The NIST Cybersecurity Framework: A Resilience Guidebook
For Organizations of All Shapes and Sizes
Cybersecurity can feel overwhelming when you see daily headlines about attacks and data breaches. It’s like staring up at a mountain, wondering where to even begin to climb. Where do you start? What do you need to know? 🤔
One of the best guidebooks to begin with is the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). This concise, 32-page guide, first released in 2014, has rapidly become the go-to resource for organizations looking to improve their cybersecurity posture. And for good reason: it's clear, comprehensive, free and remarkably effective.
I’ve found that it does a better job than anything that came before it of distilling all of the complexity of cybersecurity into just six functions, and of orienting cyber risk conversations beyond protection alone, toward resilience. This approach “improves risk management communication” between executives, managers and practitioners, as illustrated in figure 5.
Providing a common language and shared set of best practices that everyone can understand, from the boardroom (with 6 functions) to the front lines (with 22 categories of outcomes for managers and 106 subcategories for practitioners), fills a large communication void. This is crucial, because cybersecurity is not just a technical challenge, but a human one. Everyone has a role to play in keeping data and systems secure.
For your organization to demonstrate due diligence and due care in managing cyber risk, you can get started with these resources at nist.gov:
Download the Small Business Quick-Start Guide or full document
Create a CSF Profile using the provided spreadsheet template
Analyze gaps and develop a prioritized action plan
Repeat periodically to track progress, as illustrated in figure 3, Steps for creating and using a CSF Organizational Profile
You can drive meaningful cyber risk reduction by introducing a cadence of measuring current-state against desired-state capabilities across the six core functions of the framework:
Left of Boom (a security incident)
“IDENTIFY (ID): The organization’s current cybersecurity risks are understood”
“PROTECT (PR): Safeguards to manage the organization’s cybersecurity risks are used”
Right of Boom (it’s not a question of if, but when…)
“DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed”
“RESPOND (RS): Actions regarding a detected cybersecurity incident are taken”
“RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored”
Throughout
“GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored”
Within each function is a set of categories and subcategories that provide more specific guidance, as seen in figure 1, CSF Core structure.
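The profile steps above (build a CSF Profile, analyze gaps, prioritize, reassess on a cadence) are usually done in the NIST spreadsheet template; as an added illustration that is not part of the original post or of NIST's template, here is the same gap analysis in Python. The 0-4 capability scale, the risk weights and every score are constructed sample values; the subcategory IDs are a handful of CSF 2.0 identifiers used only as labels.

```python
from collections import defaultdict

# Function prefixes from the CSF Core (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")

# Constructed sample profile: subcategory ID -> (current, target, risk_weight).
# Scores use an assumed 0-4 capability scale; risk_weight (1-5) is how strongly
# the outcome bears on the organization's top cyber risks. All values are made up.
SAMPLE_PROFILE = {
    "GV.OC-01": (3, 4, 2),
    "ID.AM-01": (1, 4, 5),
    "PR.AA-01": (2, 4, 4),
    "DE.CM-01": (1, 3, 5),
    "RS.MA-01": (2, 3, 3),
    "RC.RP-01": (3, 3, 3),   # already at target: no gap
}

def function_of(subcategory):
    """'PR.AA-01' -> 'PR': the function a subcategory belongs to."""
    prefix = subcategory.split(".")[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF function prefix in {subcategory!r}")
    return prefix

def gap_analysis(profile):
    """Return [(subcategory, gap, priority)] for every outcome below target,
    highest priority first. priority = gap * risk_weight (assumed scoring)."""
    rows = []
    for sub, (current, target, weight) in profile.items():
        gap = max(target - current, 0)      # at or above target -> no gap
        if gap:
            rows.append((sub, gap, gap * weight))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

def function_rollup(profile):
    """Executive view: {function: (sum_current, sum_target)} over its subcategories."""
    totals = defaultdict(lambda: [0, 0])
    for sub, (current, target, _) in profile.items():
        fn = function_of(sub)
        totals[fn][0] += current
        totals[fn][1] += target
    return {fn: tuple(totals[fn]) for fn in FUNCTIONS if fn in totals}

def progress(previous, current):
    """Total weighted gap before and after a reassessment, to track the cadence."""
    before = sum(p for _, _, p in gap_analysis(previous))
    after = sum(p for _, _, p in gap_analysis(current))
    return before, after

if __name__ == "__main__":
    for sub, gap, prio in gap_analysis(SAMPLE_PROFILE):
        print(f"{sub:10} gap={gap} priority={prio}")
    print(function_rollup(SAMPLE_PROFILE))
```

The prioritized list is the action plan; rerunning `progress` against the next period's profile gives the trend figure for the boardroom.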
Another superpower of the CSF is its flexibility. It's not a prescriptive, heavy-handed, one-size-fits-all checklist, but a voluntary framework that can be tailored to the organizational objectives you are looking to reliably achieve.
Working through the CSF can help you answer the following questions:
🔝 What are the top five cyber risks to my organization?
💰️ Am I getting the biggest return possible for my cyber risk management dollars?
👔 Do all our organization’s executives and leaders understand our cybersecurity plans?
⚠️ Does everyone at work know how they can help to mitigate our top cyber risks?
🗣️ What do I tell our biggest customers or stakeholders when they ask, “What are you all doing about cybersecurity?”
You start with a simple but critical step: understanding where you are now. From there, you can develop a prioritized plan to address those gaps, focusing on the areas that pose the greatest risk to your organization. Then measure progress and adjust approaches as the threat landscape evolves.
By focusing on resilience, the CSF helps organizations prioritize their efforts and measure their progress over time. It's not about achieving perfect security, but rather about being able to withstand and recover from attacks. It's about having the right people, processes, and technologies in place to detect and respond to incidents quickly and effectively.
In a time where cyber threats are a constant reality, the NIST Cybersecurity Framework is an essential tool for any organization looking to improve its cybersecurity posture. It's a guidebook for resilience that can help you navigate the complex landscape of cybersecurity and build a stronger, more secure future.
So if you're feeling overwhelmed by the challenge of cybersecurity, don't despair. Start by downloading the CSF and doing a baseline assessment of your current posture. From there, you can create a plan to address your gaps and start building resilience, one step at a time. It's a journey, but with the right guidebook, you can reach your destination.