Simplify NIST Cybersecurity Framework Adoption

The risk of cyber-attack for all kinds of organizations and businesses has soared in recent years. Malware has spread like wildfire, botnets and cybercrime software tools are easily obtained, and phishing scams have grown increasingly sophisticated. In 2014, more than 2.8 million data records were breached every single day, according to the Breach Level Index.

It’s no coincidence that 2014 also saw the publication of a document called the Cybersecurity Framework, created by the National Institute of Standards and Technology (NIST). The NIST CSF was designed to bring together the brightest minds in cybersecurity and develop a common language and a practical set of best practices to combat the rising tide of cybercrime.

Adoption of this new gold-standard framework reached 30% within two years, according to Gartner, and it’s expected to rise to 50% by 2020. The NIST CSF is a great way to assess your security credentials, identify your risks, and establish effective strategies to tighten security, both internally and across the wider community. The framework has over 900 controls and can be a challenge to implement without a methodology and platform to assist both the initial rollout and the ongoing management reporting.  

Reducing Complexity
There’s little doubt that the NIST CSF is effective, but it’s also a complex framework that needs to be tailored to meet an organization’s risk reduction goals. When Dimensional Research surveyed 300 IT and security professionals in the US, it found that 64% of respondents using the NIST CSF reported that they were not using all the recommended controls, just some of them.

Also, 83% of organizations with plans to implement in the coming year reported an intention to adopt some, rather than all, the CSF controls. Selective adoption can yield results, if done properly, and can be a great starting point for organizations with limited resources. 

What’s required is a way to reduce the complexity and make the NIST CSF just a little more digestible for your organization. Below are some key concepts that can both simplify and accelerate your NIST CSF program.

How to Simplify Adoption 

Step #1 – Align NIST Program with Business Objectives
Map your objectives to the NIST control families. For example, if your organization requires “availability” of systems as the top priority, then starting with “Contingency Planning” (CP) controls is going to better align your program with your business objectives.

Step #2 – Focus on Foundational “Primary Controls” First
Start with a subset of the control families selected and limit your initial custom framework control list to the vital “Primary Controls.” This will save “Control Enhancements” for later, when your NIST CSF program is more mature. Control enhancements include details beyond the base control, such as frequency of testing, automation, and extensive documentation of the process surrounding the control. While important, these control enhancements only matter if the base control is already in place.  

Step #3 – Get the Low-Hanging Fruit by Implementing NIST SP 800-171
Select your base framework controls using an existing framework profile or selection such as the NIST SP 800-171, which covers more than 80% of the full NIST CSF but requires approximately 20% of the effort, significantly reducing the number of controls that need to be adopted. Similar to the 80/20 principle, this approach can greatly improve security with a fraction of the effort required to implement the full NIST CSF.

Step #4 – Balance the Five NIST CSF Phases
Distribute your effort equally across all five phases of the NIST CSF to create a balanced program.
If we follow the natural phases embodied in the NIST CSF, we can break the various stages down into smaller pieces that are easier to digest and implement.

  • Identify the risks to your systems, data, and other assets. You must be able to effectively prioritize your focus, fully understand governance, and carry out accurate risk assessments.
  • Protect your critical infrastructure by limiting access to assets, training employees, securing and validating data integrity, implementing protective procedures and systems, and scheduling regular maintenance.
  • Detect cybersecurity events that could be attacks. This means flagging anomalies, monitoring traffic and modeling regular noise so you can accurately identify anything suspicious. 
  • Respond when an event is detected. You need a clear response plan with a communication protocol and a fixed timeline. Responses should be analyzed, mitigation efforts tested, and all lessons learned used to make structural process improvements. 
  • Recover your vital services and capabilities after an attack as quickly as possible, so the impact to your organization is reduced. Solid recovery plans should be bolstered by a constantly evolving approach informed by events and strong communication links with relevant internal and external parties. 

If you’re stronger in one phase, then focus your efforts on one of your weaker phases. Do this until your program becomes balanced across the five framework phases.

Step #5 – Leverage the Entire Organization
Make NIST CSF adoption a team sport. Engage business units and other resources across your organization. Many of the framework’s controls can be assigned to business functions such as HR, finance, or IT. The security team doesn’t have to own every control.
