In five years, the NIST Cybersecurity Framework (CSF) has gone from being a framework to help develop an effective security program and posture to a recognized process that has enabled successful conversations bridging the gap between security and senior leadership. The CSF was originally introduced at a time when large-scale cyber attacks (such as CryptoLocker ransomware) were just starting to get more public visibility. This meant that these attacks were also getting noticed by management and ‘the board’. The NIST Cybersecurity Framework is a standard meant to set goals, measure gaps in your cyber program, and provide guidance on best practices to improve your cybersecurity posture. This year is the fifth anniversary of its existence, so to celebrate, we’re introducing five fun facts.
1. Within five years of its launch, NIST has seen its Cybersecurity Framework extend its guidance beyond US borders.
NIST reports that several other nations have adopted their own adaptations of the Framework; these include Bermuda, Israel, Italy and Japan. It is growing in popularity, accuracy, and success. It is so widely accepted because it provides a standard that is easy to implement for organizations of any size in any industry.
2. One of the biggest accomplishments of this framework is the benefit it provides to the small business and non-profit sectors.
The biggest vulnerability SMBs have is their lack of expertise in cybersecurity. Most SMBs don’t know where to begin when it comes to integrating the right tools, especially because they don’t have the internal experience that larger corporations do. The NIST CSF was designed with the intent to help them overcome this common hurdle. In addition to the framework, in August of 2018 the NIST Small Business Cybersecurity Act was established to circulate consistent, clear, concise, and actionable cybersecurity resources to small businesses. The Small Business Cybersecurity Corner resources are available at https://www.nist.gov/itl/smallbusinesscyber.
3. It bridges the gap between IT and upper management.
While this framework can help SMBs point out their strengths and weaknesses and make suggestions to enhance their cybersecurity posture, the decision making and policy making need to come from within. In addition to providing a framework to help organizations develop an effective security strategy, it has also enabled conversations on cybersecurity risk to occur between the security team and senior leadership using a language that both can understand. With this framework, organizations can bridge the gap between IT and management to create common goals to establish a proactive cybersecurity strategy.
4. The Framework is easy to personalize.
Because it was created in detail and can be easily personalized, the NIST Cybersecurity Framework provides scalable solutions for organizations of any size and industry. The framework was originally developed to complement the energy, banking, communications and defense industrial base sectors but has found its way into other industries over the last five years. As it continues to see wide-scale adoption and recognition, the NIST Cybersecurity Framework will only continue to improve cybersecurity policies and procedures for organizations.
5. The NIST CSF is expected to be utilized by 50% of all U.S. organizations by 2020.
While only 30 percent of U.S. organizations used the framework in 2015, by 2020 the percentage is predicted to rise to 50 percent, according to Gartner. Aligning with the Framework is a recommended choice for cybersecurity programs because it is easily adaptable across all organizations. With the newest revision, self-assessments will allow you to understand your organization’s risk and use benchmarks to optimize success.
We believe the NIST CSF is great guidance for our clients to align with their cybersecurity strategies. To help get them on a plan for implementation, we created a 4-step guide. We want to help your organization achieve the same success.