The National Cybersecurity Framework from the National Institute of Standards and Technology (NIST) is getting a reboot.
What is it? Well, it's officially known as The Framework for Improving Critical Infrastructure Cybersecurity, and it was first released in 2014 to provide a voluntary, flexible approach in "prioritizing investment and maximizing the impact of each dollar spent on cybersecurity."
In layman's terms, it's a blueprint to help businesses effectively manage their cybersecurity risks.
Why does the update matter for you? It serves as further proof that effective cybersecurity plans are constantly evolving to protect critical infrastructure and manage cybersecurity-related risks. In this post, we'll help you determine whether your own cybersecurity plan needs a refresh.
Currently, 30% of small, medium, and large businesses across various sectors - including healthcare, finance, transportation and communications - are using the NIST Framework to:
The framework is intended to guide individual organizations in different sectors in determining which activities are most important to assure critical operations and service delivery. Although its development was driven by a need to manage risk at companies critical to the nation's infrastructure, the NIST framework has been implemented more widely by small and large, young and mature organizations as well.
It's estimated as many as 50% of organizations in the U.S. will be employing the framework by 2020, according to the NIST. In fact, the framework is also in use internationally in the United Kingdom, Canada, Israel, and Malaysia.
As you may have discovered yourself, it's not easy to change cybersecurity protocols and standards in an organization. It can be arduous work that takes months to complete and can involve hiring more personnel or addressing other budget demands to remain up to speed in a rapidly evolving environment. But, it's one of those things where the real question is: can we afford not to do it?
The NIST framework's customizable blueprint provides five focal points to help make implementing your cybersecurity plan a bit easier:
If you're only addressing one of these areas, your cybersecurity plan needs an update!
Further, if only the IT department is working to enhance cybersecurity and they're the only ones who are truly aware of real and potential threats, your plan isn't doing all that it could be doing. A thorough cybersecurity plan will consider security requirements from the C-suite to individual operating units and even external stakeholders such as suppliers, services providers, and systems integrators.
Healthcare has the highest per-record cost for lost or stolen sensitive data at $363/record. - IBM/Ponemon
Ultimately, your cybersecurity plan needs to be comprehensive to address the many moving pieces that have a role in addressing the need to Identify, Protect, Detect, Respond, and Recover.
Consider the following. Does your plan:
These prompts, derived from the framework, emphasize foundational components of an effective cybersecurity plan. If you answered "no," to any of these, it's time - you guessed it - to update your plan.
Only 38% of global organizations feel prepared to handle a sophisticated attack. Some 34% say they are not. - ISACA
The NIST framework also helps an organization gain a complete view of its current cybersecurity posture and gauge what would be involved in reaching a target status. Using prioritization and progress measurement tools, an organization can consider business drivers, risks, innovation, and cost-effectiveness to set objectives for where it wants to be as far as cybersecurity in the future.
If your cybersecurity plan is static, with little room to evolve as standards, guidelines, and practices do, you need an update. Being risk and threat aware isn't enough - your organization's cybersecurity plan needs to adapt.
The revised NIST framework is still only in draft form. Stakeholders are collaborating, following a May meeting, to incorporate suggested changes and address any comments related to the initial draft for a second release fall of 2017. The final version of Framework 1.1 is expected in 2018.
In the meantime, you might embrace the intention of the framework in reviewing your cybersecurity plan today. In establishing a cybersecurity program NIST suggests several important steps:
This is where RedTeam Security can help.
We work with organizations of all sizes and across verticals to identify risks - to network, systems, or physical intrusions - analyze gaps and provide you with an action plan you can reasonably implement.
Plus, we don't just tell you about the holes we find, we offer suggestions of how to plug those spots a bad actor might leverage (and our ideas are typically better than "sit around, wait and hope for the best"). Better still, we stick around long after our initial testing is complete to continually assess your improvements, and will provide retesting as needed to support your overall cybersecurity risk management. Get started by scheduling a time to chat with us today.