The NIST Cybersecurity Framework: what it is and why you should use it
The latest ‘RSA Cybersecurity Poverty Index’ – an annual maturity self-assessment completed by a variety of organisations all over the world – shows that 67% of organisations had incidents that negatively impacted their business in the last 12 months. Only 24% of those businesses were considered mature in their security strategy. That means that the chances of having incidents are very real, while companies are not able to improve maturity to reduce risks.
It’s high time for improvement. Companies need to get the basics right, but that alone is not sufficient. One of the most recent and pragmatic initiatives to support further improvement is the NIST Cybersecurity Framework (more on this in one of the next blog posts). It identifies and gives advice on the different phases of cybersecurity: Identify, Protect, Detect, Respond and Recover.
A made-to-measure solution
The NIST Framework is based upon various standards that have proven to be successful. While it targets organisations with critical infrastructure, businesses across nearly all industries can benefit from adoption.
The NIST Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity risk. Organisations will continue to have unique risks: different threats, vulnerabilities and risk tolerances. How they implement the practices laid out in the Framework will vary as well. Organisations can determine activities that are important to critical service delivery and prioritise investments to maximise the impact of every cent they spend. Ultimately, the Framework is aimed at managing and reducing cybersecurity risks.
A common taxonomy
Building from standards, guidelines and practices, the Framework provides a common mechanism for an organisation to:
- Describe the current cybersecurity posture;
- Describe the target state for cybersecurity;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
You see, the Framework provides you with risk-based guidelines. They are designed to help you evaluate your current capabilities and to create a plan toward improved cybersecurity practices.