What NIST’s Cybersecurity Framework is and why it matters

Practical advice to help you build a solid InfoSec plan

By Michelle Drolet, CEO, Towerwall

The risk of your business falling victim to cybercrime has never been higher. Despite a seemingly endless parade of high profile data breaches, ransomware attacks, and phishing scams, many organizations still lack the necessary defenses to identify, prevent, or recover from an attack. The trouble is that it has become increasingly easy for would-be attackers. Anyone can hire a botnet or buy off-the-shelf malware, complete with technical support. New mobile devices, along with the ever-expanding Internet of Things, offer a wide range of insecure access points.

Although 61% of CEOs are concerned about cybersecurity, only 37% have a cyber incident response plan in place, according to PwC research.

If you acknowledge the scale of the threat and want to act, you may wonder where to start. The National Institute of Standards and Technology (NIST) has compiled a document called the Cybersecurity Framework that’s just for you.

NIST’s Cybersecurity Framework Explained
The idea behind the Cybersecurity Framework is to encourage all kinds of organizations to pool their knowledge and work together. Originally envisioned by the U.S. government as a voluntary framework to keep critical infrastructure safe, these guidelines have since been adopted by a very wide range of different organizations from retail chains and banks to small businesses. It’s a comprehensive document that organizes best practices and security principles into a guide that’s constantly evolving to help you stay one step ahead of the cybercriminals.

“The NIST Cybersecurity Framework should be the cornerstone of your cybersecurity strategy,” says George Wrenn, CEO of CyberSaint. “It’s time to run cybersecurity as a business function with clear objectives and measures based on the gold standard national framework.”

Common standards for collaboration
At the heart of the Cybersecurity Framework is the idea of creating a common language. It should be easy for everyone to share their experiences, discuss new tactics, and sketch out new strategies. To that end, the framework offers a holistic set of reference points that are accessible enough for anyone to employ. Executives, IT departments, and InfoSec professionals can work together towards a common security goal.

One of the great things about NIST’s framework is that you can use it to take the temperature of your current cybersecurity efforts and immediately see if your strategy is healthy or if it needs some emergency treatment. The framework is a great base to help you establish new targets and identify areas that need improvement.

In just two years NIST’s Cybersecurity Framework reached 30% adoption and that’s set to grow to 50% by 2020, according to Gartner. The more organizations adopt the framework and share their successes and failures, the stronger the collective grows. Widespread adoption also sparks the creation of automated tools and processes.

Flexible approach you can measure
Because cybercriminals are constantly working on new avenues of attack, it’s vital to continually improve your defensive efforts. That’s why the constantly evolving framework takes a risk-based approach that’s focused on general principles.

The Framework Core addresses five functions: Identity, Protect, Detect, Respond, and Recover. This isn’t a list to tick off as you work through it, but rather a set of functions that should be continually and concurrently addressed for a healthy cybersecurity strategy.

There are four Framework Implementation Tiers that are designed to aid organizations in moving from general reactive responses to threats to a more risk-informed strategy. This involves careful consideration of probable threats, legal and regulatory requirements, organizational constraints, and business goals.

The incredibly useful Framework Profile enables companies to uncover the differences between their current approach and their target goals for security. Once fully configured, it can accommodate organizations goals for security balanced against their business needs and cost-effectiveness.

This is just a brief overview, but you can see that the framework is easily adaptable to any industry. It offers a real opportunity to gain a big picture of your cybersecurity efforts, work towards improving them, and assess your success as you go. The battle against cybercrime is more of a race. You can’t implement a set of security guidelines and be done, you need to be proactive and work with others to ensure you stay out in front and that’s exactly what NIST’s Cybersecurity Framework is all about.

About the Author
Michelle Drolet is CEO of Towerwall, a data security services provider in Framingham, MA with clients such as Becker College, Middlesex Savings Bank, and Smith & Wesson. She enjoys reseller partnerships with leading security vendors such as AlienVault, Sophos, Websense, Qualys, and others. She can be reached at [email protected] or online at www.towerwall.com.