The National Institute of Standards and Technology (NIST), established in 1901, has worked to promote innovation and quality standards in industry for over 120 years. The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, is the current iteration of the NIST Cybersecurity Framework.
According to NIST.gov, it provides “guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization – regardless of its size, sector, or maturity – to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document describes CSF 2.0, its components, and some of the many ways that it can be used.”
While some thought leaders have described the lack of prescription on how to achieve outcomes as a drawback, it is not unintentional. By not telling business leaders how to achieve desirable cybersecurity outcomes, NIST leaves organizations free to choose the processes and controls that work best for them. When you look at the Functions of the Framework, you may also notice that their order of appearance looks strange at first.
The reason for this is two-fold. First, every Function contains aspects of all the other Functions, which makes them holographic in nature: each one carries a picture of the whole. Second, every business is unique, with needs and processes that cannot accept strict prescriptions.
Small businesses in Pennsylvania, like yours, need to remain agile and customize their data security processes in a way that works for them. Here, our topic is how and why to get the best results from integrating the NIST Framework according to your unique needs.
Understanding The NIST Cybersecurity Framework 2.0
In our two most recent posts, we discussed the form, function, and utility of the Detect and Recover Functions of the Framework.
In so doing, we discovered that each Function contains processes of the others and interlocks with them fully. For example, within the Recover Function we find processes that could just as well be attributed to the Protect, Identify, and Respond Functions.
To recover fully, an organization needs to be ready for an attack before it happens, much as a boxer maintains balance and a defensive posture throughout the bout. We set ourselves up to take a hit, endure it, and move fluidly into Recover processes. Likewise, in the Detect Function we find attributes of the Recover, Identify, Protect, and other Functions.
Understanding this, we see that as we move through the Functions of the NIST Framework, we are performing all of them simultaneously and in parallel. The result of this deep interconnectivity is a system that works no matter where you start. Of course, it also means the default arrangement of the Functions can look a bit strange at first glance. For example, most of us would probably place Detect ahead of Identify, on the reasoning that you have to notice an event before you can say what it is.
But that's not how NIST arranges them. Part of the reason is that the Identify Function is about understanding your own assets and risks, not about identifying an intrusion, so it naturally comes before detection. The larger reason is the same one behind the absence of prescriptions: the whole process was designed on the assumption that every business using it will tailor it to its own specific needs. Customization is not merely permitted but built into the Framework. CSF 2.0 describes Organizational Profiles, a Current Profile recording what you do today and a Target Profile describing where you want to be, as the mechanism for doing it. With that said, let's look deeper into the meaning and importance of customizing the NIST Framework to suit your unique business needs.
But first, let’s review the Core NIST Functions.
Govern
The Govern Function is the newest addition to the list, and one we have not talked about yet.
It establishes the organization's cybersecurity risk management strategy, expectations, and policy, and monitors them, supplying the direction that the other, deliberately outcome-based Functions do not spell out. It was added in CSF 2.0 to bring order to security decision-making, assign accountability, clear up confusion and inefficiency, and reduce the likelihood and impact of reputational harm.
Identify
The Identify Function helps a business develop an organization-wide understanding of its assets and its current cybersecurity risks, including the vulnerabilities associated with personnel, data, systems, and capabilities.
It enables the organization to focus its efforts through a consistent risk management strategy aligned with its unique needs.
Protect
The Protect Function covers the safeguards that manage the organization's cybersecurity risks and keep essential services running. It supports the organization's ability to contain or limit the harm that can arise from cybersecurity events.
It comes with one of the longest lists of expected outcomes among the Functions, spanning identity and access control, awareness and training, data security, platform security, and technology infrastructure resilience, as it is perhaps the most core and essential of all the Functions.
Detect
The subject of one of our most recent articles on the Framework, the Detect Function defines the activities that find and analyze possible attacks, compromises, and anomalous events.
It is closely tied to the Respond, Recover, Protect, and Identify Functions for obvious reasons. Its list of expected outcomes is relatively short, but it too is tightly interwoven with the other Functions and includes processes that run through all of them.
Respond
The Respond Function incorporates the actions taken once a cybersecurity incident has been detected: managing the incident, analyzing it, communicating with stakeholders, and containing and eradicating it. Much of what makes a response effective, though, is detection and preparation work done earlier.
This is somewhat counterintuitive, but what we learn as we study the Functions as a whole is that each of them includes parts of the others, so that we can effectively run the process in its entirety in parallel at all times.
Recover
The final Function in the official lineup outlines the activities that restore assets and operations affected by an incident and maintain resilience. Once again, these processes run throughout all six Functions, making it possible to be properly positioned to effect a meaningful recovery at all times.
In our discussion of the Recover Function, we compared it to the stance of a boxer, which is meant to provide stability at all times and not only while he is being struck by his opponent.
Why NIST Cybersecurity Framework Customization Is Necessary
The Framework continues to surprise in its sophistication, especially when you begin to consider the value of the way the Functions are lined up by default: Govern, Identify, Protect, Detect, Respond, and Recover.
So, why are they set up this way?
There are two reasons.
First, the work of each Function is distributed throughout all of the others. Identify activities are still running when the Respond Function is triggered, Protect activities are as well, and so on for the lot of them.
The second reason is that NIST wanted to leave no question in the minds of business owners as to whether the Framework should be streamlined and customized for their own unique business needs.
What we learn from all of this is that customization is not only recommended, but also essential. Every organization, business, and agency is different. Every business model is unique, even in the same industry. Every merchant serves a unique group of customers, even if they sell similar types of goods and services.
Of course, even similar businesses working in different parts of the state will have different needs and processes. As a result, every organization will store, use, and track sensitive business data in different ways. That means every organization is going to have different vulnerabilities when it comes to cybersecurity. Therefore, it follows that every organization is going to have different data security needs.
They will need to organize the NIST core functions in accordance with how they will use them.
To achieve this, working closely with a data security service that is trained and experienced in the NIST Framework will be necessary for almost any organization, at least in the initial stages of integration. After your custom NIST Framework is set up and tuned to your needs, you may be able to go it alone. From there, your data security processes can be streamlined to the controls that matter for your risk profile, which saves time and money, but any control you drop should be a deliberate, documented risk decision, and human vigilance must remain intact.
Finally, and this cannot be stressed enough, businesses in Pennsylvania face another serious consideration when it comes to cybersecurity: regulatory compliance requirements.
As you know, if someone walks onto your property and suffers a slip-and-fall injury, you can be held liable. The same is true when a customer buys something through your sales portal and has their data compromised by a hacker or malware. You are likely to be held accountable for damage to a customer's privacy, data, or financial security when they do business with you online and suffer an attack.
Not only that, but Pennsylvania's Breach of Personal Information Notification Act requires you to notify affected residents after a breach, and depending on your sector, federal rules such as HIPAA for health data and the FTC Safeguards Rule for financial institutions impose their own security requirements; the FTC has also treated inadequate data security as an unfair business practice. What's more, cybersecurity insurance providers are likely to deny you coverage, or deny a claim, if you have not adhered to basic best practices.
Further, cybersecurity insurance has become an important part of recovery planning because security is never 100% foolproof. Keep in mind, though, that insurance is a financial backstop, not a recovery mechanism: it pays for response costs and losses, while tested backups and a rehearsed recovery plan are what actually restore your data. Neither substitutes for the other, and for a Pennsylvania small business that leaves little room for error.
Know Where You Stand
NIST also provides valuable self-assessment resources, including the CSF 2.0 Small Business Quick-Start Guide and an Organizational Profile template, to help organizations work out where they stand today (their Current Profile), where they need to be (their Target Profile), and which gaps to close first.
The Quick-Start Guide is a step-by-step walkthrough written for small businesses. It is not specific to Pennsylvania, but using it alongside your state and federal obligations is highly recommended.
In conclusion, the importance of customizing the NIST Cybersecurity Framework to meet the needs of your small business in PA cannot be overstated. You must work closely with proven, trusted professionals in this field to get the best results from NIST Framework implementation. Fortunately, there is a wealth of resources you can use to help in this endeavor, including the experience of SMBs just like yours that have already been through the process.
Now is the time to take action and secure your small business. Get in touch today to learn more.