NIST CSF: Implementing NIST CSF
Introduction
The National Institute of Standards and Technology’s Cybersecurity Framework, or NIST CSF, was first published in 2014 to provide voluntary guidance for organizational cybersecurity defenses and risk management. This framework combines industry standards with best practices and is renowned for its inherent flexibility and open-endedness to account for different organizational needs.
The implementation of NIST CSF is just as flexible, which begs a question. How do you get around the challenges associated with implementing the framework?
Get NIST CSF training
But don’t worry: by following the best practices explored below, implementing the framework in your organization can be more successful. This article will detail the challenges associated with implementing the framework and will present best practices that will help organizations deal with these challenges and better reap the benefits that NIST CSF offers.
What is the NIST CSF framework core?
The framework core is a set of recommended activities designed to achieve certain cybersecurity outcomes and serves as guidance, not a checklist. The framework core is composed of functions that work together to achieve the outcomes mentioned above. These elements are:
- Identify
- Protect
- Detect
- Respond
- Recover
The challenges of implementing NIST CSF
One of the biggest challenges in implementing NIST CSF is the very nature of the framework itself — which is that the framework is that the scope of the implementation is voluntary. This means that organizations can technically opt to implement only some of the framework, or even half-heartedly in the worst-case scenario.
Another challenge of implementing NIST CSF is that the framework itself is not one-size-fits-all. This means that what would work regarding implementation for one organization may not work for others.
A relatively recent survey has determined that some of the key challenges organizations face regarding implementation are automation and staffing challenges. The survey revealed that over 50% of organizations have a cybersecurity program that is less than 25% automated, with less than 10% reporting more than 75% automation. Around 50% say their cybersecurity program is understaffed and around 100% believe the scope of their role will grow over time.
In another study conducted by the Government Accountability Office (GAO) in 2018, organizations reported challenges associated with implementation. The four major challenges were:
- Limited resources available to commit to implementation
- Lack of knowledge and skills necessary to successfully implementing NIST CSF
- Pre-existing regulatory and other industry-related requirements inhibit implementation
- Other organization-related priorities taking precedence over NIST CSF adoption and implementation
As you can see, implementing NIST CSF is not without its challenges. With that said, these challenges should not make implementing the framework prohibitively impossible — although it may take some adjusting for an organization that is faced with these challenges.
Best practices
While best practices are baked into the framework core, the following are some proactive best practices you can take to help deal with these challenges.
Understand your organization
To help deal with the challenges above, an organization needs to fully understand its needs and how the framework can fit the organization first and foremost. This requires a close examination of an organization’s unique needs as well as an understanding that the open-endedness was intended to help the framework fit as many organizations as possible.
Every organization faces different threats, vulnerabilities and risk tolerances and NIST CSF is designed to account for these unique challenges by virtue of its open-endedness.
Automate!
Automation increases an organization’s ability to respond to threats as well as to confidently report to their Board about their cybersecurity posture and provides an overall strong cybersecurity foundation.
A commonly-reported challenge by organizations that have implemented NIST CSF is the challenge of establishing an automated risk and compliance program and many still rely mostly on manual processes. In fact, it is worth stating again that over 50% of organizations in a recent study indicated that their NIST CSF implementation is less than 25% automated. Organizations that automate as many NIST CSF processes as possible will experience a more efficient implementation.
Prioritization
Another commonly-recurring theme in the challenges is that many organizations do not give their implementation of the framework the proper prioritization it deserves. This manifests as a lack of necessary resources allocated toward it, leading to an ineffective implementation.
It rests on the shoulders of IT and information security leadership to communicate to VIPs in the organization just how important NIST CSF can be to your organization in these situations. If you are in these shoes, double down on making your voice heard by organization leadership and you will have a better chance of having your implementation receive the resources it deserves.
Sometimes organizations forgo giving prioritization to NIST CSF because other organization-related priorities are deemed more important. In this case, you should communicate more with organization leadership about just how important the framework is to your organization. Even if an immediate reprioritization does not happen, it will keep the idea fresh in their minds, which may develop into giving more priority to the framework.
Talent acquisition
Not having the right talent and knowledge to successfully implement NIST CSF is another common challenge. Organizations should put effort into attracting the right talent that has specialized experience and talent related to NIST CSF implementation. This can be from traditional job postings or even from plucking talent from other organizations that have had success with implementation.
This talent may also be latent in your organization. You can coax this talent to the surface with contests which award prizes for knowledge that would improve your implementation.
Never stop
The thing with NIST CSF is that you are never done with implementation. Organizations that implement and then step back to passively watch it do its thing find their implementation will lose effectiveness over time, which may lead to abandonment. Nip this tendency in the bud and make sure you are always engaged in developing and improving your unique flavor of framework implementation.
Conclusion
NIST CSF is a voluntary cybersecurity framework that more and more organizations are adopting and implementing. With all the good it brings, there are definitely challenges in implementing it. By following the best practices explored above, your implementation can overcome these challenges and become an ever-improving example for other organizations to follow.
Sources
- Framework for Improving Critical Infrastructure Cybersecurity, NIST
- Turn the NIST Cybersecurity Framework into Reality: 5 Steps, DarkReading
- Encouraging NIST CSF Adoption with Automation, Telos
- New Rsam Study Identifies Top Road Blocks to NIST CSF Implementation, Globe News Wire
- GAO Reports Challenges and Successes in Cybersecurity Framework Adoption, Van Ness Feldman