DB: The NIST Cybersecurity Framework 

The NIST Cybersecurity Framework allows organizations to pick which parts they believe to be beneficial and incorporate them into their security programs. Organizations benefit from the framework in a variety of ways: they can assess their current state, plan out where they would like to be, and see the gaps in between that need improvement. Because the processes are repeatable, the framework can also help them assess their improvement.

Many organizations already have security programs in place, but the NIST Cybersecurity Framework is meant to work alongside the current program and help show its weaknesses as well as where and how they can be improved. The framework has five functions that can be applied to help strengthen security: identify, protect, detect, respond, and recover. Using these functions, an organization can not only discover what some of its weaknesses are and how to react to them, but also plan how to recover. That helps organizations plan for “in case” disasters and can reduce how long their networks or services might be down.

Framework profiles are also extremely beneficial to organizations. They allow an organization to create a current profile, which assesses where it currently is, and a target profile, which describes where it would ideally like its security posture to be. These profiles make it easy for internal and external stakeholders to understand the current position as well as the desired end goal. Organizations can compare the two profiles to see where there are gaps and make decisions on how to close those gaps. The comparison also lets organizations see opportunities to improve their security posture that may have been overlooked before, or an area that was being given more funding and priority than it actually needed.

I would personally use many parts of this framework to help assess and improve my future workplace. I would use this framework to create profiles to help understand the weaknesses as well as strengths within my workplace to be able to decide what needs to be improved. I would also use this framework because it uses a common language to communicate the requirements, which allows everyone to understand the current posture as well as the desired one and the plan to get there. If I were to establish a new cybersecurity program or wanted to analyze a current one, I would also use this framework to do so.
