By: Charles Owen-Jackson
June 20, 2020
What is the NIST cybersecurity framework, and why does it matter?
How alignment with the NIST cybersecurity framework can help protect your business
Barely a week goes by without a major cybersecurity incident making the headlines. But it’s the countless incidents targeting smaller businesses and individuals that tend to go unnoticed by the public at large.
For too long, businesses have taken a primarily reactive approach to cybersecurity threats. A good example is the widespread assumption that conventional antivirus programs are enough to protect you and your organization. But, much like a vaccine, these solutions can only work if someone gets infected first.
It’s time for businesses of every size and across every industry to rethink how they approach cybersecurity. It’s not something that can simply be tacked on as an afterthought, and people should not see it as a blocker to innovation or a necessary evil. Instead, it can become a core part of your value proposition: a driver of innovation that lets you grow your business and capitalize on new technologies without adding risk.
To make that happen, it’s important to understand that knowledge, and not technology itself, is the first line of defense. In other words, everyone in your organization needs to understand the risks and do their part to mitigate them.
How NIST sets the standards for good cybersecurity hygiene
In 2013, President Obama directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework that would be more relevant in today’s threat landscape. The first version was published in 2014.
Although voluntary, more than two thirds of US organizations consider the NIST cybersecurity framework the best practice to follow. It has also been translated into many other languages and has been widely adopted in several other countries, including Israel, Italy, and Japan.
Much like the cybersecurity landscape itself, the NIST framework is constantly evolving as it adapts to new demands. The current version, 1.1, was released in April 2018. As with previous iterations, it consists of standards, guidelines, and best practices to help organizations tackle cybersecurity risks proactively.
The framework consists of three key components:
The framework core outlines a set of best practices in a common language that’s easy to understand. This is critical, since cybersecurity is no longer exclusively the domain of the IT department. It’s everyone’s responsibility, and everyone has a role to play.
The framework implementation tiers provide context on how an organization manages risk. There are four tiers in total, with Tier 1 being the lowest. Organizations on the first tier have yet to implement any of the cybersecurity management techniques outlined in the framework core.
The framework profiles refer to the alignment of an organization’s operational priorities with its cybersecurity protocols. These profiles help identify and prioritize opportunities for improvement. As such, they constantly evolve to adapt to the changing threat landscape.
The cornerstone of any future-proof cybersecurity strategy
Cybersecurity risks can quickly overwhelm any organization, particularly when it comes to adopting new technologies and innovating at scale. Without a cohesive strategy that everyone on the team is aware of and familiar with, every new application, device, account, or cloud service adds another potential entry point for attackers.
Naturally, every organization has different needs and priorities. The cyberthreat landscape is never the same between one business and the next. Yet building up a robust cybersecurity program from scratch is rarely a viable or cost-effective solution. Before long, the costs and timescales involved get to the point where cybersecurity becomes a barrier to growth.
The NIST cybersecurity framework exists to make sure that doesn’t happen. It’s an important asset for any cybersecurity practitioner, thanks to its adaptability and flexibility. The framework also helps bridge the gap between business and technology by making it easier for cybersecurity experts to communicate their programs across the organization. This helps overcome the widely held belief that businesspeople and cybersecurity teams don’t speak the same language.
Driving a culture change across the organization
There’s undeniably a lot to learn to achieve alignment with NIST. But the great thing about the framework is that it’s not aimed exclusively at technologists. Instead, it’s a risk-based approach that corporate executives can immediately relate to. It also uses clear language to illustrate the challenges and solutions to less technical audiences. It’s built on the reality that cybersecurity is everyone’s responsibility. Considering that 93% of data breaches involve a social engineering attack, it couldn’t be clearer that everyone in the organization is a potential target, and everyone must be adequately trained to recognize the risks.
Achieving alignment with NIST is a long-term solution that drives a culture change throughout the organization – a privacy- and security-first corporate culture that fuels growth and reduces risk. As one of the most widely recognized industry standards, it also creates a ripple effect across vendor portfolios and supply chains. In other words, compliance with the framework becomes an important selling point. Vendors and clients are far more likely to do business with a company that can demonstrate a good cybersecurity posture.
Another benefit of adopting the framework is that it puts organizations in a better position to adapt to new and future digital security and privacy regulations. While voluntary, the framework itself serves as the foundation for many new regulations mandated at a national or state level. For example, the new 23 NYCRR 500 regulation, which applies to all financial services companies in New York State, is entirely based on NIST’s framework.
Who should enroll in NIST training?
Cybercrime is a growing threat on every front, and everyone is a potential target. Enrolling in a NIST training program is an effective solution for anyone who wants to further their career in technology. Business leaders can also make it an integral part of employee onboarding and skills retention programs and, in doing so, boost the overall risk maturity of their organizations. This will, in turn, increase profitability by creating a culture of trust and safely opening up new avenues for innovation in an age of constant change.