Making Sense of the NIST CSF
Of course, the whole point of a Doomsday Machine is lost, if you keep it a secret!
The Framework for Improving Critical Infrastructure Cybersecurity (aka the NIST Cybersecurity Framework, aka the NIST CSF) offers security organizations a framework to build, manage, and measure their cybersecurity programs.
However, when reading the document, it can feel like the actual framework is a secret—much like Dr. Strangelove’s doomsday device. I don’t actually believe the framework is a secret, but there is a certain level of decoding that organizations need to do to understand how to apply the CSF.
But before I dig into how, let’s look at why the NIST CSF is even worth decoding in the first place. After all, your time is finite. Is it worth the effort to understand the CSF as a framework for your cybersecurity program? We think that it is.
As we’ve written previously, the NIST CSF can help security professionals overcome the three hurdles of security maturity reporting. These are: building a shared language with executives and the board of directors, facilitating complex cybersecurity conversations, and mapping cybersecurity assessment findings to cybersecurity roadmaps. It’s critical that security organizations overcome these challenges because boards and executives are becoming increasingly interested in cybersecurity planning and strategy. Once you have the Board’s attention, you need to present a cybersecurity assessment they’ll actually care about. That’s where the NIST CSF fits in.
OK, so let’s dig in. The NIST CSF is structured into four core elements:
- Five Functions
- Twenty-two Categories
- Ninety-eight Subcategories
- Numerous Informative References
The Functions and Categories are generally a grouping methodology. The Subcategories are described by NIST as “specific outcomes of technical and/or management activities.” It is excellent to know what outcomes an organization should look for from a cybersecurity program. However, if the desired outcome for a Subcategory is not being achieved, what activities should an organization start to perform or enhance to achieve that outcome? This information isn’t spelled out in the NIST CSF document. You need to dig into the Informative References.
The Informative References section includes references to a number of standards, guidelines, and practices, including the Center for Internet Security Critical Security Controls, COBIT, ISO 27001, and NIST SP 800-53. These resources are great tools that organizations can use while determining the cybersecurity controls and activities that will be the most beneficial to the organization’s cybersecurity posture. For example, NIST SP 800-53 contains over 700 cybersecurity controls and control enhancements that can be leveraged to meet the outcomes included in the NIST CSF Subcategories. That alone can be overwhelming—if you go it alone.
In order to assist organizations in building, managing, and measuring their cybersecurity programs with the NIST CSF, we have created the NIST CSF Edition on the Axio360 platform. The Axio360 platform enables organizations to evaluate their cybersecurity programs using the NIST CSF (as well as the Cybersecurity Capability Maturity Model (C2M2)). The NIST CSF Edition of the Axio360 platform contains direct linkage to the NIST SP 800-53 controls that correlate with the NIST CSF Subcategories, which allows users to quickly and easily dive deeper into areas and controls where additional information is required. Users are then able to use the Axio360 platform to create Action Items and Targets against which the organization can manage.
These resources on the Axio360 platform ensure that organizations are driving towards cybersecurity industry best practices and have the means to measure themselves against targets they can set for themselves.
By providing a framework for assessing and communicating the organization’s cybersecurity posture, the NIST CSF accomplishes several very important objectives. However, there is a gap when organizations look for guidance on shoring up their weaknesses. This is where the Axio360 platform comes into play. And we’d love to show you how.
Understand your cyber risk exposure as it relates to the business and in financial terms.
Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event. They simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.
Utilize a maturity-based cyber program management framework, such as the NIST CSF or the C2M2.
Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in an understandable manner. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often they produce a false sense of confidence once the checklist is complete and the compliance framework is met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.
Maintain the resources and financial ability to recover from a meaningful event.
At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much as possible, or all, of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and other losses. How do you get there? See Step One.
Because cyber risk is incredibly dynamic, and traditional means of risk management, such as complying with standards or achieving certifications, can only serve as a baseline, benchmarking and best-practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with, or more favorable than, that of your peers? Is your cyber program in line with, or more favorable than, that of your peers? Have you purchased an insurance program that is in line with, or more favorable than, that of your peers?
Put it all together and the Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”