incorporate that new knowledge to improve our people, process, and technology for greater cyber resilience.

Before looking at the tactics to enhance recovery from security incidents, it is important to note a shifting tide in the cybersecurity mindset. For decades, IT security teams woke up, poured a cup of coffee (or depending on your preference, cracked open a Red Bull), checked in on the latest office gossip, sampled the mind candy of social media and then…filled the rest of their waking hours with a looming assumption directing their actions: risk.

This seems reasonable. After all, we live in a world with plenty of danger. But in the past half-decade or so, this frame-of-mind has transformed from the assumption of risk to the assumption of compromise. It is here, in this mental state, that we can honestly approach the first sub-goal in the Recover pillar: Planning.


Think about it. If we close our minds to the possibility of compromise, how could we plan for recovery? If the first event (the compromise) is ruled out, we lose our ability to plan for it. Imagine being saddled with the belief that you are immortal. Would you create a will? Take out a life insurance policy? Find godparents for your children? Of course not. Your mythical belief directs your actions in the present, including a refusal to plan for the inevitable fate toward which we are all hurtling.

One of the most important aspects of human reasoning is that we strive to know the truth. And the truth is that compromise will happen: user error, targeted attacks, lost or stolen devices, accidentally leaving an AWS S3 bucket open. Planning for these unfortunate events will go far to recover swiftly and rearm for a stronger cyber future.

When preparing for compromise, processes and procedures need to have a focal point, namely, to restore systems, data, access, applications, and users. It can be tempting to go with our gut during a security event. Panic sets in and we use rules of thumb and bias to guide our decisions. But the beauty of the NIST Recover pillar is that it gives us the opportunity to develop plans when our emotions are not at a boil. Whichever procedures are fitting for your organization, planning consists in the maniacal pursuit to restore order: pressing procedures into a goal-directed aim as opposed to process for the sake of process.

By asking ourselves, “Does this part of the plan ensure restoration? Does it raise the probability of adequate (and speedy) recovery?” we get to pull back from bias and best guesses and come to grips with the goal: timely restoration.

Improve Identify, Protect, Detect & Respond

The second portion of the Recover pillar is a call to improve our other four disciplines—identify, protect, detect, respond—by weaving our new knowledge into our cyber defenses, along with our recovery plans for future incidents. It is at this point we are confronted again by the five essential questions that demand answers.

  1. What could happen? Security posture
  2. What should happen? Security policy
  3. What would happen? Security modeling
  4. What is happening? Security monitoring
  5. What did happen? Security investigations

By addressing these five questions, and bringing our hard-won knowledge to the table, we calibrate our NIST CSF disciplines to be sharper than ever, because we are allowing the world to tell us whether our theories about it are true. Was our posture strong enough? Which policies need revision? Which controls would alter the model? Were we seeing everything when monitoring? What clues are missing from the twisted metal in the wreckage?

Knowledge of what has happened in the real world plays a critical role in improving cyber resilience.

Finally, our communications are laid bare and probed for weaknesses so that we can coordinate information more effectively. We humans have a swollen cerebral cortex, which craves any opportunity to consume information. We are Informavores: we eat information. The goal of communication is information transfer; indeed, it is knowledge transfer.

There are four groups of Informavores we need to feed when communicating during recovery: the general public, affected data subjects, governments, and internal stakeholders. For the general public, communication needs to foster a sense of responsibility and resolve to improve cyber defenses. It does little good to raise your shoulders when telling the public about your most recent security incident; they simply do not care. The burden of responsibility is on the custodian…your organization. Just as stockholders hold management responsible for a company’s performance, the general public views your organization as a data guardian-by-proxy.

Communication to the general public is best when adopting consecutive, logically flowing statements: 1) this is what happened, 2) this is how we failed, 3) this is what we’re doing to make it right. There is no place for finger-pointing, shifting blame, or howling for the world’s sympathies. You won’t get it, so why waste your breath? Tell them the truth (including your own failures) and let them know that you’re taking steps to lower the probability of a repeat occurrence.

Second, we have to spoon information into the heads of those whose data have been affected. These include customers, business associates, and partners whose information has been compromised or stolen. Here too, we get a lot of mileage out of simply telling the truth. Not only can you lower the outcry of those data subjects miffed by the compromise, you can engender a newly discovered warmth and empathy. When stating the facts of the case, others can readily see themselves in your situation: “There but for fortune, go I”.

Then come government authorities, usually law enforcement. It may seem odd to see how criminal investigators perceive the organization that has suffered a compromise, like blaming someone whose home has been burgled. However, the fiduciary responsibilities of any organization or company are a risk that comes when you open your doors for business. As the information garrison, you are accountable for safeguarding this data and may need to have difficult dialogues with badged officers of the law.


Openness and a commitment to not take things personally will be your best guide. Give them the facts, allow them to reach independent conclusions, and keep your mind open to the possibility that a trained investigator may find something you could have missed. When this happens, you are the one receiving the forked chunk of information.

What should you do with this new knowledge? Well, we just saw how knowledge and information act recursively, feeding back into our processes and procedures to improve cyber resilience. Would you scorn this education? Certainly not. Which is why our prompts and base materials (the facts of the security incident) are so important for investigators to derive true conclusions from true premises.

Finally, there are internal stakeholders who care deeply about what has happened to the most precious resource in the universe: information. That statement looks like it is dripping with hyperbole. But when you consider how information and knowledge are deployed in ingenious ways, the picture becomes clear. Let’s take an example from our continuing successful campaign against disease and pestilence.

Hop in the DeLorean and take a ride back to the year 1650. Your local town has been ravaged by an infectious and painful disease that kills people in hours or days. Not only are you unaware that microbes are causing your friends and neighbors to die in agony, but you are terrified of what could become of your own health, body, and life. There, within sight, a mere three strides from you is a basin sitting next to an open hearth warm with fire. You could take your family’s drinking water and boil away the microbes thus avoiding the pathogens that will certainly leave you in a tomb. But you don’t know to do this.

From a close vantage point, it is easy to see that the disease (in this case, cholera) slaughtered millions, but the ultimate reason for the tragedy was lack of knowledge. Knowledge placed human feet on the moon, allowed a single species to dominate every ecosystem, lets mothers live to see their newborns, and ultimately, is what helps eradicate diseases.

If gold is the raw material for a Swiss timepiece, if heated homes come from methane gas, and if fine porcelain originates with clay, then you can see how knowledge (the knowledge needed to change the world) follows from information as the source material. If you were in the jewelry, energy, or pottery business, would your internal stakeholders care about the fate of compromised or stolen loads of gold, gas, or clay? The question tiptoes toward the rhetorical. Of course they would.

It’s easy to repeat the standard clichés about an ‘information economy’. All economies are information economies. More appropriately, we can classify our contemporary world as a ‘digital economy’ where matter and materiel have been replaced by bits and bytes. Communicate with your colleagues, demonstrate what happened, and bring them up to speed on your steps to decrease risk in the future. You owe them that. You’re handling the source material that propels us onward to our destiny.


We have come to the end of our journey to uncork the NIST Cybersecurity Framework. We have spilled tanker ships of digital ink on the subject, so I will not belabor the point here. To wrap up, let us return to my initial suggestion to see the NIST CSF as a gateway to realize effectiveness and efficiency.

There are two clear benefits for security teams using the NIST CSF: 1) formalize security disciplines, and 2) scale security operations. On the first point, cybersecurity teams have a wealth of knowledge and are capable of delivering world-class data protection for their organizations. When wrapping a structure around their abilities, the NIST CSF puts focus on methods and improves effectiveness: you’re doing the right things. As for the benefit of scale, security teams can do more even when they’re saddled with a staff and skills shortage, because you’re doing things right.

We started with a word of encouragement to avoid anxiety and fear when cutting a path to adopt the NIST CSF. Throughout the series, I’ve attempted to demystify the framework with mental images, called “Pillars”. These columns hold up the effective-efficient continuum, and I trust and believe that cyber resilience will become par for the course in the digital world.

I’ll say it again. The NIST CSF is formalizing what you’ve done for years. When you reflect on your own cyber programs and recall what happens in your daily life, you’ll notice how this is not new for you.

There is nothing to fear. Nothing.

This closes out Josh's deep-dive on the NIST Cybersecurity Framework. To read the full series, check out the previous posts:

  1. How to Use the NIST Cybersecurity Framework
  2. First: See Everything
  3. Second: Build a Moat
  4. Second: Build a Moat, Part 2
  5. Third: Go Looking for Trouble
  6. Fourth: Adopt a Bias to Action


You can also get a quick summary in our infographic. And, gain further insight from our recent webcast Nailing It! 5 Ways to Win with the NIST Cybersecurity Framework with Josh Mayfield and Forrester analyst Renee Murphy.
