They say that knowing is half the battle. Thanks to the NIST Cybersecurity Framework, businesses can know where they stand and where they need to go by taking an objective look at their current cybersecurity posture. For this blog post, we’ll focus on what a company with an immature cybersecurity program should consider when tackling cyber challenges. Cybersecurity professionals make decisions and provide guidance based on risk. The most “bang for your buck” can be had from the first two functions of the NIST Cybersecurity Framework: Identify and Protect.
NIST Cybersecurity Framework
For companies starting to address their cybersecurity concerns, the first step is to identify your current cybersecurity state. This includes defining your systems and how they pertain to the success of your business, as well as identifying the risks associated with those systems. A business must decide how it will govern itself and which frameworks it will use to mitigate and reduce risk. By the end of this phase, a business will have a clear understanding of the assets and liabilities that need to be addressed to build a strong cybersecurity program.
So, what does that all mean from a functional standpoint? In this phase, a business will perform a Risk Assessment. Additionally, it will create documented policies and procedures that define its approach to specific cybersecurity concepts. These two actions bring awareness to where the business stands and how it will address cybersecurity.
The Protect Phase is the implementation of the policies defined in the Identify Phase to protect your assets. These policies may be technology related, such as configuring the requirements for a strong password policy, or they may be functional, like requiring all employees to attend a security awareness training discussion. The whole goal of this step is to practically reduce the risk to your organization as it pertains to the confidentiality, integrity, and availability (CIA) of your data and systems.
Some of the implementations needed to protect CIA and reduce risk may be far beyond the typical functions of a business. For example, a business in the manufacturing industry may not have the capability to conduct a penetration test in-house. It’s likely a business just starting to address cybersecurity will need to rely on its managed service providers, in-house IT department, or a third-party consulting firm to assist in meeting all the goals of the “Protect” phase.
Conclusion: Reduce the most risk in the first two phases
In conclusion, when a business decides it is time to invest in cybersecurity protections, it needs to complete all the steps of the NIST Cybersecurity Framework. When starting out, the first two phases, Identify and Protect, can offer a significant amount of risk reduction. As the business’s cybersecurity program matures, it will move into the later phases, which will ultimately lead to the necessary defense-in-depth approach.