Imagine you're hosting a dinner party for friends. You go to the grocery store and buy the ingredients you need, but forget a crucial step: checking the expiration date. You mess up the recipe and end up cooking with vegetables and meat that are long past their expiration dates. You take one bite, realize your mistake, and have to consider the dish, and the time and money you spent on it, a complete waste. While it's not a dinner party, our digital systems could suffer a similar tragic fate if we don't properly develop, implement, and manage our cybersecurity strategy.
Think of cybersecurity practices and processes like a recipe. One mistake, like not inspecting a compromised vendor's software, is like mixing rotten ingredients. But instead of tossing it in the trash, you have to deal with the much more serious and costly consequences of a potential breach or attack. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 is designed to help companies of all sizes and industries avoid these miscalculations. So what do companies need to know about NIST CSF 2.0 before they step into the metaphorical kitchen?
First, businesses need to understand the context behind the CSF. In 2014, NIST released its first Cybersecurity Framework and four years later released version 1.1, which aims to provide an easy-to-understand guide for organizations to begin or strengthen their cybersecurity risk management strategy. Until recently, the CSF model included five interdependent functions: identify, protect, detect, respond, and recover. With threats constantly evolving, including attacks through third parties such as vendors, NIST recognized that organizations needed a new framework that refined and expanded cybersecurity best practices.
CSF 2.0 includes a sixth function, Governance, which “highlights that cybersecurity is a major source of enterprise risk,” similar to finance and reputation. In other words, companies need to view cybersecurity as a critical business function. The framework emphasizes that organizations should appoint a person or team to oversee and manage cybersecurity practices, preferably supported by trained cybersecurity professionals.
Take for example the expanded subsection dedicated to supply chain: The past few years have seen a surge in third-party breaches, affecting small, medium and large enterprises. The governance function is focused on helping companies put in place “systematic processes to manage exposure to cybersecurity risks across their supply chains” and develop the right response strategies, policies, processes and procedures. Proper due diligence allows companies to develop and manage third-party relationships with greater confidence.
Despite the added capabilities in CSF 2.0, the intent behind the framework remains the same. As NIST stated, “These capabilities are not intended to form a sequential path or achieve static objectives,” but instead “should be performed simultaneously and continuously to form an operational culture that addresses dynamic security risks.”
The CSF is not a rigid recipe, nor is it advertised as such. Ingredients (i.e. best practices) can be omitted or substituted. If you don't want ground beef in your dish, substitute a vegetarian alternative. Companies do not have to enforce the framework's protocols rigidly or overnight; it is a gradual process.
Ultimately, CSF 2.0 is a starting point. Organizations should gather, align, and implement best practices from the framework that address their vulnerabilities and align with their risk tolerance, operational requirements, and priorities. Using CSF 2.0 to continuously improve their cybersecurity posture will enable businesses to better manage risk and become more resilient.
Chris Wright: Sullivan Light Technologies is an Arkansas-based company that provides customized cybersecurity, IT and security compliance services. Opinions expressed are those of the author.