A recipe for cybersecurity – Talk Business & Politics
Imagine you’re hosting a dinner party for friends. You go to the grocery store to purchase the needed supplies but forget an essential step —checking the expiration dates. You mistakenly prepare the recipe with expired produce or meat well past its prime. One bad bite in, you realize your error and must chalk up the dish — and the hours and money you spent on it — as a total loss. While no dinner party, our digital systems could suffer the same stomach-turning fate if we don’t adequately develop, implement or manage our cybersecurity strategy.
Think of our cybersecurity practices and processes like a recipe. One misstep, like not vetting a compromised vendor’s software, can be like mixing in a spoiled ingredient. But instead of just throwing it in the trash, we’re left to deal with a much worse and more expensive consequence — a potential breach or attack. The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) 2.0 is designed to help companies of all sizes and industries avoid these miscalculations. So, what do businesses need to know about NIST CSF 2.0 before they step into the metaphorical kitchen?
First, companies must understand the context behind the CSF. In 2014, NIST unveiled the first Cybersecurity Framework, followed four years later by version 1.1, to provide entities with an easy-to-follow guide to kickstart or strengthen their cybersecurity risk management strategy. Until recently, the CSF included five interdependent functions in its model: identify, protect, detect, respond and recover. In the face of ever-evolving threats— including attacks initiated through third parties like vendors — NIST recognized that organizations needed a new framework with refined and expanded cybersecurity best practices.
Enter CSF 2.0, which includes a sixth function — govern — that “emphasizes that cybersecurity is a major source of enterprise risk” akin to finance and reputation. In other words, companies should now view cybersecurity as an essential business function. The framework underscores that entities should have a designated point person or team responsible for overseeing and managing their cybersecurity practices, preferably with the support of a trained cybersecurity professional.
Take the expanded subsections specifically tailored to supply chains as an example. Third-party compromises have spiked over the past several years, impacting small and large businesses. The govern function is focused on helping companies implement a “systematic process for managing exposure to cybersecurity risk throughout supply chains and [develop] appropriate response strategies, policies, processes and procedures. With proper due diligence, businesses can more confidently enter and manage third-party relationships.
Despite the additions to CSF 2.0, the intent behind the framework remains the same. As NIST said, “These functions are not intended to form a serial path or lead to a static desired end.” Instead, they should be “performed concurrently and continuously to form an operational culture that addresses dynamic security risk.”
CSF isn’t a strict recipe, nor does it bill itself as one. Ingredients (i.e., best practices) can be eliminated or swapped out. You don’t want to include ground beef in your dish? Sub in a vegetarian alternative. Businesses don’t have to enact the framework’s protocols exactly or overnight. It’s a process that must marinate.
The bottom line is that CSF 2.0 is the starting point. Organizations should gather, tailor and implement best practices from the framework that address their vulnerabilities and align with their risk appetite, operational requirements and priorities. By continuously improving their cybersecurity posture with CSF 2.0, businesses will achieve greater risk management and resiliency.
Chris Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm that provides tailored cybersecurity, IT and security compliance services. The opinions expressed are those of the author.