Managed service providers (MSPs), chief information security officers (CISOs), and IT professionals have long relied on the National Institute of Standards and Technology (NIST) for roadmaps and best practices in cybersecurity. The original NIST framework was first released in 2013, so a refresh was much needed.
“NIST was getting a little long in the tooth,” expressed Simon George, an independent cybersecurity specialist in Los Angeles. “NIST has largely been the roadmap for critical infrastructure. The upgrade expands NIST’s purview to include all verticals, not just critical ones. With this update, the local grocer or elementary school will find these as valuable as the nuclear plant.”
He also shared, “This update has provided specifics and much more guidance across many more verticals.”
NIST guidance has become more holistic overall. The draft of the updated NIST framework was published on August 8.
Perhaps the most significant change is the addition of another “pillar” to the NIST mission. NIST built its framework around five key components: identify, protect, detect, respond, and recover. Now they have added a sixth, which is the “govern” function.
According to NIST, this: “Covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk. It is ranking alongside legal, financial, and other risks as considerations for senior leadership.”
George stated that the latest pillar is an essential addition because it provides a framework for consistency in cybersecurity.
Establishing framework
The govern pillar establishes a framework for:
- Establishing and maintaining a cybersecurity risk management framework. “What NIST is trying to do here is ensure that entities are implementing appropriate measures to manage those risks,” said George, adding that all entities – with the help of MSPs – need to establish a continuous process for monitoring and reviewing the effectiveness of the risk management framework.
- Developing and implementing cybersecurity policies, procedures, and processes. “Cybersecurity needs to be part of any organization’s overall risk management strategy. It is no different than a retailer having processes and procedures to combat shoplifting. Cybersecurity needs to be treated as such a risk, and too many organizations still lag, but the refreshed NIST should help drive the point home,” George explains.
- Measuring and evaluating cybersecurity performance. This includes establishing metrics for measuring cybersecurity performance. “Too many organizations and, frankly, MSPs will put in protocols and protections and feel like they are done, but there needs to be constant evaluation to see how the processes are working,” George reports.
Empowering cybersecurity governance
Experts agree that the “govern” addition is crucial for a holistic cybersecurity strategy.
“It’s a big step. The addition of governance reflects the growing recognition that cybersecurity is a major source of enterprise risk and needs to be managed as such,” George says. He added that the new pillar provides organizations with a roadmap for establishing and maintaining a comprehensive cybersecurity governance program. This helps them mitigate risks, protect assets, and respond to incidents.
“What I like about it is that it can help organizations to improve their communication about cybersecurity risks and controls,” George asserted, adding that it can also help organizations to measure and evaluate their cybersecurity performance. There is also a growing body of cybersecurity regulations and standards that organizations must comply with, and aligning with the NIST standard makes navigating them easier.
“Overall, the ‘govern’ pillar of the NIST Cybersecurity Framework (CSF) is a valuable tool for organizations looking to improve their cybersecurity posture,” he said.
The NIST update should help organizations govern the current cybersecurity environment. It should also be flexible enough to evolve with cybersecurity needs over the years ahead.
In a press release, the framework’s lead developer said the following:
“With this update, we are trying to reflect current usage of the Cybersecurity Framework. We want to anticipate future usage as well,” said the framework’s lead developer, Cherilyn Pascoe.
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere, from schools and small businesses to local and foreign governments. We want to ensure that it is useful to all sectors, not just those designated as critical.”
Photo: A9 STUDIO / Shutterstock