Organizations can use the NIST Cybersecurity Framework, together with other information risk management tools, to build a robust cyber-resilient approach.
By Steve Durbin
Cyberspace is continuously evolving and presenting new opportunities. However, it also brings unexpected risks and inadvertent consequences that can have a negative impact on an organization, whether it is a Fortune 500 business or a mom and pop shop. With cyberspace so critical to every business function, from supply chain management to customer engagement, organizations need to be vigilant when it comes to cyber risks.
Understanding cyber risks is fundamental to being a trusted business. If organizations can’t maintain a trusted environment in which to communicate and interact with customers, their business could suffer or even collapse. These organizations are more likely to suffer embarrassing security incidents, as we’ve seen recently with data breaches at Target, Neiman Marcus and Home Depot, to name a few prominent examples.
Establishing your cybersecurity alone is not enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience in order to manage, respond and mitigate any damaging impacts of cyberspace activity.
Cyber resilience recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated cyberthreats. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyberattacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable cyberattack.
Understanding the NIST Cybersecurity Framework
As cybersecurity increasingly becomes a national security issue, governments are taking a more active role in defining responses to cyberthreats. In an initiative to response to an executive order issued by President Obama, the U.S. National Institute of Standards and Technology (NIST) has released the first version of its Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity.
The NIST Cybersecurity Framework comprises five functions of cybersecurity activity, with a strong focus on incident response. These functions are further divided into categories, which correspond to various domains of information security, and subcategories, which express various outcomes or control objectives within these domains. As a consequence, business executives are now asking, “Does our information security program align with the NIST Cybersecurity Framework?”
At the Information Security Forum (ISF), we recently created a mapping between the NIST Cybersecurity Framework and our Standard of Good Practice for Information Security (which we call "The Standard"), a respected resource that is already implemented by many global organizations. Now, our members can use the mapping to determine which of their current controls satisfy the corresponding control objectives in the NIST Cybersecurity Framework and thus demonstrate their alignment with it. The Standard extends well beyond the topics defined in the NIST framework to include coverage of essential and emerging topics such as information security governance, supply chain management, data privacy, cloud security, and mobile device security.
Although the NIST Cybersecurity Framework is voluntary, and intended as guidance rather than a formal standard, one of its development goals is to provide security practitioners with a common language for cybersecurity. This common language makes use of familiar topics in information security and clearly expressed control objectives within those topics. Using the NIST Cybersecurity Framework, together with The Standard and other information risk management tools, will enable organizations of all sizes to effectively demonstrate to your stakeholders the progress you have made in building a robust cyber-resilience approach. (To read an explanatory CIO Insight slideshow about the NIST framework, click here.)
Applying the NIST Cybersecurity Framework
In terms of how best to apply the NIST Cybersecurity Framework to an organization, it starts with assessing the business impact of any potential data breach or loss and then examining the realistic threats and vulnerabilities that might impact your business. It’s quite clear that cyberattacks are becoming more state-of-the-art and sophisticated. Unfortunately, while organizations develop new security mechanisms, cybercriminals are cultivating new techniques to sidestep them. Cyber risk is an ever-growing concern for businesses around the world, as data breaches at major retailers make headlines with increasing frequency and the mounting financial and reputational costs.
The NIST Cybersecurity Framework, as with other widely available risk assessment methodologies, provides a step-through guide and provides references to standards or best practices. For some organizations, a well-defined risk assessment approach may already exist. ISF members, who include leading corporations worldwide, along with a number of government agencies, have long been able to make use of The Standard and other risk assessment tools to identify, protect, detect, respond, and recover.
But what is increasingly important is that all organizations, irrespective of size, have access to an easy-to-use framework and guideline set that can be applied across vertical sectors to build-in increased resilience to cyberattacks, and can adopt ways of collaborating in cyberspace in an effective and managed fashion. The combination of the NIST Cybersecurity Framework and other information risk management resources, like The Standard, can provide organizations with such guidelines.
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
To read his previous CIO Insight article, "Three Things CIOs Should Know About Cyber-Security," click here.
This article was originally published on 10-08-2014