The NIST (National Institute of Standards and Technology) Cybersecurity Framework is a set of guidelines, voluntary for private companies and mandatory for government organizations, that helps an organization identify, detect, and respond to ever-evolving cybersecurity threats. The guidelines also help with preventing and recovering from cyber-attacks.
Left to themselves, companies each follow their own set of rules for tackling cybersecurity threats. The result is a wide gap in standards for how cyber threats are handled.
Different companies use different technologies, rules, and vocabularies to counter cyberattacks such as data theft, ransomware, and hacking.
This difference in how cybersecurity is implemented across companies makes it difficult to build a unified strategy against cyber threats.
Let’s take an example. Suppose there was a malware attack in your organization and you want to discuss it with a colleague in another organization, either to seek help in mitigating the attack or to warn them so they can watch for the same kind of attack in the future. If both organizations have NIST CSF in place, they share a common vocabulary, know what to do with the information, and can help each other out. Otherwise, the shared information is of limited use.
This is what makes implementing the NIST Cybersecurity Framework so important. With a unified strategy in place, companies across the country can share information and collectively reduce the risk of cyberattacks.
Seeing the common cyber threats that companies were facing, the Obama administration introduced the cybersecurity guidelines under the executive order. Later these guidelines were made mandatory for the federal agencies under the executive order signed by the previous president, Donald Trump.
For private sector businesses that generally don’t bid on government contracts, complying with the NIST standards is voluntary. However, given the benefits that come with implementing the framework, adopting it makes sense. Moreover, adopting the guidelines shows that you are committed to data protection and to developing strong security policies.
Read through this post and you will learn how CISOs can simplify the implementation of NIST CSF in their organization.
It defines the activities you need to carry out to achieve specific cybersecurity outcomes. It is divided into four elements.
The NIST Cybersecurity Framework has four implementation tiers. The tier gives you an idea of how closely your organization conforms to the framework: the higher the tier, the more compliant you are.
The NIST framework is so fundamental to online security that any organization that depends on computers should consider it.
You should use the NIST CSF if:
Well, see if the answer to any of the following questions is yes.
Implementing the framework is the job of your IT department; however, your employees must be trained to follow it. Business managers and the CISO must take ownership of seeing it through to completion and making sure it is done properly.
Now that you know that NIST CSF is for your organization, let us see what could be possible roadblocks to its implementation.
The major roadblock in the implementation has been the huge investment.
A survey of 338 IT and security professionals by Tenable Network Security found that 84% of organizations had implemented some kind of security framework.
The goal of the survey was to quantify security framework adoption.
Most organizations that implemented the NIST framework did so because of its best practices and because partners required it.
Per the report, the Information Technology industry ranked 2nd in terms of implementation.
Of the 16% of organizations that didn’t have an existing cybersecurity framework, 14% intended to adopt a NIST framework in the future.
“Historically, CISOs have been hesitant to take full advantage of the NIST Cybersecurity Framework because of a high investment requirement and a lack of regulatory mandate,” said Ron Gula, CEO, Tenable Network Security. “This is changing as organizations begin to shift their mindset from moment-in-time compliance with frameworks like PCI DSS to continuous conformance with the NIST Cybersecurity Framework.”
More than half of the respondents admitted that the level of investment has been the major roadblock in fully conforming to the framework.
“The NIST Cybersecurity Framework is one of the most thorough and reliable cybersecurity frameworks available, but it can be challenging for CISOs to conform to these standards all the time,” said Gula.
The best way to simplify implementation is to map your business objectives to NIST control families.
For example, if maintaining the integrity of your systems is your organization’s top priority, then starting with the SI (System and Information Integrity) controls would better match your organization’s needs.
Start with a subset of the control families and build your initial control list around the vital primary controls. That way, you can add control enhancements later, once your NIST CSF program is more mature.
Select the base framework controls using your existing profile, or select NIST SP 800-171, which covers 80% of the NIST CSF and requires 20% of the effort.
This significantly reduces the number of controls to be adopted up front and improves overall security, while leaving the path open to implementing the full NIST CSF with comparatively little additional effort.
Distribute your effort equally across all five functions of the NIST Cybersecurity Framework. This creates a balanced program.
As daunting as it may look, the benefits of implementing the NIST Cybersecurity Framework can’t be overlooked.
Especially in this pandemic era, where working from home has become the new normal, organizations are more exposed to cyber attacks than ever. Implementing this framework helps mitigate those risks.
It does require significant investment; however, the cost of a security breach is far higher. Per a report by IBM, the average cost of a breach rose to a whopping USD 4.24 million in 2021. That alone justifies the implementation.
Has your organization implemented the NIST Cybersecurity Framework already? If not, contact our cybersecurity expert to help you secure your organization’s online presence.