As you can see, the CSF Framework Core Functions are commonly understood verbs, and each has a clear call to action associated with it. Thus, the Functions can set the stage for operative-level communications. Security professionals can align the organization’s security maturity roadmaps, metrics, programs, and initiatives with each of the five Functions.
In Hurdle #3, we will discuss how Axio360 natively supports the CSF Functions in both the CSF and C2M2 (DOE Cybersecurity Capability Maturity Model) dashboards.
Hurdle #2 – Facilitating Complex Cybersecurity Conversations
The second hurdle on our way to effective security maturity reporting is distilling complex, often multi-threaded, cybersecurity projects and initiatives into a form the board can follow.
Having established the CSF Framework Core as our common language, we can begin to communicate the successes and challenges of our cybersecurity programs through their respective Functions. A sampling of topics by CSF Function can be found in the table below.
As you can see, framing a cybersecurity discussion within the context of the CSF Functions provides context and clarity for every member of the board regardless of their technical knowledge.
Hurdle #3 – Mapping Cybersecurity Assessment Findings to Cybersecurity Roadmaps
The third, and probably most important, communication hurdle is being able to correlate recent cybersecurity assessment findings with security investment requests. No amount of improvement in communicating the what or the how of our cybersecurity program will compensate for an inability to communicate the why: why a security investment is needed, why a project is on the roadmap, and why one project takes priority over another.
CSF Functions are natively integrated into the Axio360 dashboard, so whether you are performing a CSF or a C2M2 assessment, you can talk about the organization’s security maturity directly in the language of the CSF.
Axio360 allows you to communicate workstreams, target profiles, mitigation projects, and security investments using the CSF Functions.
Bringing it all together: Connecting Security Maturity Reporting/Metrics and Cybersecurity Initiatives
Framing a conversation through the CSF Functions allows correlations between the Functions to be drawn, and understood, easily. For example, it allows you to say, “We lack a capability to Identify all of our assets (ID.AM). While we have robust applications and processes in place to Protect Access (PR.AC), those protections are only effective for our known assets. We are seeking a security investment to improve our ability to Identify organizational assets. Doing so will allow us to ensure that all assets are not only inventoried, but also have the appropriate controls in place to Protect access to them.”
Even better: the Axio360 platform does the work for you, correlating your organization’s security maturity roadmaps, metrics, programs, and initiatives with each of the five Functions. This has the power to transform how you communicate with senior leadership. Using Axio360’s native integration with the CSF Functions, you can now communicate a unified understanding of your organization’s cybersecurity posture.
1. NIST, pp. 6-8
2. NIST, p. 3
3. NIST, 2018, pp. 9-8
NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology.