As we all know, you can’t protect what you don’t know. That is why putting a framework in place to assess cybersecurity risk is one way that organizations can prepare to be resilient to cyber attackers. Recently, the National Institute of Standards and Technology (NIST) released the latest version of its “Framework for Improving Critical Infrastructure Cybersecurity.” The new version, identified as 1.1, highlights the importance of using a framework as part of a risk assessment and adds controls on supply chain management and identity management.
Why does a framework matter? Well, let’s take a step back to 2012. This was a time before Presidential Executive Order (EO) 13636 directed NIST to develop the framework; before countless workshops at universities across the country evaluated individual industries’ and organizations’ approaches to risk management; before the Cybersecurity Enhancement Act of 2014 reinforced NIST’s role; and before the eagerly awaited Version 1.1 of a cross-industry framework to manage cybersecurity risk. The intervening six years have seen the NIST Cybersecurity Framework do exactly what it set out to do—provide a framework for institutions across all industries to better understand cybersecurity. Boardrooms use the NIST CSF to understand their organization’s existing controls. The framework enables leadership to discuss the areas for investment needed to identify their systems and risk, protect their systems, detect events, respond to incidents and recover from those incidents. During these discussions, the investment focus is often first on identification of systems or data and the associated risk, followed by investment in the response and recovery plans for if/when an incident takes place.
Structuring board discussions to focus on cybersecurity risks is important for CISOs going forward, according to the latest Accenture Security report, 2018 State of Cyber Resilience. As C-suite executives and boards prepare their plans for a cyber-resilient business, they need help from a CISO who is both business adept and tech savvy. Using a framework can help, but how can organizations do more than simply highlight problems? Here are three suggestions:
Identify the risk environment. Use the framework to better understand the organization’s inherent risk, customizing it to identify important, unique risk factors. This opens up a strategic conversation and helps to align security, leadership and the board.
Align with regulatory expectations. Address specific industry priorities beyond what is covered in the NIST Cybersecurity Framework. For example, financial services firms build governance and oversight, as well as third-party risk management, into their security programs. Adding functions and controls can align the framework to regulatory expectations and offer a holistic view of risk.
Invest in key controls to enhance maturity. Focus funding to include a variety of risk assessment tools as part of the organization’s broader strategic planning. Identify areas where critical investments in controls or infrastructure will decrease the organization’s overall risk.
Bear in mind the framework is available to help, not hinder, security efforts—and, with the doubling of focused attacks in the last year alone, it could be a great way to help manage increasing risk.
Important note: The content in this blog is general in nature. It is not, and is not intended to be relied on as, advice. It should not replace the expertise of qualified professionals, and readers should seek advice specific to their organization’s needs, which may vary and require unique action.