Discussion Board: The NIST Cybersecurity Framework


From your readings of pages 1 – 21 of the NIST Cybersecurity Framework, what benefit can organizations gain from using this framework, and how would you use it at your future workplace?

Organizations can use this framework as a supplement to their own to help them improve risk management by identifying, assessing, and managing cyber risks more effectively, which encourages a consistent, repeatable process that can adapt to new threats based on organizational needs. Companies can customize the framework with four different tiers, each one increasing in severity of risk management. This allows them to tailor the framework to their specific needs based on cost, threat levels, and business goals. External participation is a key component of the framework, allowing information about risks to be actively shared with partners as threats evolve, so that other companies can stay proactive and increase their measures before an attack occurs.

I would use this framework to identify any gaps my company might have in its current process by assessing our priorities and risk tolerances. The use of external guidance from federal government departments and agencies and information sharing and analysis organizations would help determine an appropriate implementation tier for my company’s needs, whether that is tier 1 or tier 4. I would recommend a tier 3 selection based on the adaptability to changes in risk and the consistent monitoring of the cyber risks to assets. I would need to figure out what measures we already have in place and what is still missing so I know a starting place. Then I would perform a risk assessment of our previous activities, including those of our partners, to determine how likely an attack would be and what damage it could cause. I would then set up a target profile based on previous threats and threats likely to occur by comparing the current profile against our target profile to see if there are any gaps that need to be addressed.
