NIST updates bring a common cyber security language to more users with enhanced risk management.

The world’s leading cyber security guidance is getting its first major update since it was released nearly ten years ago. The National Institute of Standards and Technology (NIST) has used community feedback to update its widely used cyber security framework so that it benefits sectors beyond critical infrastructure.

As more critical infrastructure moved online, the White House recognized the need to establish a framework to help businesses protect the digital infrastructure essential to the American public. Since its inception in 2014, the NIST Cybersecurity Framework (CSF) has been downloaded more than two million times by users across more than 185 countries and translated into at least nine languages.

While the NIST CSF is fluid enough to fit the requirements of different industries, SecurityGate’s assessment tool remains flexible in navigating this framework and assessing where your business is on its cyber security journey. 

A more mature approach

NIST has traditionally categorized security controls across five areas that cover the entire lifecycle of cybersecurity-related incidents: identify, protect, detect, respond, and recover. In the update, NIST has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cyber security strategy. 

Governance is sorely needed; its addition shows how the framework has grown from a compliance model to a maturity model with the introduction of CMMI tiers for implementation. It is one thing to put a control in place but another to put policies around it, manage it, log it, and ensure it is communicated throughout the organization.

In a compliance approach, organizations check off “yes” if they have a control or “no” if they don’t. However, many practitioners do not equate compliance with security. It’s not just about getting to the results but what you do with that information. For example, completing an assessment against a given standard like CSF can tell you that you have 50 controls in place and another 50 that are not. But what does that mean for how well you are managing risk? What is the impact, and how much will the remaining controls cost? How do you build a roadmap to improvement? What level of maturity is the baseline? With the introduction of CMMI levels, organizations can now design a path to improving over time based on the level of maturity they want to achieve.

The remarkable thing about the NIST CSF standard is that you can choose a compliance approach or a maturity model. Some organizations just beginning their cyber security risk reduction journey can start with a compliance approach to quickly assess an environment to a shorter set of requirements to develop a baseline understanding of where they are and where they need to spend time taking a deeper dive next. Organizations that have taken multiple NIST assessments and have a program, leadership, and mandates in place can continue to use CSF to assess the level of their maturity in each control, accelerating through closing gaps and reducing risk.  

This allows your organization to actually measure the effectiveness of what is in place and what it still needs to fix and control. The transition from compliance to maturity can help satisfy security practitioners by providing a deeper look at the state of the organization’s cyber security.

If you are thinking about implementing NIST CSF or planning to upgrade to the new framework, we’re here to help. The SecurityGate Platform provides a common control language to systematically manage cyber security risk across sectors and between technical and nontechnical staff, while allowing organizations to tailor the framework to meet their needs. Beyond the initial CSF framework’s core focus sectors, adoption in critical infrastructure such as oil and gas, utilities, chemical, and manufacturing has become the standard for baselining and initial alignment.

Even if your sector is not regulated by NIST, client and internal requirements increasingly drive organizations to take the assessment to avoid irrevocable outcomes from potential hacks. Voluntarily taking the assessment is recommended to locate your cyber risks. SecurityGate makes it quick and easy, decreasing the time needed to perform a NIST CSF assessment from weeks to hours. Identify your current risk posture and then improve it, helping protect your business, your partners, and the critical infrastructure industry as a whole.

Learn more about SecurityGate’s NIST CSF assessment tool here.

Cherise Esparza

Cherise is the Co-Founder and President of SecurityGate. A cybersecurity expert who has managed a number of CSOCs, Cherise led an implementation across a network of offshore drilling rigs to obtain the first Achilles Practice Certification for a global fleet.
