INTRODUCTION

“50% of American organizations are expected to have implemented the NIST CSF by 2020.” – Gartner IT research and NIST.

The NIST Cybersecurity Framework (CSF) gives organisations a core structure of five functions for improving their cybersecurity posture. It does not mandate requirements; rather, it is a voluntary set of best practices that has been adopted globally for years. The framework is designed to give organisations a practical way to govern their cybersecurity strategy. By implementing it, organisations can evaluate their exposure and their existing cybersecurity measures, and then take prioritised action to reduce risk. (The five-function core described in this article is that of CSF version 1.1; version 2.0, published in 2024, adds a sixth function, Govern, but the structure and use of the framework described below is otherwise unchanged.)

In this article, we will take a closer look at what the NIST CSF entails and how the five functions work together to enhance an organisation's cybersecurity.

The five functions form the basis of a successful and holistic cybersecurity programme and guide organisations in building a high-level cybersecurity risk management strategy. The Framework Core consists of the following functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The five core functions are not sequential steps; they operate concurrently and continuously. Together they form the foundation that supports every other element of the framework (its categories, subcategories and informative references) and make highly effective risk management possible.

THE FRAMEWORK

The NIST Cybersecurity Framework guides an organisation to better understand, manage and reduce its cybersecurity risk. It also helps define the activities that are crucial to assuring critical operations and service delivery. Moreover, the structure of the framework allows the organisation to prioritise its investment so that each budget is spent where it reduces the most risk. On top of that, the framework gives every member of the organisation a common language for discussing cybersecurity risk management, improving communication both inside and outside the organisation: clearer messaging, greater awareness and a shared understanding among all units involved. The framework can also be used to communicate cybersecurity expectations between a buyer and a supplier.

Furthermore, the framework can be used both by organisations that already have extensive cybersecurity programmes and by those that are only beginning to think about putting a cybersecurity management programme in place. The approach is applicable to every organisation, although how it is applied will differ depending on your current state and priorities.

Organisations use the framework in several ways. The most common practice is to use it as an aid to raise awareness and as a communication bridge with stakeholders within the organisation, including executive leadership. The framework also works as a guideline: an organisation maps its current management approaches to the framework's standards, guidelines and best practices to see where it stands. Some organisations also use it as a reference point to reconcile internal policy with legislation and regulation, and to assess the risks in their current practices.

TIERS

Framework implementation 'tiers' provide context on how an organisation views cybersecurity risk and the processes it has in place to manage that risk. The tiers describe the degree to which an organisation's risk management practices exhibit the characteristics defined in the framework, on a range from Tier 1 to Tier 4: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable) and Tier 4 (Adaptive). The progression runs from informal, reactive responses to approaches that are agile and risk-informed. Note that NIST does not present the tiers as maturity levels or as a score to maximise: an organisation should select the tier that matches its goals, its risk appetite and the resources it can realistically commit, and moving up a tier is only worthwhile where it reduces risk cost-effectively.

In conclusion, the framework is designed to provide guidance that is relevant to the organisation as a whole. Its value will not be realised if only the IT department uses it. The framework functions as a comprehensive due-diligence check on risk management, expressed in one language that can be adapted to the audience. Additionally, the function, category and subcategory levels of the framework connect the organisation's mission and business objectives with its IT and operational technology (OT) systems in one place. This drives the team towards accurate and meaningful communication across the whole organisation, built on a mutual understanding between every party.

If you have any inquiries regarding the NIST Cybersecurity Framework, please feel free to contact us via our chat or info@cybiant.com.