The National Cybersecurity Framework from the National Institute of Standards and Technology (NIST) is getting a reboot.
What is it? Well, it’s officially known as The Framework for Improving Critical Infrastructure Cybersecurity, and it was first released in 2014 to provide a voluntary, flexible approach in “prioritizing investment and maximizing the impact of each dollar spent on cybersecurity.”
In layman’s terms, it’s a blueprint to help businesses effectively manage their cybersecurity risks.
Why does the update matter for you? It serves as further proof that effective cybersecurity plans are constantly evolving to protect critical infrastructure and manage cybersecurity-related risks. In this post, we’ll help you determine whether your own cybersecurity plan needs a refresh.
About the Cybersecurity Framework
Currently, 30% of small, medium, and large businesses across various sectors — including healthcare, finance, transportation and communications — are using the NIST Framework to:
- Manage cybersecurity risks in a prioritized, flexible, repeatable and cost-effective way.
- Share a common language to communicate about cybersecurity both inside and outside an organization.
- Move beyond a protect-only mindset to identify assets and risks and develop detection, response, and recovery plans customized to their business.
The framework is intended to guide individual organizations in different sectors in determining which activities are most important to assure critical operations and service delivery. Although its development was driven by a need to manage risk at companies critical to the nation’s infrastructure, the NIST framework has been implemented more widely by small and large, young and mature organizations as well.
It’s estimated as many as 50% of organizations in the U.S. will be employing the framework by 2020, according to the NIST. In fact, the framework is also in use internationally in the United Kingdom, Canada, Israel, and Malaysia.
The NIST Framework & You
As you may have discovered yourself, it’s not easy to change cybersecurity protocols and standards in an organization. It can be arduous work that takes months to complete and can involve hiring more personnel or addressing other budget demands to remain up to speed in a rapidly evolving environment. But, it’s one of those things where the real question is: can we afford not to do it?
The NIST framework’s customizable blueprint provides five focal points to help make implementing your cybersecurity plan a bit easier:
- Identify — develop an understanding of cybersecurity risks to systems, assets, data, and capabilities
- Protect — develop and implement safeguards to ensure delivery of critical infrastructure services
- Detect — enable timely discovery of cybersecurity events by developing and implementing activities to identify anomalies and events
- Respond — contain the impact with advance planning of action to take when a potential event is detected
- Recover — recover in a timely manner with plans for resilience and activities to restore capabilities and services already developed for implementation.
If you’re only addressing one of these areas, your cybersecurity plan needs an update!
Further, if only the IT department is working to enhance cybersecurity and they’re the only ones who are truly aware of real and potential threats, your plan isn’t doing all that it could be doing. A thorough cybersecurity plan will consider security requirements from the C-suite to individual operating units and even external stakeholders such as suppliers, services providers, and systems integrators.
Healthcare has the highest per record cost for lost or stolen sensitive data at $363/record. — IBM/Ponemon
Ultimately, your cybersecurity plan needs to be comprehensive to address the many moving pieces that have a role in addressing the need to Identify, Protect, Detect, Respond, and Recover.
Consider the following. Does your plan:
- Identify individual responsibilities related to cybersecurity along with chain of command?
- Address the need for ongoing training of all company employees?
- Outline the process for reporting possible events to support compliance with laws, regulations and industry standards?
- Implement control measures related to organizational asset and system access and the collection, disclosure, or use of personal information?
- Inform relevant third parties of the organization’s applicable privacy policies?
- Call for ongoing anomalous activity detection as well as continuous system and asset monitoring?
These prompts, derived from the framework, emphasize foundational components of an effective cybersecurity plan. If you answered “no,” to any of these, it’s time — you guessed it — to update your plan.
Only 38% of global organizations feel prepared to handle a sophisticated attack. Some 34% say they are not. — ISACA
The NIST framework also helps an organization gain a complete view of its current cybersecurity posture and gauge what would be involved in reaching a target status. Using prioritization and progress measurement tools, an organization can consider business drivers, risks, innovation, and cost-effectiveness to set objectives for where it wants to be as far as cybersecurity in the future.
If your cybersecurity plan is static, with little room to evolve as standards, guidelines, and practices do, you need an update. Being risk and threat aware isn’t enough — your organization’s cybersecurity plan needs to adapt.
The revised NIST framework is still only in draft form. Stakeholders are collaborating, following a May meeting, to incorporate suggested changes and address any comments related to the initial draft for a second release fall of 2017. The final version of Framework 1.1 is expected in 2018.
In the meantime, you might embrace the intention of the framework in reviewing your cybersecurity plan today. In establishing a cybersecurity program NIST suggests several important steps:
- Identify your business/mission objectives and priorities and particular business needs and risk tolerance. These will inform strategic decisions determining the scope of your cybersecurity improvements.
- Conduct a risk assessment to analyze the likelihood of an event and the potential impact an event would have on your organization.
- Determine, analyze, and prioritize gaps to enable cost-effective, targeted improvements supporting risk management.
- Seek to understand emerging risks and threats to gauge the likelihood of cybersecurity risks in your industry and for your particular organization.
This is where RedTeam Security can help.
We work with organizations of all sizes and across verticals to identify risks — to network, systems, or physical intrusions — analyze gaps and provide you with an action plan you can reasonably implement.
Plus, we don’t just tell you about the holes we find, we offer suggestions of how to plug those spots a bad actor might leverage (and our ideas are typically better than “sit around, wait and hope for the best”). Better still, we stick around long after our initial testing is complete to continually assess your improvements, and will provide retesting as needed to support your overall cybersecurity risk management. Get started by scheduling a time to chat with us today.