What is the NIST Cybersecurity Framework? Managing your cybersecurity risk can be the difference between expansion and extinction for your business

One of the most substantial expenses a business incurs generates no revenue and is difficult to quantify: cybercrime has become an open-ended cost center. Businesses that don't address it can lose eye-popping amounts of money (see Target, which has estimated the cost of its data breach at $202 million, and on May 23, 2017 settled a lawsuit with 47 states and the District of Columbia for $18.5 million). Worse, what is stolen may not be limited to your business's data but may be the business itself (see the once venerable Nortel Networks, whose loss of intellectual property through years of corporate cyberespionage is widely cited as a factor in its collapse). Other businesses have invested in strategic cybersecurity planning, spending that has made them better at detecting intrusions and preventing the theft of intellectual property. Executives of businesses of all sizes are now trying to decide how best to limit their exposure to cybercrime, and the federal government has suggested a way to help.

The NIST Cybersecurity Framework (CSF) is a helpful, yet imperfect, document that guides a business through the creation of a cyber-risk management plan. Using the CSF gives your business a good starting point to assess its cyber-risk and take affirmative steps to mitigate losses from cybercrime. Used properly, the CSF is not only a way to mitigate loss but also a way to generate business with customers, other businesses, and federal and state governments, by differentiating your business as more cybersecure and letting you explain the cybersecurity risk in your products. Managing your cybersecurity risk can be the difference between expansion and extinction for your business.

Overview of the CSF

The NIST CSF is a self-assessment tool for understanding your business's cybersecurity posture. The CSF is not federally mandated, and you need not (and should not) share your self-assessment with the federal government or with other businesses. It is simply a tool for upper-level management to assess where their cybersecurity practices are now and where management wants to take them in a given time period. Followed as intended, the CSF produces a strategic road map toward minimizing cybersecurity risk.

In the simplest terms, the CSF has three main components: the Framework Core, the Framework Profile, and the Implementation Tiers. Each is briefly outlined below.

The Framework Core: The managerial tool for assessing cybersecurity risk

The Framework Core functions as the managerial overview of cybersecurity risk. The emphasis of the Core is on high-level strategic planning, outcomes, and repeatable methodology. Its stated goal is a set of cybersecurity activities and references that are common across critical infrastructure sectors, organized around particular outcomes. The Core presents standards and best practices in a manner that allows cybersecurity risk to be communicated through the organization, from the senior executive level to the implementation/operations level. The Core consists of five Functions (Identify, Protect, Detect, Respond, and Recover), which provide a high-level, strategic view of an organization's management of cybersecurity risk. Those Functions break down into 23 Categories and 108 Subcategories (in CSF version 1.1), and each Subcategory is matched with Informative References such as existing standards, guidelines, and best practices.

The five Functions and the Categories under each:

·     Identify: Develop an organizational understanding of what needs protecting. Categories: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.

·     Protect: Develop safeguards to ensure delivery of critical services through the risk management plan. Categories: Identity Management, Authentication and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

·     Detect: Develop and implement the activities needed to identify the occurrence of a cybersecurity event. Timely detection enables timely response and the ability to limit or contain the impact of an incident. Categories: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.

·     Respond: Develop and implement the activities, prioritized through the organization's risk management process (including effective planning), to take action on a detected cybersecurity event. Categories: Response Planning, Communications, Analysis, Mitigation, and Improvements.

·     Recover: Develop and implement the activities, prioritized through the organization's risk management process, to restore capabilities or critical infrastructure services impaired by a cybersecurity event. Categories: Recovery Planning, Improvements, and Communications.

The importance for your business is that you will identify the data most valuable to revenue production, the loss of which would have the most drastic consequences for the organization. You'll strategize and operationalize how to protect that data, put mechanisms in place to secure it, and detect attempted intrusions directed at it. You'll plan the response to an intrusion, both managerial and technical, and how to recover if that critical data is exfiltrated or made inaccessible.

The Framework Profile: The self-assessment tool for where you are and where you want to be in the future

The Profile represents the outcomes that a particular system or organization has achieved or is expected to achieve, expressed in terms of the Framework Categories and Subcategories. It can be characterized as the alignment of industry standards and best practices to the Framework Core in a particular implementation scenario. The most useful application of Profiles is to identify opportunities for improving cybersecurity by comparing a "Current" Profile (what is achieved today) with a "Target" Profile (what management wants achieved). The gap between the two then supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs, including cost-effectiveness and innovation. In short, the Profile functions as a self-assessment tool.

The Framework Profile is thin on guidance, but that is not necessarily a defect. An active business can customize the Profile to its needs: protecting specific intellectual property, testing the security of its networks, testing how employees respond to phishing emails that would open your network to penetration, and so on.

The Profile enables leaders across the C-suite to determine the top cybersecurity priorities for your specific business and to put processes in place that protect those business requirements. For example, you can customize an assessment of how you store your most important or sensitive data and test it against security and appropriate-access requirements. You can test for specific vulnerabilities, score yourself, and devise plans to improve that score over a period of time. The lack of guidance is balanced by the customization available to your business as you assess your systems' suitability to conduct the business of the organization.
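As an added example (not part of this post, and not NIST's own tooling), the Python script below puts the Core and Profile vocabulary from the two sections above into working form. It holds a handful of Subcategories identified by their CSF 1.1 IDs, each with a Current score, a Target score, and a business-criticality weight, then validates the Profile (unknown Function prefix, a score off the scale, a Target quietly set below Current) and produces the prioritized gap list and per-Function roll-up that management would act on. The 0-4 scale, the scores, and the weights are assumptions made for illustration; the outcome statements are paraphrased, and the sample covers a few of the 108 Subcategories, not all of them.

```python
"""Current-vs-Target Profile gap analysis, NIST CSF style.

Added example for this post, not NIST's own tooling.  Subcategory IDs use
the CSF 1.1 scheme (Function.Category-Number); the scores, weights and the
0-4 implementation scale are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean

# The five Functions of the Framework Core, keyed by their CSF 1.1 prefix.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
SCALE_MAX = 4  # constructed scale: 0 = not implemented .. 4 = implemented and measured


@dataclass(frozen=True)
class Subcategory:
    sid: str        # e.g. "PR.AC-1"
    outcome: str    # the outcome statement, paraphrased
    current: int    # Current Profile score on the 0-4 scale
    target: int     # Target Profile score
    weight: int     # business criticality, 1 (low) .. 5 (crown-jewel data)

    @property
    def function(self) -> str:
        return FUNCTIONS[self.sid.split(".")[0]]

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        # Gap scaled by how much the business depends on this outcome.
        return self.gap * self.weight


def validate(profile):
    """Return a list of problems; an empty list means the profile is usable."""
    errors, seen = [], set()
    for s in profile:
        prefix = s.sid.split(".")[0]
        if prefix not in FUNCTIONS:
            errors.append(f"{s.sid}: unknown Function prefix {prefix!r}")
        if s.sid in seen:
            errors.append(f"{s.sid}: listed twice")
        seen.add(s.sid)
        for name in ("current", "target"):
            if not 0 <= getattr(s, name) <= SCALE_MAX:
                errors.append(f"{s.sid}: {name} score outside 0..{SCALE_MAX}")
        if s.target < s.current:
            # Lowering a target is a risk-acceptance decision; make it explicit.
            errors.append(f"{s.sid}: Target below Current, record the risk acceptance")
    return errors


def prioritized_gaps(profile):
    """Subcategories still short of Target, highest weighted gap first."""
    open_items = [s for s in profile if s.gap > 0]
    return sorted(open_items, key=lambda s: (-s.priority, s.sid))


def function_summary(profile):
    """Roll-up per Function: average Current/Target and the count of open gaps."""
    summary = {}
    for name in FUNCTIONS.values():
        subs = [s for s in profile if s.function == name]
        if subs:
            summary[name] = {
                "current": mean(s.current for s in subs),
                "target": mean(s.target for s in subs),
                "open_gaps": sum(1 for s in subs if s.gap > 0),
            }
    return summary


# Constructed sample assessment (a handful of the 108 Subcategories).
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 2, 3, 3),
    Subcategory("ID.RA-1", "Asset vulnerabilities are identified and documented", 1, 3, 4),
    Subcategory("PR.AC-1", "Identities and credentials are managed for users and devices", 2, 4, 5),
    Subcategory("PR.DS-1", "Data-at-rest is protected", 3, 4, 5),
    Subcategory("DE.CM-1", "The network is monitored for potential cybersecurity events", 1, 3, 4),
    Subcategory("RS.RP-1", "Response plan is executed during or after an incident", 0, 3, 4),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an incident", 2, 2, 3),
]

if __name__ == "__main__":
    problems = validate(SAMPLE_PROFILE)
    if problems:
        raise SystemExit("\n".join(problems))
    print("Prioritized gaps (Current -> Target, weighted):")
    for s in prioritized_gaps(SAMPLE_PROFILE):
        print(f"  {s.sid:8} {s.function:8} {s.current}->{s.target}  priority={s.priority:2}  {s.outcome}")
    print("\nPer-Function roll-up:")
    for fn, stats in function_summary(SAMPLE_PROFILE).items():
        print(f"  {fn:8} current={stats['current']:.1f} target={stats['target']:.1f} open={stats['open_gaps']}")
```

The weighting is the point: a two-step gap on a crown-jewel control (PR.AC-1 here) outranks a larger gap on something the business depends on less, which is the "factoring in other business needs" the Framework asks for. The validation step also refuses to let a Target drift below Current silently, because that is a risk-acceptance decision someone should sign.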

The Implementation Tiers:  Scoring your organization’s approach to cybersecurity

The Framework Implementation Tiers ("Tiers") describe how an organization manages its cybersecurity risk. The Tier selection process considers an organization's current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Tiers characterize an organization's practices over a range from Partial (Tier 1) to Adaptive (Tier 4), progressing from informal, reactive implementations to approaches that are agile and risk-informed. Organizations should determine the desired Tier, ensuring that the selected level meets organizational goals, reduces cybersecurity risk to critical infrastructure, and is feasible and cost-effective to implement. One caveat: NIST is explicit that the Tiers are not maturity levels, and that moving to a higher Tier is encouraged only when doing so would reduce risk in a cost-effective way, so a Tier 2 rating is not by itself a failing grade.

The Four Tiers

·     Tier 1: Partial: Cybersecurity risk management is not formalized and is reactive; the organization does not collaborate with or receive information from other entities.

·     Tier 2: Risk Informed: Risk management practices are approved by management but are not established as organization-wide policy; the organization knows its role in the ecosystem but does not formally share or receive information.

·     Tier 3: Repeatable: Cybersecurity risk management practices are formalized in organization-wide policy that is updated as business needs and threats change; the organization receives information from, and shares cyber threat information with, suppliers and other dependencies.

·     Tier 4: Adaptive: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators; cybersecurity is part of the organizational culture, and the organization actively shares information with suppliers and other dependencies.

Conclusion

The NIST Cybersecurity Framework can become an invaluable tool to your business. If you are an executive at a business, and cybersecurity is a concern to you, then you will want to use this Framework to identify and mitigate your risk.  If you’re an executive and you’re not concerned about cybersecurity…you should re-think that position!

The next blog post will cover how to use the NIST Cybersecurity Framework, and how you can work with my consulting firm to use and implement the Framework. Please drop us a comment if this helped you!

(c) CM IP Holdings, LLC 2019