{"id":310,"date":"2025-12-08T20:12:08","date_gmt":"2025-12-08T20:12:08","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/andrewcho\/?p=310"},"modified":"2025-12-08T20:12:08","modified_gmt":"2025-12-08T20:12:08","slug":"discussion-board-the-nist-cybersecurity-framework","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/andrewcho\/2025\/12\/08\/discussion-board-the-nist-cybersecurity-framework\/","title":{"rendered":"Discussion Board: The NIST Cybersecurity Framework"},"content":{"rendered":"\n

The Strategic Value of the NIST Cybersecurity Framework<\/p>\n\n\n\n

After reviewing the introduction and core sections (pp. 1-21) of the NIST Cybersecurity Framework (CSF), it’s clear that its primary benefit is not as a rigid set of technical controls, but as a strategic tool for aligning cybersecurity risk management with business objectives. It provides a common language and a flexible structure that allows organizations of any size or sector to understand, manage, and communicate their cybersecurity risks effectively.<\/p>\n\n\n\n

The key benefits an organization can gain include:<\/p>\n\n\n\n

    \n
  1. Risk-Based Prioritization: The CSF moves the conversation from “we need to secure everything” to “what are our most critical assets and how do we protect them?” By focusing on the Framework Core functions (Identify, Protect, Detect, Respond, Recover), organizations can prioritize investments based on what will most effectively mitigate their biggest risks.<\/li>\n\n\n\n
  2. Improved Communication: The CSF bridges the gap between technical teams, executives, and board members. It provides a standardized taxonomy so that a CISO can explain a security gap or investment need in terms of business impact (e.g., “We need to improve our detect function to reduce our mean time to identify a breach”) rather than using complex technical jargon.<\/li>\n\n\n\n
  3. Flexibility and Adaptability: The framework is not one-size-fits-all. It is designed to be tailored. Organizations can use the Implementation Tiers (pp. 15-17) to assess their current cybersecurity practices and chart a path toward a more rigorous and adaptive risk management program. This allows a small startup and a large financial institution to use the same framework effectively at their respective maturity levels.<\/li>\n\n\n\n
  4. Gap Analysis and Continuous Improvement: The CSF’s profile mechanism (pp. 17-18) is perhaps its most powerful feature. By creating a “Current Profile” and a “Target Profile,” an organization can clearly identify gaps in its cybersecurity posture. This creates a direct, actionable roadmap for improvement, turning abstract security goals into a concrete plan.<\/li>\n<\/ol>\n\n\n\n

    How I Would Use the NIST CSF at my future workplace:<\/p>\n\n\n\n

    In my future role as a cybersecurity professional, I would advocate for using the NIST CSF as the foundational model for our cybersecurity program. Here is a step-by-step approach I would propose:<\/p>\n\n\n\n

      \n
    1. Gain Executive Buy-in: I would first present the framework to leadership, emphasizing its benefits as a business risk tool, not just an IT checklist. I’d explain how it helps fulfill legal\/regulatory obligations, protect brand reputation, and ensure operational resilience.<\/li>\n\n\n\n
    2. Conduct a Collaborative Assessment:\u00a0I would facilitate workshops with key stakeholders from IT, legal, finance, and operations to:\n