By Tenable Network Security
In today’s world of complex IT environments, security is a top priority for all organisations. But it can be a huge challenge for CISOs to ensure that their security programs are effective, protective and efficient. The goal is always the same: to prevent attackers from doing harm. But is there a best solution to achieve that goal? Recently, several security frameworks have gained stature to help organisations stay on track, the most popular ones being the Center for Internet Security Critical Security Controls (CSC), ISO/IEC 27001/27002 (ISO 27K) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF).
The NIST Cybersecurity Framework was created to help organisations make better decisions about, and better investments in, the security controls they use to manage cybersecurity risk. Developed by NIST with extensive private-sector input, under a 2013 U.S. executive order, for organisations in the critical infrastructure sectors, the CSF is built on globally accepted standards, guidelines and best practices for reducing cybersecurity risk. The CSF is also customisable, providing a flexible, risk-based implementation approach: it lets different organisations select the cybersecurity management processes that best fit their situation.
Even within a single industry, each organisation has a different security posture, so an adaptable framework helps you prioritise and set goals that are actually achievable. Because the CSF is a voluntary framework covering best practices across many industries, it has established itself in the U.S. as a tried and true framework for government agencies, industries and organisations of all types. PwC states, “It is our opinion that the NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards.”
While the CSF is just two years old, Gartner predicts that “By 2020, more than 50% of organisations will use the NIST Cybersecurity Framework, up from the current 30% in 2015.” With such widespread acceptance, the CSF is worth serious consideration by any organisation in any country. Indeed, the Framework states “the Framework can contribute to developing a common language for international cooperation on critical infrastructure cybersecurity.”
The CSF Core specifies five continuous functions to improve a security posture:
- Identify – Develop understanding of and visibility into all assets to manage cybersecurity risk
- Protect – Develop and implement safeguards to ensure delivery of critical infrastructure services
- Detect – Implement activities to identify cybersecurity incidents
- Respond – Implement activities to take action in response to a detected event
- Recover – Develop activities to maintain resilience and to restore services that were impaired due to an attack, compromise or breach
These five functions are the high-level view of the activities that drive security outcomes. Each function is divided into categories, and each category into subcategories (just over 100 in total); these play the role of “controls” or “control objectives” in other security frameworks, and each one names a specific outcome that supports and implements its parent function.
The subcategories fall into two broad control types, administrative and technical:
- Administrative controls are procedural (governance, policies, roles, training and response plans). They are implemented and audited through manual processes such as document review and interviews.
- Technical controls account for roughly half of the CSF controls, covering areas such as asset inventory, vulnerability management, access control, logging and continuous monitoring. They involve large volumes of fast-changing data, so implementing and auditing them at any scale requires automation. Look for a security product that implements CSF technical controls in reports, dashboards, analytics and compliance audits, so that the evidence for an audit is produced continuously rather than assembled by hand.
The NIST CSF is a flexible, comprehensive security framework that is general enough to apply anywhere. Although it originated in the U.S., it is recognised worldwide as a standard worth consideration by all organisations. The CSF controls provide a solid foundation for a strong and defensible security program, and because each subcategory is mapped to informative references in other standards, work done against the CSF also covers requirements of several other compliance standards. CISOs can select the CSF functions and controls that meet their specific needs, regardless of industry or geography.