Will NIST CSF v2.0 Move the Dial on Cybersecurity?

Will NIST CSF v2.0 Move the Dial on Cybersecurity?

Will NIST CSF v2.0 move the dial on cybersecurity?

NIST has released v2.0 of its popular Cyber Security Framework (CSF). The framework, which is widely used in the US and around the world, has been updated and extended in several areas, including:

  • The target audience has been expanded from those in critical national infrastructure to all organizations across all industry sectors, from the smallest schools and nonprofits to the largest agencies and corporations.
  • A suite of additional resources has been created, including ‘quick start guides’, implementation examples, and mappings to other cybersecurity frameworks and documents.
  • A new focus on governance emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

With the addition of ‘Govern’, there are now 6 core functions that aim to organize cyber security.

NIST CSF Core Functions

Each NIST CSF function is divided into categories, which are related cybersecurity outcomes that collectively comprise the function. Subcategories further divide each category into more specific outcomes of technical and management activities.

There have been additions, removals, and reorganizations of categories and sub-categories in v2.0.

The new Govern function has 6 categories, each with several sub-categories:

CSF v2.0 Categories of the New Govern Function

Organizational Context

The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood

Risk Management Strategy

The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions

Roles, Responsibilities and Authorities

Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated

Policy

Organizational cybersecurity policy is established, communicated, and enforced

Oversight

Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy

Cybersecurity Supply Chain Risk Management

Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

The new Govern function is significant, and in recognising cybersecurity as a material business risk, it aims to integrate cybersecurity with broader enterprise risk management (ERM), including the definition of roles and responsibilities and better communication of cybersecurity risk to executives.

The question remains, however: with Cybersecurity Ventures predicting that cybercrime will cost the world $9.5 trillion in 2024, will v2.0 move the dial on cybersecurity? [1]

At Acuity Risk Management, our take is that v2.0 will help – in particular, the introduction of the Govern function raises cybersecurity up the executive agenda, which will connect cybersecurity with decision-makers and enable a more holistic and less siloed approach.

However, NIST CSF v2.0 is, as its name suggests, just a framework, and, in our opinion, two further actions are required to implement v2.0 in a way that stands a chance of halting and perhaps even reversing cybercrime losses. The first of these is implementing the CSF within the wrapper of a ‘risk-based management system’, and the second is independent assurance.

A risk-based management system

Even with the new Govern function, NIST CSF v2.0 is still fundamentally an outcomes-based checklist that builds a security program against a target profile. By definition, such programs are slow and, at least while they are being implemented, fairly unreactive to change.

Cybersecurity risk has some characteristics that add complexity compared to other Enterprise risks, in particular the opacity of cyber threat actors, the multiple potential attack vectors and asset vulnerabilities, the reliance on secure user behaviour, and the fast-changing nature of business and technology.

In response to this, effective cybersecurity requires a set of integrated operational processes, collectively referred to as an information or cybersecurity management system, the key processes of which are:

  • Management reviews and reporting
  • Identifying and tracking threats to assets
  • Assessing cybersecurity threats and mitigations and determining whether risks are considered to be material
  • Implementing and testing cybersecurity controls with regular monitoring to confirm effectiveness and ensure that risk remains within tolerance or appetite
  • Taking action to address weak or missing controls
  • Responding to and managing incidents, including reporting, learning from incidents, and continuous improvement
  • Developing, communicating, monitoring, and updating cybersecurity policies and procedures appropriate to the company, its business sector, and its risk profile
  • Providing technical assurance, such as penetration testing
  • Managing change
  • Gathering evidence and auditing to demonstrate assurance.

V2.0 has categories and sub-categories covering all of these processes, but they must be implemented within a living, breathing management system where processes are integrated with each other, can react quickly to change, and where management has assurance that they are operating effectively.

Assurance

It is easy to claim compliance with the NIST CSF, but without independent assurance by those who ‘know what good looks like’ it is impossible for executives to have confidence in what they are being told. In its charges against SolarWinds in relation to the SUNBURST cybersecurity incident, the SEC asserted that:

  • SolarWinds and its CISO misleadingly claimed to follow the NIST framework for evaluating cybersecurity practices.
  • In truth, SolarWinds had no policy or practice in place for most of the NIST framework.
  • Misstatements and omissions about cybersecurity practices, including the NIST framework, were material.

Independent assurance can be time-consuming and costly, but, in Acuity’s opinion, it is the only way to drive the behaviours required to deliver effective cybersecurity risk management.

These costs and timescales can be reduced by using (and providing auditors with access to) an effective technology platform, such as STREAM Integrated Risk Manager from Acuity, which centralises data, automates processes, and quantifies risk with on-demand reporting to provide auditors with the evidence they need to assess compliance.

Whitepaper:  From checklist to management system: Getting value from the NIST Cybersecurity Framework and ISO 27001

About Acuity Risk Management

Acuity is a software and services provider for cybersecurity governance, risk management, and compliance. Our award-winning STREAM Integrated Manager SaaS platform is used by organisations worldwide to efficiently achieve, maintain, and demonstrate good cybersecurity practices, including certification to ISO 27001 and compliance with a wide range of other cybersecurity standards, such as the NIST Cybersecurity Framework v2.0.

Please contact us for further information.