5 Ways the NIST Cybersecurity Framework Can Improve Your Cyber Corporate Governance Initiatives
Many directors and non-tech clients often ask, "Is there one critical document or article that I should read to help me understand all this stuff about cybersecurity?" It is an excellent question. My response is always the NIST Cybersecurity Framework, which was announced by the Obama Administration in Feb. 2014. Why is it critical? The NIST Cybersecurity Framework ("the CSF") is kind of like the Declaration of Independence and the Constitution of the US. Just as those two documents are the foundational documents of our country, the NIST CSF is the foundational document when it comes to a unified national "standard" for cybersecurity.
Even today many articles continue to refer to the CSF as a good idea (see, for example, IBM's "Know Your Security Posture: The Key To Incident Response is Understanding Your Risks"). I like the NIST CSF too because it is easy and simple to understand and explain to a lay person who knows nothing about cybersecurity. It is a way to involve everyone in cybersecurity conversations without turning anyone off with incessant technobabble. It is a way for boards to communicate with senior management and IT staff, and vice versa. Here are 5 very important ways the NIST CSF can help your company deal with cybersecurity corporate governance issues:
Identify: Probably the most important of all the elements of the CSF. Simply put, if I don't know what data I have, and have not valued it in terms of importance and criticality (what are my crown jewels? what data, if lost, would sink my ship?), and if I don't know where it is stored (e.g. the US, UK or EU), there is no way to devise a good, comprehensive cyber defense strategy that both works and comports with existing rules and regulations on cybersecurity and privacy. Have this conversation. Document it. Do the same for your network equipment, office computers, mobile devices, laptops, iPads and smartphones. Where are they located? Who has mobile devices that access the networks? It all starts from here.
Defend: This follows from Identify. How, where, and with what devices and solutions am I protecting my crown jewels? Am I taking enough precautions, or should I do something different to protect them (tokenization, encryption) from attackers? Do I have enough IT staff? Do I have complete visibility into my network or cloud environment? Should I rely on my firewalls and intrusion detection solutions alone, or is it time to update to a machine learning cyber defense solution? One word of advice here: "Protect the Most Which Matters the Most."
Detect: The second most important NIST CSF element. How am I detecting potentially malicious traffic on my network or cloud environment? Do I have visibility of all my endpoints? Should I retire my SIEM and move to a machine learning solution for better visibility? Finally, should I be moving to a cybersecurity automation and orchestration solution in order to help my incident responders deal with the exponential growth of network traffic?
Respond: This goes hand in hand with the Detect element of the NIST CSF. Our advice here: use the best solution you can afford so that you know at the earliest possible moment if you have been breached. 5 months of dwell time on a network can allow an attacker to really make your life miserable. Do what you can to kick him off your network at the earliest possible moment. And make sure your incident response plan is battle-tested and ready to implement.
Recover: It's all about resilience here. You will be attacked. You will be breached. Plan for the worst. Hope for the best. Have a business continuity plan (#backitup) and a crisis management plan ready to go. Make sure they are practiced, and that everyone knows how to proceed.
By having NIST-based conversations with your board, C-suite and senior management every year, you can accomplish a lot: good governance, better understanding, and hopefully a better, more comprehensive response to a cyber attack. Don't take the NIST CSF lightly. Use it as your foundation document for crafting your whole cyber defense strategy and your cybersecurity corporate governance strategy. Document your actions. And follow through. You will not regret it.
4Site Strategy Finance & Leadership
8y: "Is there one critical document or article that I should read to help me understand all this stuff about cybersecurity?" ~ This is it!

Operations * Security * Technology (mostly retired)
8y: Thanks for putting this back in the spotlight.

Named "Top Tech Person To Follow" by LinkedIn, Voted "Cybersecurity Person of the Year", Cited Top 10 Global Tech & Cyber Expert & Influencer, Georgetown U Prof, 2X Presidential Appointee, FORBES Writer, 124k LI Followers
8y: GREAT advice!