
Implementing the NIST CSF into your organization

The first blog post in this series provided an overview of the NIST Cybersecurity Framework (CSF). This post discusses how to use the CSF and why you should implement it in your business or agency. At the outset, I recommend that you use an outside consultant to assist with the implementation. Inside your business, each executive has reasons why something isn't, or shouldn't be, done. The CIO or CISO will have technical issues and limitations. The CFO will have very real budget limitations because, first, money is a finite resource, and second, the CFO must justify spending on services that do not produce revenue. The COO will have concerns about workers' access to information. Your company will benefit from a neutral mediator who can bridge the divides between the executives and arrive at the best solution for your business: the one that mitigates the most risk for the resources you can devote.

How to Use the CSF

The CSF gives senior management a basic overview of the organization's cybersecurity posture: it answers how the organization is doing today and provides a plan for moving ahead to accomplish its goals. NIST's own guidance (CSF v1.1, section 3.2) describes seven steps (Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine/Analyze/Prioritize Gaps, Implement Action Plan); the first two are combined here as a single Identify step, giving six steps.

·     Step 1: Identify. The organization identifies its mission objectives, the systems and assets that support them, its regulatory requirements, and its overall approach to risk. It identifies its business requirements and ties each one to the specific systems, networks, software, hardware, and access structures that support it.

·     Step 2: Create a Current Profile. Beginning with the Categories and Subcategories in the Framework Core, the organization develops a Current Profile that records which cybersecurity outcomes it is achieving today, drawing on the inventory built in Step 1. It selects the Subcategories that matter most to its business requirements and chooses the metrics by which it will measure its current performance in mitigating cybersecurity risk to the infrastructure that supports those processes.

·     Step 3: Conduct a Risk Assessment. The organization analyzes its operational environment to estimate the likelihood of a cybersecurity event and the impact that event would have on the organization. Likelihood is an estimated probability, not a measurement, and should be informed by outside threat data as well as the organization's own incident history. The impact should include both the direct cost to remediate the event and the losses the organization would suffer as a result of it. It is important that critical infrastructure organizations incorporate emerging risks and outside threat data to build a robust understanding of the likelihood and impact of cybersecurity events. The public relies on these organizations for basic necessities, so they carry a higher duty of care in mitigating cybersecurity risk.

·     Step 4: Create a Target Profile. The organization creates a Target Profile that scores the same Framework elements (Categories and Subcategories) to describe its desired cybersecurity outcomes. The Target Profile must use the same metrics as the Current Profile so that the two can be compared, and the selected goals should be measurable and comparable on demand.

·     Step 5: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile with the Target Profile to find the gaps, prioritizes them by the risk they carry, and determines the resources needed to close them. Attaching operational and tactical steps to these gaps turns the strategic plan into operational plans. Specific tactical plans should cover: 1) responding to a cyber event, 2) recovering from a cyber event, 3) communicating before, during, and after a cyber event with the appropriate groups, and 4) communicating your cybersecurity risk in the supply chain to vendors, customers, and consumers.

·     Step 6: Implement Action Plans. The organization carries out the steps in the action plans and monitors its cybersecurity practices against the Target Profile, re-scoring the Current Profile as work completes. The plan should be communicated to interdependent partners, especially where supply chain cybersecurity risk management is concerned.
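As an added worked example (not part of the original post), the following Python models Steps 2 through 6 in code: a Current Profile and a Target Profile scored over the same CSF Subcategories, a risk assessment expressed as likelihood times impact (annualized loss expectancy), a gap list ranked by risk reduction per dollar, and a greedy action plan that fits the ranked gaps to a budget. The Subcategory IDs are real CSF v1.1 identifiers; every score, likelihood, impact, cost and the 1-4 scoring scale are constructed assumptions for illustration, not figures from the post or from any organization.

```python
"""Risk-weighted gap analysis between a NIST CSF Current Profile and a Target Profile.

Profiles are modelled as a mapping from CSF Subcategory ID to an implementation
score on a 1-4 scale (an assumed scale mirroring the Framework's Implementation
Tiers, 1 = Partial, 4 = Adaptive). The risk assessment supplies, per Subcategory,
an annual likelihood and a monetary impact; annualized loss expectancy
(ALE = likelihood x impact) is the common metric used to rank gaps.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Profile = Dict[str, int]                    # Subcategory ID -> score 1..4
RiskTable = Dict[str, Tuple[float, float]]  # Subcategory ID -> (annual likelihood, impact USD)

# Subcategory IDs are real CSF v1.1 identifiers (PR.AC-1 = identities and
# credentials managed, DE.CM-1 = network monitored, RS.RP-1 = response plan
# executed, ...). Every score, likelihood, impact and cost below is constructed
# sample data for this example, not a measurement of any real organization.
CURRENT: Profile = {"ID.AM-1": 2, "ID.GV-1": 3, "PR.AC-1": 1, "PR.DS-1": 2,
                    "DE.CM-1": 1, "RS.RP-1": 1, "RC.RP-1": 2}
TARGET: Profile = {"ID.AM-1": 3, "ID.GV-1": 3, "PR.AC-1": 4, "PR.DS-1": 3,
                   "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}
RISK: RiskTable = {"ID.AM-1": (0.25, 60_000),   "ID.GV-1": (0.125, 200_000),
                   "PR.AC-1": (0.5, 1_600_000), "PR.DS-1": (0.25, 640_000),
                   "DE.CM-1": (0.5, 600_000),   "RS.RP-1": (0.5, 400_000),
                   "RC.RP-1": (0.125, 960_000)}
# Assumed cost (USD) to raise each Subcategory by one score level.
STEP_COST: Dict[str, float] = {"ID.AM-1": 20_000, "ID.GV-1": 10_000,
                               "PR.AC-1": 150_000, "PR.DS-1": 100_000,
                               "DE.CM-1": 120_000, "RS.RP-1": 40_000,
                               "RC.RP-1": 60_000}


def annualized_loss(likelihood: float, impact: float) -> float:
    """ALE: expected yearly loss from the event this Subcategory mitigates."""
    return likelihood * impact


@dataclass
class Gap:
    subcategory: str
    current: int
    target: int
    ale: float            # ALE at the current score
    cost_to_close: float  # cost to reach the target score

    @property
    def levels(self) -> int:
        return self.target - self.current

    @property
    def risk_per_dollar(self) -> float:
        # Simplifying assumption: reaching the target removes this ALE entirely,
        # so the gap worth funding first is the one that buys the most ALE per dollar.
        return self.ale / self.cost_to_close


def find_gaps(current: Profile, target: Profile, risk: RiskTable,
              step_cost: Dict[str, float]) -> List[Gap]:
    """Step 5: compare the profiles. Both must score the same Subcategories,
    since a Target Profile is only comparable if it uses the Current Profile's metrics."""
    if set(current) != set(target):
        raise ValueError("profiles cover different Subcategories: "
                         f"{sorted(set(current) ^ set(target))}")
    for profile in (current, target):
        bad = {k: v for k, v in profile.items() if not 1 <= v <= 4}
        if bad:
            raise ValueError(f"scores must be 1..4: {bad}")
    gaps: List[Gap] = []
    for sub, cur in current.items():
        tgt = target[sub]
        if tgt <= cur:
            continue  # already at or above target: no gap to fund
        likelihood, impact = risk[sub]
        gaps.append(Gap(sub, cur, tgt, annualized_loss(likelihood, impact),
                        step_cost[sub] * (tgt - cur)))
    return gaps


def prioritize(gaps: List[Gap]) -> List[Gap]:
    """Highest risk reduction per dollar first; ties broken by larger ALE."""
    return sorted(gaps, key=lambda g: (g.risk_per_dollar, g.ale), reverse=True)


def fund(prioritized: List[Gap], budget: float) -> Tuple[List[str], List[str], float]:
    """Step 6 action plan under the CFO's constraint: fund whole gaps in priority
    order while they fit; a gap that does not fit is reported as unfunded and
    cheaper gaps further down the list are still considered.
    Returns (funded, unfunded, budget remaining)."""
    funded: List[str] = []
    unfunded: List[str] = []
    for g in prioritized:
        if g.cost_to_close <= budget:
            budget -= g.cost_to_close
            funded.append(g.subcategory)
        else:
            unfunded.append(g.subcategory)
    return funded, unfunded, budget


if __name__ == "__main__":
    ranked = prioritize(find_gaps(CURRENT, TARGET, RISK, STEP_COST))
    for g in ranked:
        print(f"{g.subcategory:8} {g.current}->{g.target}  ALE ${g.ale:>10,.0f}  "
              f"cost ${g.cost_to_close:>9,.0f}  ALE/$ {g.risk_per_dollar:.2f}")
    print(fund(ranked, 500_000))
```

With the sample data, the largest single risk (PR.AC-1, identity and credential management) is also the most expensive gap and does not fit a 500,000 budget, so it is reported as unfunded while five smaller gaps are funded; that is exactly the trade-off the CFO and CISO have to surface to the CEO rather than bury in a spreadsheet. The `find_gaps` check that both profiles cover the same Subcategories enforces the Step 4 requirement that the Target Profile use the Current Profile's metrics.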

Developing a Team to Implement the Framework

The NIST CSF is a top-down, management-level view of cybersecurity within the business. It is an executive management tool. Thus, the individuals who should be part of the cybersecurity planning team include the CEO, the CFO, the CIO or CISO, the COO, the CTO, the CRO, and the outside consultant who will facilitate the planning discussions among them.

The CEO should be included because he or she has ultimate decision-making responsibility for each facet of the plan and sees the context in which each step affects the entire business. The CEO must weigh the cybersecurity risks and vulnerabilities against the need for information access and the way the business is run, and both against the financial impact of the recommendations. The CEO must also be able to communicate overall cybersecurity risk and risk mitigation to the Board of Directors or the legislative oversight authority.

The CIO or CISO understands the company's network, its data storage and access structure, and the external risks the company faces each day. The CIO must know what information the company stores: where its intellectual property is located and how it is protected, and the same for the personally identifiable information on the network. The CIO must know which personnel, inside and outside the organization, can access which information, and what controls protect that information from external threats (attackers) and internal threats (employees careless with information, or rogue employees working against the company's interest). The CIO must know the technical capabilities of the network's protections, what information must be protected and from whom, and the working needs of the business. The CIO must also formulate responses to intrusions and to the loss of data.

The COO understands the corporate structure and which parties need access to which information. The COO must decide what restrictions on information are acceptable when balanced against operational efficiency, and must understand the consequences a loss of data would have on each part of the business. The COO must also attend to the quality of the information, as defined by its integrity and confidentiality requirements.

The CFO understands the finances of the company. That understanding matters in two places. First, what resources are available to spend on implementing the recommendations in the CSF plan? Second, what would the financial impact on the business be if certain information were breached or lost? What would be the loss in revenue? What disclosures would have to be made to the public, and how would those affect the company financially? These costs could take the form of lost revenue, money spent to remediate the breach, a drop in stock price from the financial impact of the breach, or the loss of confidence the breach causes. The CFO can work with the CISO to develop the numbers and risk formulas that will prioritize cybersecurity risk mitigation efforts.

The outside consultant must, like the CEO, see the big picture for the business, but must also be detail-oriented in order to make specific and effective recommendations. The consultant must work with each of the interested individuals one on one, while also bringing valid concerns raised by one to the whole group. The consultant must produce effective strategic and operational plans, which requires acting as an honest broker: communicating information as needed, understanding the business and its information and security needs, and understanding the limitations the organization faces. Finally, the consultant must be able to work directly with the CEO so that the CEO can make the most informed decision on each part of the CSF implementation.

Conclusion

Implementing the NIST CSF is an important decision for a business. As cyber risk grows, not just in threat vectors but in financial magnitude, planning how to mitigate that risk becomes paramount. The best planning involves all of upper-level management, each acting in their own role within the organization and with the best interests of the organization in mind, to produce the most realistic and efficiently implemented plan.


 (c) CM IP Holdings, LLC 2019