An invaluable roadmap for InfoSec management
Cybercrime does not differentiate between large, small, private, or public companies. Whether dispensaries, growers, labs, or banks, all businesses in the cannabis industry need to determine their risk acceptance, as they are perceived as an easy target. Many utilize the National Institute of Standards and Technology (NIST) CSF requirements to manage security risks and vulnerabilities that affect the confidentiality, integrity, and availability of their information and technology assets.
The meteoric rise of cybercrime has caught many organizations unawares. Malware has spread from PCs to smartphones, phishing scams have grown more sophisticated, and ransomware is running rampant.
You can hire hackers and botnets, or buy cybercrime software, complete with technical support, all too easily. The rapidly expanding Internet of Things is woefully insecure, creating many more access points that can be exploited by hackers.
In the face of this growing threat, we need to find practical strategies that can be employed to mitigate risk and protect our data. One such strategy can be found in a National Institute of Standards and Technology (NIST) document called the Cybersecurity Framework.
The product of extensive collaboration in the security industry, this document is a constantly evolving framework designed to help organizations strengthen their defenses, benefiting the entire community from state governments to banks to retail chains and beyond. It’s a comprehensive, flexible guide that presents important principles to help you build the necessary culture to stay ahead in the race against cybercriminals.
“The NIST Cybersecurity Framework should be the cornerstone of your cybersecurity strategy,” says George Wrenn, CEO of CyberSaint Security. “It’s time to run cybersecurity as a business function with clear goals and measures based on a national framework. You want the ability to communicate your posture to all your constituents.”
Establishing common standards
Because everything is interconnected, the framework’s architects recognized the need for a collaborative, holistic, and inclusive approach. The framework provides a common, accessible set of reference points for everyone from InfoSec professionals to executives across industries, helping to strengthen their cybersecurity strategies, not just individually, but also collectively.
NIST’s framework ensures that everyone is speaking the same language, making it easier to share and discuss tactics, and to plan, deploy, and improve cybersecurity strategies.
Whether you’re establishing a cybersecurity program, or you simply want to strengthen what you already have in place, NIST’s framework can help. By following it, organizations can get a clear view of the current state of their cybersecurity, establish targets, identify potential improvements, assess progress accurately, and communicate about cybersecurity risks both internally and externally.
Adoption reached 30% within two years, according to Gartner, and that’s expected to rise to 50% by 2020. Broad adoption furthers everyone’s understanding and fosters the creation of automated tools and processes to help companies quickly and effectively prove due diligence and compliance through their cybersecurity strategy.
Measuring your evolution
Just as cybercriminals evolve and develop new tactics to uncover fresh vectors of attack, our cybersecurity defenses should be agile and constantly improving. The framework is a risk-based approach that’s broken down into three parts. The depth of detail contained within is beyond the scope of this article, but here’s a brief overview:
The Framework Core focuses on five functions: Identify, Protect, Detect, Respond, and Recover. They can be adapted for any organization or situation. They’re not intended as a path to follow, but rather as a concurrent and continuous set of functions that can deliver a big picture view of the health of your cybersecurity strategy.
The Framework Implementation Tiers help organizations to characterize their practices. There are four tiers and selection requires careful consideration of risk management tactics, likely threats, legal and regulatory requirements, organizational constraints, and, of course, business goals. The idea is to help organizations to progress from informal, reactive responses to threats, and help them become agile and risk-informed.
The Framework Profile empowers organizations to identify opportunities for improvement by revealing the gaps between their current strategy and their target state. It can be configured to encompass security goals and priorities, tempered with business needs and cost-effectiveness.
Ultimately, the framework is flexible enough to cater for any industry, providing an effective way to establish a baseline, set goals for improvement, and continuously assess progress.
But there’s also recognition that the goalposts are constantly moving. Rather than setting a course for an endpoint, we need to continually ask the right questions and define strategies that adapt to meet perpetually changing threats. By being proactive in our risk management, we can stay one step ahead of the cybercriminals.