How Peers Are Putting the NIST Cybersecurity Framework to Work
The NIST Cybersecurity Framework (CSF) is used in different ways by different security professionals. In an ideal world, you’d address every issue raised by the framework, minimize every threat, and act on every recommendation. But Graham Taylor, manager of tech enablement at HiveWatch, says companies can be hesitant to do all of it at once.
“When talking with people about their cybersecurity, they can be standoffish,” he says. There can be a big expense involved in discussing, researching, establishing, and funding the many things that go into good cybersecurity protocols.
“I encourage people to start with where they’re most comfortable,” Taylor adds. “There’s a bias to action for what they’re most familiar with. So, do the low-hanging fruit first. If you’ve already got multi-factor authentication, make that a little better.”
Taylor says that a variety of companies in the cybersecurity market have done the work of gathering up best practices and distilling them into easy-to-read dashboards that spell out how your company compares to others in your industry, and why. The CSF gives upper management guidance on asking the right questions, and the work of setting and monitoring protocols and continually improving them can be facilitated with other tools. Other approaches to risk management focus on exploring how bad actors develop and carry out attacks against your organization, like MITRE’s Risk Matrix.
The CSF’s questions should also be asked regularly, Taylor says: “You want to check these cybersecurity policies you set at least annually. That takes time, but if your protocols are to tell Jim something, and he doesn’t work there anymore, you know you haven’t been adequately updating your policies.”
At BOK Financial, Chief Information Security and Privacy Officer Paul Tucker’s team uses a visual dashboard. The dashboard provider assesses BOK’s information and then provides a score based on a particular CSF Function.
The dashboard will “tell you where you might want to spend your money and resources to improve,” Tucker says.
Greg Gatzke at IT consultancy and managed services company ZAG Technical Services thinks checklists and dashboards aren’t the be-all, end-all, but they are helpful.
“Security is not a checklist, but a journey, a mindset,” Gatzke says. “But every journey can still use a checklist. It’s the first step in acknowledging you need to take the journey.”
Once an organization has asked the bigger questions from the framework, more detailed documents for cybersecurity-focused professionals (such as NIST’s SP 800-53, Revision 5 Crosswalk (Privacy Framework and Cybersecurity Framework)) might provide a deeper dive into much higher levels of privacy and cybersecurity compliance.
“But ask yourself and your managers, ‘Do you really need this level of security?’” Gatzke says.
Brendan Howard is host of the monthly podcast Security Management Highlights from ASIS International. He has been working in publishing and multimedia for nearly 25 years.