The threat landscape has evolved, the attack surface has mutated, and everywhere you look the cybersecurity skills shortage leaves more to do than there are people to do it. One way to push back on these pressures is to adopt a cybersecurity framework (CSF).
There are two clear benefits for security teams using CSFs:
In the U.S., the National Institute of Standards and Technology (NIST) was tasked with crafting a repeatable framework for cybersecurity (NIST CSF), which they did in 2014. When President Obama signed the Cybersecurity Act of 2015, NIST was delegated to support companies looking to adopt formal security disciplines and scale their cybersecurity operations. The method has since seen wide acceptance and has been supported by the Trump Administration.
The NIST CSF makes use of specific actions that organizations can perform to see success in their cybersecurity programs. Think of this as a blueprint to a building: follow the architect’s plans and you’ll have a well-engineered structure. This blueprint mentality is helpful for diverse companies that have different needs, users, data, and markets. A retailer doesn’t look much like an airline, nor does a manufacturer have the same concerns as a bank. However, by focusing on the cybersecurity actions, NIST CSF can be flexibly deployed regardless of the setting or industry. It’s the verbs that make a difference.
The NIST CSF calls on organizations to pinpoint data and the devices that store, transmit, and process information. This translates into an inventory of both hardware and software that play host to data processing and storage. Beyond the mere catalog of hardware and software, NIST CSF requires putting a finger on vulnerabilities in the environment. This is essential to any cybersecurity success. Vulnerabilities put data at risk, because where there is weakness there is opportunity; specifically, opportunity for exploitation.
The NIST CSF requires that organizations take proactive steps to ensure data is protected and that risky assets are thoroughly managed throughout their lifecycle. Special attention is given to removal, transfers, and disposition of assets and data. That’s a compliance-writer’s way of saying, “Manage the lifecycle, cradle to grave.” Once your environment’s inner pockets and corners have been brought into the light (identified), security teams must protect that data: build a moat. This is where folk wisdom has traditionally led our security programs into jeopardy: “We have a firewall. Our data is protected.” Unfortunately, the headlines alone show what happens with this false sense of security. We will explore this hobgoblin of human intuition in our later blog on data protection under NIST CSF.
The third pillar of the NIST CSF pushes organizations out of a cozy comfort zone. I cannot begin to count how many conversations I’ve had with cybersecurity leaders who are positively phobic about looking for failures in their environment: “If we find something, that could mean that all the time, money, and effort we’ve spent was for nothing.” But if recent events have taught us nothing else, they illustrate that our best efforts to protect data can be upended by changing circumstances, user blunders, and tenacious cybercriminals. Notice how none of these factors indicts your security program; quite the opposite. These threats do not arise from faulty or ineffective security, but from changes in circumstance. Since we live in a world that refuses to quit moving, we can expect change at every turn. With this expectation in hand, we can use specific techniques to spot trouble before disaster strikes.
Responding to vulnerabilities and threats tends to look like a fire drill. The NIST CSF helps to rationalize your response to bring order to the madness. For many cybersecurity pros, this is the sticking point of any security program, because it is where folk wisdom becomes so enticing. However, when you follow the NIST CSF response guidelines, you will become better equipped to enhance your bias to action with specific, pointed steps to ensure speed and accuracy. In an upcoming post, we’ll examine these steps and show the difference between your response to exposure and your response to compromise.
Finally, NIST CSF drives security teams to swiftly recover when bad things happen. It is vital to understand that recovery is much more than returning to the pre-compromise state. Instead, the NIST CSF pushes security teams to iterate by questioning assumptions, changing security controls, and taking our new knowledge of what can happen to influence cybersecurity decisions. This introspection is a key component of the NIST CSF, and you can see it throughout the framework: don’t assume, ask questions, base decisions on facts rather than intuition. We’ll take a closer look at recovery after a security incident, how communication flows, and what practical adjustments can lead to stronger resilience.
Putting the NIST CSF in place can be stressful – it’s easy to fear what we don’t understand. But with careful, deliberate, and specific actions, implementing this cybersecurity framework can mean success.
You’ve been doing this for years - you’ve paid your dues with mistakes and errors, you’ve stamped out threats before they became breaches, and you can fix vulnerabilities in your sleep. Literally. Sometimes the middle of the night is the only open window to perform patches. This is not new for experienced cybersecurity pros. It is foundational to the craft, the art, and the science of security operations.
Editor's Note: To learn more about the NIST Cybersecurity Framework and how to use it for improved security, join the webinar Nailing it! 5 Ways to Win with the NIST Cybersecurity Framework. Josh will be joined by Forrester analyst, Renee Murphy.