The NIST Cybersecurity Framework (CSF) provides a policy structure of computer security guidance to help private sector organizations in the United States assess and improve their ability to prevent, detect, and respond to cyber attacks.
So, you're an up-and-coming security leader tasked to set up a security framework that complies with NIST’s framework. Where do you begin?
First things first: get buy-in from top-level leadership and keep them engaged. “Develop and maintain relationships with senior managers and middle management,” advises Mark E.S. Bernard, an international cybersecurity consultant and senior security architect at Secure Knowledge Management, an IT security consultancy. “Maybe identify a sponsor for your cybersecurity project. Learn as much as you can about senior managers’ concerns. If you can help them address these issues so the board can stop asking them when will it be completed, you will begin to develop a sponsor or champion.”
Bernard suggests following these steps:
- As mentioned, secure top-level buy-in.
- Identify short-term quick wins; build upon them.
- Avoid appearing risk-averse with an aggressive approach; instead, find a solution and develop their confidence.
- Create a vision and strategic plan to build a framework and share it with them; it will help gain their confidence.
- Develop building blocks of your framework. These are the elements of design: assets in scope, risk assessment, governance committee, incident handling, post-breach risk containment and recovery plan, support of middle management and subject matter experts, communication skills, terms of reference for the governance committee, risk management policy, risk appetite, playbooks for all the most common threats and vulnerabilities, and a vulnerability management process.
A practical approach is critical. Having keen cybersecurity skills and certifications is also important. However, being savvy with key business skills and practices is just as crucial.
“The cybersecurity field is booming, and the gap between the supply of qualified professionals and the demand for their skills has grown exponentially,” notes Mark Thomas, president of eScoute Consulting, an IT consultancy. “Gaining certificates or certifications in the areas you are interested in is invaluable; but I also recommend some core leadership and management training in the areas of business analysis, process management, risk management, service management, and project management. One of the challenges leaders are having today in the cybersecurity space is that they are very keen on the technical details of cybersecurity controls, but have not honed their skills in the deployment and management of those controls.”
More specifically, Thomas emphasizes a few key areas of focus. These critical resources, he believes, are paramount:
- People skills and competencies
- Services, infrastructure, and applications
Framework Implementation: An Easy Endeavor?
It’s never easy. But it’s manageable with patience and careful pacing. “It’s not easy because NIST CSF drives the demand for mature security programs higher than most commercial enterprises are ready for,” says Bernard. “If you are in government, that adoption is not an option. The NIST CSF can be used to create policies, but policies should be based on a risk assessment, not a boilerplate installation or gap assessment. Less is more when it comes to policy; too much policy, and it will become shelfware.”
Ease of implementation is often a function of the corporate culture. Thomas says organizational culture is “architecture”: things like information, process, and technology, as well as organizational structures and people. He explains that the greatest challenges are three-fold:
- The ability to gain appropriate business support (although he sees this improving).
- A belief that there’s a concrete beginning and end to an implementation. Implementing according to the NIST framework is really more of an adoption; you’re never really done.
- Use of industry-tested frameworks as references (e.g., NIST, COBIT, ISO). Many companies do not use them, or do not use them enough.
Communicate Smartly, As You Go
At the core of implementation, however, is a need to communicate your efforts to top management as you go. Such communication is a delicate but important endeavor, because there may be some misunderstanding of what you’re actually trying to achieve in complying with the framework.
Bernard notes that it’s often necessary to clarify that implementing (or not implementing) cyber policy according to the framework is a compliance risk. “If you have an approved risk-management policy and appetite for this path, it may be easier to follow,” he says. “The Enterprise Risk Management Framework looks at five risk areas: strategic risk, financial risk, compliance risk, hazard risk, and operational risk. You need to use enterprise risk management to speak senior management’s language.”
But framing the implementation as a case of enterprise risk management does not mean inundating executives with jargon or scare tactics that may cause doubt and lose their confidence. Thomas explains that there are a few ways to communicate with upstream management:
“Organizations I’ve seen with the most successful cybersecurity programs clearly link the risk scenarios with business goals and processes,” he says. “This way, upstream management can have more accountability over decision-making and prioritization guidance when it comes to risk appetite and tolerance. As a business executive, if you can link the cybersecurity risks to how they might affect my ability to create value for my stakeholders, you have my attention.”
Bringing It All Together
A cyber framework that is both effective and compliant with NIST CSF needs to keep key points and issues front and center in establishing guidance that will succeed. Bernard hints that publicly broadcast threats can be exaggerated and sometimes turn off top management. He advises being practical and focusing on value.
“Demonstrate value to the organization in terms of protecting the organization’s reputation and customers’ information, as well as preventing unplanned expenses and regulatory audits,” he counsels. “Building the team starts after a program has been established with a governance committee. Conducting a skills gap assessment of the existing team will help guide the development of your team. Identify short-term wins to build on management’s confidence and gain their support for capital and resourcing. Develop a strategic business plan based on five-year tactical increments.”
Thomas says it comes down to focusing on information, technology, and security functions as service providers to the enterprise. Security is a service, so cybersecurity should be treated as a catalog of services, complete with enterprise service-level agreements. “Once you understand what services are offered to the business, then you can create reasonable service-level agreements that outline how those services are delivered,” he says. Thomas also suggests leveraging the NIST CSF and COBIT as central frameworks to determine the most applicable guidance from other bodies of knowledge.
Implementing a robust cybersecurity framework, in compliance with NIST, is a daunting task. “You cannot do this alone,” Thomas cautions. In conclusion, he advises, “Seek alignment with other areas of the business: risk, audit, IT, and supported business units through a thorough analysis of goals alignment; as always, leverage industry best practices.”