It’s a saying that has been attributed to Aristotle and to an American pro football coach, but it was probably penned by the author Will Durant: “Excellence, then, is not an act, but a habit.” Whoever wrote it first, it’s a sentiment worth remembering, and since the use of cyber security controls and frameworks should itself be a habit of excellence, we’ll use the quote to introduce this week’s post.
In this post, we’ll talk about the NIST CSF v2, and show you that managing cyber security risk need not be like trying to juggle flaming chainsaws while riding a unicycle under the big top, and we’ll explain how you can use the NIST CSF 2.0 to ensure a comprehensive approach when identifying, assessing, and managing your organisation’s risks.
And to keep it light, we’ll pretend we’re at the circus!
So are you ready for the wonders of the new, one-of-a-kind NIST Cyber Security Framework? When it comes to managing your organisation’s cyber risks, CSF v2.0 is the hottest show in town! You there, yes you! The one with the SME business! And you, there, yes, you in the background, the one tasked with corporate risk management! Come one, come all, and gasp in awe and wonder at the marvels of the new NIST CSF!
Fun fact: The first version of the CSF (its full title was “Framework for Improving Critical Infrastructure Cybersecurity”) was published 10 years ago, in 2014, in response to an Executive Order from then US President Obama calling for a cybersecurity framework to help protect US critical infrastructure.
So, what’s the deal with this shiny new version? Well, in summary, it’s a framework for today’s organisations. Recognising that breaches will often happen despite controls, the CSF v2.0 places a stronger emphasis on cybersecurity resilience. The new version also addresses emerging technological trends and cybersecurity challenges, such as supply chain risk management and cloud computing security, and it is suitable for organisations outside the critical infrastructure sector. And finally, v2.0 also enhances guidance on how to use the framework for self-assessment and continuous improvement in cybersecurity practices.
In short, the CSF v2.0 provides the flexibility that is needed to allow organisations (irrespective of industry, size and maturity) to understand cyber threats, baseline their current cybersecurity posture, set goals for improvement, and communicate their maturity-improvement progress to stakeholders.
Step right up!
At the heart of the CSF 2.0 lies the CSF Core, a veritable panoply of cyber security outcomes organised into a hierarchy of functions, categories, and subcategories.
Let’s look at Functions first, since they are the main act, covering everything from establishing a risk management strategy to identifying risks, implementing safeguards, detecting incidents, responding to threats, and recovering from impacts.
Appearing for the first time in v2.0, the “Govern” function is new to the CSF lineup, and it’s included to emphasise the importance of aligning cyber security policies, processes, and strategies with the organisation’s overall goals and regulatory requirements. In our circus analogy, the Govern function is your ringmaster, ensuring that cyber security considerations are integrated into decision-making processes and that cyber security policies and practices are continuously evaluated against evolving risks and threats.
The other five functions in v2.0 (Identify, Protect, Detect, Respond and Recover) are equally important to the success of the show, but they also appeared in earlier versions of the framework, so we’ll leave them at a mention here.
Diving deeper into the CSF 2.0 Core, we encounter Categories and Subcategories.
Categories (such as “Identity Management, Authentication, and Access Control” or “Data Security”) are overarching groups of cyber security outcomes and practices, while Subcategories break the Categories down into more specific objectives.
Subcategories provide a finer level of granularity and describe the specific outcomes that should be achieved to improve an organisation’s cyber security posture. Examples of Subcategories within the “Identity Management, Authentication, and Access Control (PR.AA)” Category include PR.AA-01 (identities and credentials for authorised users, services and hardware are managed by the organisation), PR.AA-03 (users, services and hardware are authenticated) and PR.AA-05 (access permissions, entitlements and authorisations are defined in policy, managed, enforced and reviewed, incorporating least privilege and separation of duties).
Like our circus contortionist, Subcategories deliver the flexibility that allows an organisation to pinpoint exact areas of focus within a Category, ensuring that no part of their cyber security posture is too rigid or overstuffed to adapt to new threats.
The Core is complemented by Profiles and Tiers. A Profile describes an organisation’s posture in terms of the Core outcomes: a Current Profile records the outcomes you achieve today, and a Target Profile records the outcomes you want to achieve, so the gap between the two becomes your improvement plan. Tiers (Partial, Risk Informed, Repeatable and Adaptive) characterise the rigour of an organisation’s cyber security risk governance and management practices, and they provide context for how a Profile is set and pursued. By leveraging Profiles and Tiers, organisations can ensure that their cyber security measures are not only tailored to their specific needs but also capable of evolving and adapting over time.
We sometimes see security controls deployed as part of a chaotic juggling act that is choreographed (albeit with good intentions) by sales pitches and gut feelings, and the results of that approach are likely to be expensive, ineffective and time consuming. That need not be the case, however, because the CSF allows you to instead prioritise controls on the basis of risk and of clearly defined requirements, as easy as 1-2-3… Okay, maybe a few more steps, but you get the idea!
Remember, implementing the CSF is a continuous effort that should evolve with your organisation. The CSF’s emphasis on understanding current risks, setting target goals, and measuring progress enables you to allocate resources more effectively and efficiently. This risk-based approach helps ensure that your cyber security efforts are focused on the most critical assets and vulnerabilities while demonstrating the value and impact of your cyber security investments to stakeholders.
Don’t let the challenges of implementing the NIST CSF 2.0 turn into a circus! Instead, let DotSec’s experienced team help you to assess your current cyber security posture, craft a tailored road map to achieve your desired security outcomes, and provide continuous support to close any gaps.
To paraphrase the Ringling Bros., the CSF v2.0 has the potential to be the greatest cyber security framework on earth! And when it comes to implementation, with DotSec at your side you’ll have access to a comprehensive suite of cyber security services, from vulnerability assessments and penetration testing to incident response planning and security awareness training, ensuring your cyber security measures are as robust and effective as possible.
Our resources, including insightful blog posts on the latest trends and strategies in cyber security, are designed to keep you informed and prepared.
Don’t walk the control-frameworks tightrope alone; give us a call so that we can be your safety net and help you to bask in the limelight of risk-management success.