5 Tips For Understanding the NIST Cybersecurity Framework


The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has become an essential resource for businesses that are developing an organization-wide cybersecurity program. Organizations of any size can apply its guidance, which is recognized globally as a “best practice”.

Cybersecurity risk is a given that every business must face. According to Varonis, businesses lose an average of $3.9M per cyber attack. A single attack may paralyze business operations, damage stakeholder confidence and even close the affected business.

NIST developed the Cybersecurity Framework to support organizations responding to a growing cyber threat. Gartner Research projects that by the end of 2020, nearly 50% of U.S. organizations will use the NIST Cybersecurity Framework. The framework was originally intended for critical infrastructure, but its global adoption by numerous organizations is an indicator of its trusted reputation.

TIP #1 Benefits organisations of all sizes

When it comes to cybersecurity solutions, the NIST Cybersecurity Framework (CSF) is an excellent resource for developing a new cybersecurity program or bolstering an already existing program. It is designed to assist organisations of all sizes in identifying risk and developing mitigation and response capabilities.

While the framework is driven by outcomes, it does not prescribe how an entity must achieve them, which allows it to scale. Smaller organisations benefit from putting the framework into operation in a modular fashion, creating a road-map that is “fit for purpose”.

TIP #2 Delivers best practice

The NIST CSF addresses the lack of cybersecurity standards by providing a high-level taxonomy of cybersecurity outcomes and a methodology for measuring and managing those outcomes.

For a business owner who is inundated with the complexities of cybersecurity and faced with a large number of cybersecurity solutions, this is of great value. Cybersecurity is a young industry with large variances in how companies use technology, processes, access control and other security controls to reduce the risk of cyberattacks. Prevalent attacks include ransomware and other malware, business email compromise, man-in-the-middle attacks, phishing and spear phishing, email spoofing, domain hijacking and data breaches. The framework is structured to help companies benefit from good practice rather than fixating on technology solutions alone.

TIP #3 Conquers the communication gap

Today, for many senior executives, cybersecurity jargon can feel like hieroglyphics: a mysterious language that requires translation. Peter Drucker said: “If you can’t measure it, you can’t improve it.” In other words, if you cannot measure something and know the results, you cannot get better at it. There is a pressing need to translate cybersecurity assessments, IT metrics and information security into the common language of risk management. Assessing the efficacy of an organization’s security procedures sometimes falls short of how more established risks, such as credit and business risk, are measured. Not surprisingly, cyber risk, being complex, high-velocity and rapidly changing, does not lend itself to the conventional metrics that company executives and board members usually rely on.

TIP #4 Facilitates the compliance journey

Organisations adopting the framework are better equipped to amend policies and rules and to meet the requirements of emerging legislation. The security requirements of privacy legislation such as POPIA and GDPR can be met by using the CSF as their basis.

A major challenge for many CISOs and security leaders is the growing set of privacy-legislation requirements across industries and geographies. The NIST CSF is a credible framework for developing and iterating a cybersecurity management system that prepares for emerging requirements as well as current regulations and their updates.

TIP #5 Addresses supply chain cyber risk

As organisations and their partners become more interconnected, the cybersecurity risks of one party put all involved parties at risk. Even organisations protected by sophisticated security tools have no certainty that their suppliers have the same level of protection.

Supply chains are a weak link for cybersecurity because an organisation does not always control the security measures its supply chain partners take. This gives cybercriminals an incentive to target an enterprise by first infiltrating one of its supply chain partners.

To get an understanding of the CSF in 4 minutes, check out the video.

So there you have it. These tips may assist you on your journey. Let us know what you think in the comments below.

(ISC)² Gauteng Chapter