Should You Implement the NIST Cybersecurity Framework?
Anyone who has ever chosen a workout program likely started with the same goal—to improve their physical health or strength. But in exercise, different people will choose to address different things—some may opt for a comprehensive workout like CrossFit, some may choose martial arts, and others may choose Olympic weightlifting. No matter what approach you choose, you’ll improve your well-being.
In today's digital age, the “well-being” of your cybersecurity is more important than ever. Just like beginning an exercise program indicates proactive steps to improve individual health, organizations must also take proactive steps to protect their information and assets against an increasing number of cyber-attacks and data breaches.
Here, too, you have several options to choose from, and while you won’t be choosing between kickboxing and Pilates, you will need to choose the best and most effective approach to cybersecurity for your organization. As cybersecurity assessors for over two decades now, we are well-versed in many of your choices in security standards, and in this article we’re going to explain the benefits of one in particular—the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
This may or may not be the right approach for your organization, but after we explain what this framework does and how it can help, you’ll know for sure.
What is the NIST CSF?
Developed by NIST in response to Executive Order 13636, the NIST CSF provides a set of guidelines, best practices, and standards to improve your critical infrastructure so that you can better manage and reduce cybersecurity risk.
Taking a risk-based approach, the NIST CSF relies on five core functions—each function includes a set of categories and subcategories that provide more specific guidance on how to implement the function:
Identify
- Defining the current and desired states of your controls
- Creating a plan to achieve that desired state of your security

Protect
- Access management
- Personnel awareness and training
- Information security protection processes and procedures
- Maintenance

Detect
Intended to help you better recognize the occurrence of a cybersecurity event through the implementation of appropriate procedures—the faster you detect a breach or other cyber event, the faster you can move to limit the fallout. Necessary activities to implement include:
- Continuous monitoring
- Disclosure procedures
- Event analysis for future prevention

Respond
- Incident response planning
- Reporting and communications process
- Mitigation plan for vulnerabilities revealed after a breach

Recover
- Recovery planning
- Improvement of recovery procedures
- Table-top exercises for communication with relevant resources
You may have noticed a certain lack of specificity regarding controls—that’s because the NIST CSF is based on outcomes rather than controls. By addressing the functions in this completely voluntary framework, you can create a solid foundation for your cybersecurity that achieves the results you want.
5 Benefits of Implementing the NIST CSF at Your Organization
If the NIST CSF is voluntary, then why should you choose to implement it and use its guidelines?
In fact, as a standard for security, it can help your organization—no matter its size or line of business—in several important ways:
Comprehensive Approach to Cybersecurity
Because the NIST CSF covers all aspects of cybersecurity, from identifying assets and assessing risk to responding to incidents and recovering from them, you can ensure that you have a well-rounded and effective cybersecurity strategy in place if you follow the framework. Moreover, the NIST CSF’s approach to managing and reducing cybersecurity risk is presented in a helpful way that guides strategic decision-making by key members of your executive management team.

Flexible and Scalable
As it provides a common language and framework for cybersecurity that can be customized to your specific organizational requirements, the NIST CSF can be adapted to meet the needs of organizations of all sizes and in all industries.

Easier Compliance with Regulations and Standards
Many other cybersecurity regulations and standards, such as HIPAA, PCI DSS, System and Organization Controls (SOC) 2, and International Organization for Standardization (ISO) 27001, are aligned with the NIST CSF. By implementing the framework, you will be better positioned to meet any of those specific requirements that may apply to your organization and to demonstrate your compliance to regulators, auditors, and other stakeholders.

Improved Risk Management
The NIST CSF’s risk management approach allows you to prioritize your cybersecurity efforts based on the risks and vulnerabilities specific to your organization, helping you allocate resources more effectively and make more informed decisions about cybersecurity investments.

Enhanced Reputation and Competitive Advantage
By implementing the NIST CSF and creating a solid cybersecurity foundation, you can demonstrate to customers, partners, and stakeholders that you take the growing cybersecurity threat landscape seriously—this can enhance your reputation and increase trust in your products, services, and brand.
Once you implement the NIST CSF, you also have the option to have your efforts assessed by an outside third party. Investing further in this evaluation has its own benefits:
Can Help You Become More Cost-Effective
Because you’ll also receive guidance and feedback from experienced cybersecurity professionals, a NIST CSF assessment can help you:

A More Objective Assessment
Third-party assessments provide an objective evaluation of an organization's cybersecurity posture—as the assessor is not biased by internal company politics or other pressures, you, your customers, and your other stakeholders will feel further reassured.
Getting Started with the NIST CSF
Choosing a cybersecurity framework can be like choosing a workout—you have to go for the one that is going to serve your needs best, and that may mean using the NIST CSF. With its five-function approach, the NIST CSF provides a valuable resource for organizations looking to improve their cybersecurity posture. By following its guidelines and best practices, you can reduce your cybersecurity risk, more easily comply with other relevant regulations and standards, and enhance your reputation.
If you are interested in getting started with the NIST CSF, you first need to self-assess your current cybersecurity posture using the framework—that will help you identify areas for improvement and prioritize your efforts as you develop a cybersecurity plan that incorporates the framework's five core functions and relevant categories and subcategories.
In the meantime, our other resources can also help you strengthen your cybersecurity practices in different specific ways:
About JEFF SCHIESS
Jeff Schiess is a Managing Director with Schellman. Jeff is focused on governance, risk and compliance (GRC) assessments, including performing System and Organization Controls (SOC 1 and 2) reporting, Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) 27001, and NIST CSF assessments. Jeff has worked with Fortune 1000 and publicly traded companies across a wide range of industries, including Software-as-a-Service providers, cybersecurity services, data center hosting providers, financial services, insurance claims processing, and information technology.