The NIST Cybersecurity Framework has many great benefits in the way of scalability, accessibility and delivery. It can be implemented as a cybersecurity guidance and policy tool in an organization of any size. The concepts presented do not target any specific size or type of company. Additionally, it is formatted so that it can be easily followed. I do not condone organizations operating with no cybersecurity professionals; however, this framework can be understood and followed by a basic IT team. Again, I do not believe it is a good idea to go without any cybersecurity specialist, but that gives an idea of just how easy it is to follow NIST guidelines and utilize this framework. In a similar way, there is a simplicity in delivering the information to the rest of the organization (outside of IT). This framework can be used for backing and explaining the need for cybersecurity training and organization-wide action when necessary.
Section 2.2 of the Cybersecurity Framework makes it quite easy for organizations to determine their current security posture. The four-tier approach allows companies to consider a small spectrum, as opposed to a “have it or you don’t” view. Additionally, section 3.2, Establishing or Improving a Cybersecurity Program, lays out step-by-step guidance for continuing after determining the current security posture. This makes life easier for the organization, since it will not need to work on improvement without guidance on how to do so.
Personally, I like section 3.2, discussed above, and section 3.3, Communicating Cybersecurity Requirements with Stakeholders. I would emphasize these sections on a quarterly basis. The steps will be taken as they are presented, and something will be done on each step. It might be a detailed write-up on how our current posture fulfills the requirement, or the implementation of new solutions along with a write-up on what was changed. Section 3.3 would be gone over quarterly as a reminder. I think expressing the importance of cybersecurity to people who may not be involved in or understand cybersecurity can be difficult. This section will help remind me and my team how we can bridge the concerns to stakeholders who might not understand the need. As for the rest of the framework, I would revisit the entire document annually. So, one of the quarterly reviews will involve a more in-depth walk-through of the document from top to bottom. This will ensure we are still on track with the concepts outside of 3.2 and 3.3, and any new employees will have the chance to work through the entire document with us.