Using NIST CSF to Overcome the 3 Hurdles of Security Maturity Reporting
A key challenge for cybersecurity professionals is communicating their organization’s cybersecurity successes and challenges to senior leadership, each of whom is likely to have a different degree of technical understanding. However, finding a shared language—one that strikes a balance between ambiguity and complexity—is critical to an organization’s ability to form a unified understanding of its security maturity. Communicating without a shared language can result in frustration or, worse, a misrepresentation or misunderstanding of a critical cybersecurity challenge.
In this blog post I’ll discuss how the NIST Cybersecurity Framework’s (CSF) Framework Core can help you overcome the three hurdles of security maturity reporting. I’ll also demonstrate how the Axio360 Dashboard leverages the Framework Core to generate board-ready information graphics that enable cyber risk and security professionals to clearly communicate the security maturity of an organization.
Hurdle #1: Building a Shared Language
The first hurdle on our way to effective security maturity reporting is finding a shared language that enables unambiguous communication to technical and non-technical executives and board members. Thankfully, the CSF Framework Core[1] offers a solution for framing these nuanced cybersecurity conversations.
According to NIST, “The Framework Core consists of five concurrent and continuous Functions – Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.”[2]
In more detail, these five functions are:
The 5 Functions of the NIST CSF Framework Core
Identify: Develop an organizational understanding to manage cybersecurity risk to the systems, people, assets, data, and capabilities.
Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.[3]
As you can see, the CSF Framework Core Functions are commonly understood verbs, and each has a clear call to action associated with it. Thus, the Functions can set the stage for operative-level communications. Security professionals can align the organization’s security maturity roadmaps, metrics, programs, and initiatives with each of the five Functions.
In Hurdle #3 we will discuss how Axio360 natively supports the CSF Functions in both the CSF and C2M2 (DOE Cybersecurity Capability Maturity Model) Dashboards.
Hurdle #2: Facilitating Complex Cybersecurity Conversations
The second hurdle on our way to effective security maturity reporting is distilling complex, often multi-threaded, cybersecurity projects and initiatives.
Having established the CSF Framework Core as our common language, we can begin to communicate the successes and challenges of our cybersecurity programs through their respective Functions. A sampling of topics by CSF Function can be found in the table below.
As you can see, framing a cybersecurity discussion within the context of the CSF Functions provides context and clarity for every member of the board regardless of their technical knowledge.
Hurdle #3: Mapping Cybersecurity Assessment Findings to Cybersecurity Roadmaps
The third, and probably most important, communication hurdle is having the ability to correlate recent cybersecurity assessment findings to security investment requests. No amount of improvement in communicating the what or the how of our cybersecurity program will compensate for an inability to communicate the why: why a security investment is needed; why a project is on the roadmap; why one project takes priority over another.
CSF Functions are natively integrated into the Axio360 dashboard, so no matter if you are performing a CSF or C2M2 assessment, you have the ability to talk about the organization’s security maturity directly through the language of CSF.
Axio360 allows you to communicate workstreams, target profiles, mitigation projects, and security investments using the CSF Functions.
Bringing it all together: Connecting Security Maturity Reporting/Metrics and Cybersecurity Initiatives
Framing a conversation through the CSF Functions allows correlations between the Functions to be drawn, and understood, easily. For example, it allows you to say, “We lack a capability to Identify all of our assets (ID.AM). While we have robust applications and processes in place to Protect Access (PR.AC), those protections are only effective for our known assets. We are seeking a security investment to improve our ability to Identify organizational assets. Doing so will allow us to ensure that all assets are not only inventoried, but also have the appropriate controls in place to Protect access to them.”
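The roll-up behind a statement like the one above can be automated: assessment findings are scored per CSF subcategory, and the subcategory identifier itself (for example ID.AM-1) names the Function and Category it belongs to. The following is an added example, not code from the original post or from Axio360; it assumes a per-subcategory current and target score on a constructed 0–4 scale (an assumption of this example, not the CSF’s own scoring) and uses a handful of constructed findings to compute a Function-level gap that can be read straight into the Identify-versus-Protect narrative.

```python
import re
from collections import defaultdict
from statistics import mean

# CSF 1.1 Function prefixes as used in subcategory identifiers such as "ID.AM-1".
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Subcategory id: <Function>.<Category>-<number>, e.g. PR.AC-4.
SUBCAT_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")


def parse_subcategory(sub_id):
    """Split a CSF subcategory id into (function, category, number); reject malformed ids."""
    m = SUBCAT_RE.match(sub_id)
    if not m:
        raise ValueError(f"not a CSF 1.1 subcategory id: {sub_id!r}")
    func, cat, num = m.groups()
    return func, f"{func}.{cat}", int(num)


def roll_up(findings):
    """Average current and target scores per Function and compute the gap (target - current).

    Each finding is a dict with 'subcategory', 'current' and 'target' keys; scores are on the
    constructed 0-4 scale assumed by this example.
    """
    per_function = defaultdict(lambda: {"current": [], "target": []})
    for f in findings:
        func, _, _ = parse_subcategory(f["subcategory"])
        per_function[func]["current"].append(f["current"])
        per_function[func]["target"].append(f["target"])

    summary = {}
    for func, name in FUNCTIONS.items():   # keep the Identify..Recover order for reporting
        if func not in per_function:
            continue                        # Function not assessed: report nothing rather than 0
        cur = mean(per_function[func]["current"])
        tgt = mean(per_function[func]["target"])
        summary[name] = {
            "current": round(cur, 2),
            "target": round(tgt, 2),
            "gap": round(tgt - cur, 2),
        }
    return summary


def largest_gap(summary):
    """Name the Function with the widest gap between target and current maturity."""
    return max(summary, key=lambda name: summary[name]["gap"])


def report_lines(summary):
    """Render one plain line per Function, suitable for a board-level slide or dashboard."""
    return [
        f"{name}: current {v['current']}, target {v['target']}, gap {v['gap']}"
        for name, v in summary.items()
    ]


# Constructed sample findings (not real assessment data): assets are poorly inventoried
# (ID.AM) while access control (PR.AC) is close to target.
SAMPLE_FINDINGS = [
    {"subcategory": "ID.AM-1", "current": 1, "target": 4},
    {"subcategory": "ID.AM-2", "current": 1, "target": 4},
    {"subcategory": "PR.AC-1", "current": 3, "target": 4},
    {"subcategory": "PR.AC-4", "current": 4, "target": 4},
    {"subcategory": "DE.CM-1", "current": 2, "target": 3},
    {"subcategory": "RS.RP-1", "current": 2, "target": 3},
    {"subcategory": "RC.RP-1", "current": 1, "target": 3},
]

if __name__ == "__main__":
    summary = roll_up(SAMPLE_FINDINGS)
    for line in report_lines(summary):
        print(line)
    print("Largest gap:", largest_gap(summary))
```

Run stand-alone, the script prints one line per Function and names Identify as the widest gap, which is exactly the investment case the paragraph above makes in words. Because the parser rejects anything that is not a well-formed CSF subcategory id, a mislabelled finding fails loudly instead of silently landing in the wrong Function on the dashboard.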
Even better: The Axio360 platform does the work for you—correlating your organization’s security maturity roadmaps, metrics, programs, and initiatives, with each of the five Functions. This has the power to transform how you communicate to senior leadership. Using Axio360’s native integration with the CSF Functions, you now communicate a unified understanding of your organization’s cybersecurity posture.
[1] NIST, 2018, pp. 6-8
[2] NIST, 2018, p. 3
[3] NIST, 2018, pp. 9-8
NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology.