Excellence, then, is not an act!

It’s a saying that has been attributed to Aristotle and an American pro football player, but it was probably penned by author Will Durant: “Excellence, then, is not an act, but a habit.”  Whoever wrote it first, it’s a sentiment worth remembering and since the use of cyber security controls and frameworks should be a habit of excellence, we’ll use the quote to introduce this week’s post. 

In this post, we’ll talk about the NIST CSF v2, and show you that managing cyber security risk need not be like trying to juggle flaming chainsaws while riding a unicycle under the big top, and we’ll explain how you can use the NIST CSF 2.0 to ensure a comprehensive approach when identifying, assessing, and managing your organisation’s risks.

And to keep it light, we’ll pretend we’re at the circus!

So are you ready for the wonders of the new, one-of-a-kind NIST Cyber Security Framework?  When it comes to managing your organisation’s cyber risks, CSF v2.0 is the hottest show in town! You there, yes you! The one with SME business! And you, there, yes, you in the background, the one tasked with corporate risk management!  Come one, come all, and gasp in awe and wonder at the marvels of the new NIST CSF!

A little background

Fun fact: The first version of the CSF (it’s full title is, “Framework for Improving Critical Infrastructure Cybersecurity”) was published 10 years ago, in response to an Executive Order from then-President (US) Obama, for the establishment of a cybersecurity framework to help protect US critical infrastructure.

So, what’s the deal with this shiny new version?  Well, in summary, it’s a framework for today’s organisations.  Recognising that breaches will often happen despite controls, the CSF v2.0 places a stronger emphasis on cybersecurity resilience. The new version also addresses emerging technological trends and cybersecurity challenges, such as supply chain risk management and cloud computing security, and it is suitable for organisations outside the critical infrastructure sector. And finally, v2.0 also enhances guidance on how to use the framework for self-assessment and continuous improvement in cybersecurity practices.

In short, the CSF v2.0 provides the flexibility that is needed to allow organisations (irrespective of industry, size and maturity) to understand cyber threats, baseline their current cybersecurity posture, set goals for improvement, and communicate their maturity-improvement progress to stakeholders.  

Step right up!

Build your own ride with the CSF

At the heart of the CSF 2.0 lies the CSF Core, a veritable panoply of cyber security outcomes organised into a hierarchy of functions, categories, and subcategories. 

Let’s look at functions, first since they are the main act for everything from establishing a risk management strategy to identifying risks, implementing safeguards, detecting incidents, responding to threats, and recovering from impacts.

Appearing for the first time in v2.0, the “Govern” function is new to the CSF lineup and it’s included to emphasise the importance of aligning cyber security policies, processes, and strategies with the organisation’s overall goals and regulatory requirements.  In our circus analogy, the Govern function is your ring master, ensuring that cyber security considerations are integrated into decision-making processes and that there is a continuous evaluation of cyber security policies and practices against evolving risks and threats.

The other five functions that appear in v2.0 equally important to the success of the show but they were also in earlier versions, so we’ll mention them just briefly here:

  • Identify – Develop an organisational understanding to manage cyber security risk to systems, assets, data, and capabilities.

  • Protect – Implement safeguards to ensure delivery of critical infrastructure services.

  • Detect – Implement appropriate activities to identify the occurrence of a cyber security event.

  • Respond – Take action regarding a detected cyber security incident.

  • Recover – Maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident.

Diving deeper into the CSF 2.0 Core, we encounter Categories and Subcategories.

Categories (such as “Access Control” or “Data Security”) are overarching groups of cyber security outcomes and practices, while Subcategories break down the Categories into more specific objectives.

Subcategories provide a finer level of granularity and offer guidance on specific outcomes or practices that should be achieved to enhance an organisation’s cyber security posture. Examples of Subcategories within the “Access Control (AC)” Category include:

– AC-1: Implement least privilege access controls to limit access to authorised users.

– AC-2: Manage the use of privileged accounts through secure authentication and monitoring.

Like our circus contortionist, Subcategories deliver the flexibility that allows an organisation to pinpoint exact areas of focus within a Category, ensuring that no part of their cyber security posture is too rigid or overstuffed to adapt to new threats.

Profiles and tiers: Tailoring the CSF

As every great performer knows, it’s important to play to the audience and there’s nothing like experience to improve your skills. And that is why (more or less!) the CSF v2.0 introduces Profiles and Tiers, allowing you to customise your use of the CSF and meet your organisation’s specific needs and desires.
  • Profiles in the CSF 2.0 bring customisation and the ability for organisations to tailor their cyber security framework in a way that aligns with their specific operational goals, risk appetite, and regulatory requirements. An organisation can select a profile that best matches its current cyber security posture and desired outcomes.

  • Tiers in the CSF 2.0 bring scalability and efficiency, and provide a mechanism for organisations to gauge their level of cyber security maturity and readiness. Tiers offer a structured approach for organisations that want to progress from basic to advanced levels of cyber security maturity in a systematic and efficient manner.

By leveraging Profiles and Tiers, organisations  can ensure that their cyber security measures are not only tailored to their specific needs but also capable of evolving and adapting over time

Not my circus; not my monkeys!

We sometimes see security controls deployed as part of a chaotic juggling act that is choreographed (albeit with good intentions) by sales pitches and gut feelings, and the results of that approach are likely to be expensive, ineffective and time consuming. That need not be the case however because the CSF allows you to instead adopt a risk-based prioritisation of requirements-oriented controls, as easy as 1-2-3…   Okay, maybe a few more steps, but you get the idea!

  • Implementing the NIST CSF starts with creating a Current Profile, which assesses your organisation’s existing cyber security measures and how they align with CSF outcomes. This step identifies your current cyber security status and highlights areas for improvement.

  • Next, develop a Target Profile, outlining the desired cyber security outcomes based on your organisation’s specific risks, requirements, and objectives. This serves as a strategic guide for enhancing cyber security practices.

  • Perform a gap analysis to pinpoint discrepancies between your Current and Target Profiles. This analysis enables you to prioritise actions and allocate resources effectively to address critical gaps. Formulate an action plan detailing the steps, timelines, and responsibilities needed to achieve your cyber security goals.

  • Integrating your cyber security risk management with the organisation’s overall enterprise risk management (ERM) program is crucial. The NIST CSF 2.0 aligns with other risk management frameworks, facilitating a unified approach to managing cyber security as a component of broader business risks.

  • Ensure continuous communication about your cybersecurity progress, using the CSF’s structured approach for clarity. This aids in keeping stakeholders informed and aligned with the cybersecurity objectives.

Remember, implementing the CSF is a continuous effort that should evolve with your organisation. The CSF’s emphasis on understanding current risks, setting target goals, and measuring progress enables you to allocate resources more effectively and efficiently. This risk-based approach helps ensure that your cyber security efforts are focused on the most critical assets and vulnerabilities while demonstrating the value and impact of your cyber security investments to stakeholders. 

So, where to from here?

Don’t let the challenges of implementing the NIST CSF 2.0 turn into a circus! Instead, let DotSec’s team of experienced experts help, assisting you to assess your current cyber security posture, craft a tailored road map to achieve your desired security outcomes, and provide continuous support to close any gaps. 

To paraphrase the Ringling Bros., the CSF v2.0 has the potential to be the greatest cyber security framework on earth! And when it comes to implementation, with DotSec at your side you’ll have access to a comprehensive suite of cyber security services, from vulnerability assessments and penetration testing to incident response planning and security awareness training, ensuring your cyber security measures are as robust and effective as possible.

Our resources, including insightful blog posts on the latest trends and strategies in cyber security, are designed to keep you informed and prepared. 

Don’t walk the control-frameworks tightrope alone; give us a call so that we can be your safety net and help you to bask in the limelight of risk-management success.