Learn What NIST’s Cybersecurity Framework Can Do For You

An invaluable roadmap for InfoSec management


The meteoric rise of cybercrime has caught many organizations unawares. Malware has spread from PCs to smartphones, phishing scams have grown more sophisticated, and ransomware is running rampant.

You can hire hackers and botnets, or buy cybercrime software, complete with technical support, all too easily. The rapidly expanding Internet of Things is woefully insecure, creating many more access points that can be exploited by hackers.

In the face of this growing threat, we need to find practical strategies that can be employed to mitigate risk and protect our data. One such strategy can be found in a National Institute of Standards and Technology (NIST) document called the Cybersecurity Framework.

What is NIST’s Cybersecurity Framework?

The product of extensive collaboration in the security industry, this document is a constantly evolving framework designed to help organizations strengthen their defenses, benefiting the entire community from state governments to banks to retail chains and beyond. It’s a comprehensive, flexible guide that presents important principles to help you build the necessary culture to stay ahead in the race against cybercriminals.

“The NIST Cybersecurity Framework should be the cornerstone of your cybersecurity strategy,” says George Wrenn, CEO of CyberSaint Security. “It’s time to run cybersecurity as a business function with clear goals and measures based on a national framework. You want the ability to communicate your posture to all your constituents.”

Establishing common standards

Because everything is interconnected, the framework’s architects recognized the need for a collaborative, holistic, and inclusive approach. The framework provides a common, accessible set of reference points for everyone from InfoSec professionals to executives across industries, helping to strengthen their cybersecurity strategies not just individually, but also collectively.

NIST’s framework ensures that everyone is speaking the same language, making it easier to share and discuss tactics, and to plan, deploy, and improve cybersecurity strategies.

Whether you’re establishing a cybersecurity program or you simply want to strengthen what you already have in place, NIST’s framework can help. By following it, organizations can get a clear view of the current state of their cybersecurity, establish targets, identify potential improvements, assess progress accurately, and communicate about cybersecurity risks both internally and externally.

Adoption reached 30% within two years, according to Gartner, and that’s expected to rise to 50% by 2020. Broad adoption furthers everyone’s understanding and fosters the creation of automated tools and processes to help companies quickly and effectively prove due diligence and compliance through their cybersecurity strategy.

Measuring your evolution

Just as cybercriminals evolve and develop new tactics to uncover fresh vectors of attack, our cybersecurity defenses should be agile and constantly improving. The framework is a risk-based approach that’s broken down into three parts. The depth of detail contained within is beyond the scope of this article, but here’s a brief overview:

The Framework Core focuses on five functions: Identify, Protect, Detect, Respond, and Recover. They can be adapted for any organization or situation. They’re not intended as a path to follow, but rather as a concurrent and continuous set of functions that can deliver a big picture view of the health of your cybersecurity strategy.

The Framework Implementation Tiers help organizations characterize their practices. There are four tiers, and selecting one requires careful consideration of risk management tactics, likely threats, legal and regulatory requirements, organizational constraints, and, of course, business goals. The idea is to help organizations progress from informal, reactive responses to threats toward practices that are agile and risk-informed.

The Framework Profile empowers organizations to identify opportunities for improvement by revealing the gaps between their current strategy and their target state. It can be configured to encompass security goals and priorities, tempered with business needs and cost-effectiveness.

Ultimately, the framework is flexible enough to cater for any industry, providing an effective way to establish a baseline, set goals for improvement, and continuously assess progress.

But there’s also recognition that the goalposts are constantly moving. Rather than setting a course for an endpoint, we need to continually ask the right questions and define strategies that adapt to meet perpetually changing threats. By being proactive in our risk management, we can stay one step ahead of the cybercriminals.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.

This article is published as part of the IDG Contributor Network.