Developed over the past decade by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework has established itself as one of the gold standards for guiding how technology and security teams should respond to cyber incidents, especially attacks targeting critical infrastructure.
However, over the past decade, attacker tactics and techniques have changed, and a whole new set of threats has emerged that targets businesses and government agencies beyond what is considered critical infrastructure. In response to these changes, NIST worked to improve the framework. After two years of work, the agency has released the updated Cybersecurity Framework 2.0 (CSF 2.0), which includes new best practices and recommendations for technology and security professionals.
Although originally designed for critical infrastructure, the 2.0 version of the framework is intended to work with nearly any organization, regardless of size or market segment. It also incorporates and supports the Biden administration's National Cybersecurity Strategy announced in July 2023.
“Building on previous versions, CSF 2.0 is more than just one document. It can be customized over time as an organization's cybersecurity needs change and its capabilities evolve. It's about a set of resources that can be used together or combined,” said Laurie E. LoCascio, Under Secretary of Commerce for Standards and Technology and Director of NIST, in a February announcement.
For technology and security professionals, the CSF 2.0 release offers multiple ways to improve their skill sets by learning more about the framework. Understanding these basics gives technology professionals an opportunity to improve the security posture of their entire organization and prepares them for career advancement.
“NIST CSF 2.0 expands beyond critical infrastructure guidelines and highlights the fact that it targets any critical enterprise. It provides tools to a broader audience,” Andrew Harding, vice president of security strategy at Menlo Security, told Dice.
“The new framework and implementation guidelines will help teams think at a higher level than the latest alert. This will enable teams to discuss risk management and alarms,” Harding added. “This is especially true for teams that are focused on a single area and need to consider or collaborate with networks, endpoints, and browsers.”
Governance becomes more important
One of the most important aspects of the original Cybersecurity Framework is that it defines five core functions that help organizations address cyber threats and ultimately respond to them: Identify, Protect, Detect, Respond, and Recover.
The 2.0 version adds a sixth core function, Govern, to these. The focus on governance is intended to help organizations take a more holistic view of cybersecurity. CSF 2.0 shows how threats impact not only your IT infrastructure and data, but your entire business, especially through financial and reputational risks.
Cybersecurity experts noted that the addition of the Govern function is a fundamental change within the framework. It is also an area that technology and security professionals need to brush up on to better understand the changes introduced by NIST.
“In recent years, increased awareness of the risks that cyber incidents pose to organizations has pushed cyber to the forefront of business priorities,” said John Allen, Vice President of Cyber Risk and Compliance at Darktrace.
There are two sides to risk when it comes to cyber incidents. One is the likelihood of an incident occurring, and the other is the impact if it does occur, both of which are increasing, Allen added.
“Therefore, the governance function supports the inclusion of cybersecurity risks in broader organizational risk communications and the integration of cybersecurity risk management into broader enterprise risk management programs. The feature is a welcome and necessary addition,” Allen told Dice. “As the threat landscape evolves, new governance capabilities will be essential if organizations are to better manage the changing risks facing their businesses.”
Other experts believe that the addition of the Govern function changes not only the way IT and security teams interact with each other, but also the way they interact with the entire organization. This requires new approaches, including learning business functions and improving communication skills.
“The addition of 'governance' capabilities to NIST CSF 2.0 will help align cybersecurity efforts with the organization's mission, the expectations of various stakeholders, the laws that influence decisions related to managing cybersecurity risks, and regulatory and contractual requirements; there will be a greater emphasis on that alignment,” Jordan Tanks, Cyber Security Solutions Manager at Passlock, told Dice. “This involves identifying and communicating key objectives by stakeholders and ensuring that cybersecurity best practices are communicated from the lowest security teams all the way through the organization to high-level business decisions. This includes identifying capabilities and outcomes to drive all the way down to the management team.”
“A focus on governance also means security organizations need technical experts who are familiar with subject matter like risk management, asset management, and the technical nuances of emerging technologies,” said Chad Graham, CIRT manager at Critical Start.
“Teams need to deepen their understanding of governance frameworks, strengthen their technical skills for securing diverse platforms, and expand their scope to reflect the evolution of the framework to address the complexities of the modern cybersecurity environment. We need to develop a robust incident response capability that covers multiple scenarios,” Graham told Dice.
A new approach to cybersecurity
The CSF 2.0 document also includes many other improvements and advice that organizations can deploy to strengthen their cyber defenses. These include:
- A series of quick-start guides to address cyber issues and threats that organizations, including enterprises and small and medium-sized businesses (SMBs), can deploy on an as-needed basis.
- A focus on strategies for addressing and better managing security issues and deficiencies within the supply chain.
- Several new reference guides that point technology and security professionals to other NIST documents, along with tips and suggestions on how to communicate cyber issues and risks throughout the organization, including to executive decision makers.
All of these CSF updates have their own importance, but before adopting these basics, technology professionals should first assess their organization's cyber defenses, posture, and risks, said Ken Dunham, Director of Cyber Threats at the Qualys Threat Research Unit.
“The implementation of NIST CSF 2.0 will require a personal review of the changes to the framework and how it will impact the organization within various business units and processes, such as audit, SecOps, and risk and compliance teams. This is best done through a thorough business assessment and how best to implement the change. We are looking at when and how to manage the adoption of version 2.0,” Dunham told Dice. “This change management roadmap will address any linked dependencies or mappings with other frameworks that may be affected as an enterprise moves to version 2.0, as well as any compliance linked to existing controls. Governance also needs to be addressed.”
Menlo Security's Harding also noted the importance of conducting a security assessment to implement the new NIST framework.
“Teams should assess unaddressed gaps in their current systems and controls and strive to extend defense-in-depth to the last mile, even for hybrid work and unmanaged devices. CSF 2.0 is an important tool that requires teams to think about operating monitoring systems and performing analysis and response, as well as evaluating defenses and approaches that allow them to work more efficiently, especially from a browser security perspective.”
However, other experts believe that most organizations already have the necessary skill sets in place. The difference is how best to deal with more advanced threats, such as those within the supply chain.
“Many of the additions to CSF 2.0 were skills that security teams were already looking for or using, so there will likely be few significant changes to the skill sets that organizations are looking for in their cybersecurity team members,” said Richard Avilles, Senior Solutions Architect at DoControl. “The biggest change is that tighter oversight of supply chain threats has become more of a focus for organizations seeking to adopt or follow CSF. If you think about it, it's likely that organizations were already looking at this area.”