One of the areas that the National Institute of Standards and Technology (NIST) is concentrating on is cybersecurity. As regular readers of this blog will know, cybersecurity incidents are at an all-time high. Last year, Secretary of State John Kerry even described the security situation as being “pretty much the wild west…so to speak”. It is within the context of this demanding security incident landscape that the NIST Cybersecurity Framework has come into being.
Why Even Have A Framework for Cyber-Security?
You may well ask: why have an overarching framework for handling security issues, and why can’t I just work it out myself as the need arises? A framework is a positive and helpful reference system. Frameworks develop out of experience and knowledge of a given situation, and you can apply the principles of a framework to pretty much any situation. For example, you could have a framework which expands upon the types of policies needed for a specific healthcare service, or one for a public transport system, and so on.
The cyber-security framework that NIST has developed is in a similar vein. It has been built upon the experience and knowledge of many organizations and individuals who have worked in the area of security. This collective expertise is used to create guidance on how to recognize, manage and mitigate cybersecurity risks.
Having an expert system, like a framework, is particularly useful for creating strategy and policy around cybersecurity threats. The framework was put together using the aggregated wisdom of over 3000 security professionals. It gives you the foundation stone to create your own internal targets and plans that you can use to build a more secure organization. It means you can use already tried and tested protocols and procedures, without having to reinvent the wheel. In other words, it is a way to use security collaboration for the benefit of all.
Having an established set of guidelines for developing your own cybersecurity program is now recognized by many experts as essential. PWC, in its report “Why you should adopt the NIST Cybersecurity framework”, states that:
“It is our opinion that the NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards.”
PWC
What are the NIST Cybersecurity Framework Basic Functions?
The NIST Cybersecurity Framework has a core that is built upon five basic functions: Identify, Protect, Detect, Respond, and Recover.
Each looks at a different aspect of the cybersecurity threat/attack lifecycle and how best to handle it. They follow a logical progression, each building upon the preceding function. I’ll concentrate here on the first one, Identify.
The definition of ‘Identify’ is this:
“An understanding of how to manage Cybersecurity risks to systems, assets, data, and capabilities”
This is the most basic and fundamental of all of the NIST Cybersecurity functions and, as such, it is the most important. Identify is all about identification – understanding what your critical assets are and understanding where the risks lie. Assets are wide and varied: literally anything that can be breached or damaged is an asset. This includes intellectual property, customers’ data, proprietary information and also physical assets. This whole area is becoming increasingly complex as we expand our networks outwards into the Cloud, and even more so as we enter the era of the Internet of Things (IoT).
Identify is all about governance too. Our perimeters are becoming more fluid and fuzzy as they expand outwards and cross over into the supply chain itself. In fact, the supply chain is one of the areas that stands to benefit most from the use of the Identify function within the NIST Cybersecurity Framework. Many organizations are now asking suppliers to provide a Framework profile, or are providing their own template to suppliers, which sets out how the supplier approaches security and which of their internal processes and procedures fit in with the NIST philosophy. This forms the basis of their risk management strategy, again a fundamental of the Identify function.
The Identify stage of the NIST Framework is the vital first step in understanding how to approach cybersecurity risk mitigation. This step is the pivot upon which the other four functions turn. Without full sight of the various aspects of your business, across the expanded data universe of your own organization and any associated companies, you can’t hope to build a holistic and effective cybersecurity management plan.
Making NIST and the Identify Function Work for Us
The NIST Cybersecurity Framework has been designed in collaboration with security professionals who have gone through the pain of creating a solid cybersecurity strategy. We can all benefit from using their collective wisdom and following their recommendations. The first step on the road to a solid cybersecurity program is to know your enemy and their actions. Performing the Identify function is that first step on the road to a more secure organization.
There are many places you can get further information on applying the NIST Cybersecurity Framework principles. However, there is a book I can highly recommend, by Adam Anderson and Tom Gilkeson, “Small Business Cybersecurity”, that will help take the complexity out of the equation and explain in simple terms how to utilize the NIST Cybersecurity Framework and the Identify function. The book was written specifically to advise security professionals at small to medium-sized companies on how to communicate the latest security tools and techniques to C-level executives, and it is a great reference guide.