Cybersecurity around the globe depends on critical infrastructure, and cybersecurity threats have been a constant issue that can be lethal because they can destabilize vital aspects of a nation, such as national security, critical procedures, sensitive information, the health of citizens, and much more. In the United States, the Cybersecurity Enhancement Act of 2014 (CEA) updated the role of the National Institute of Standards and Technology (NIST) to broaden its coverage to include identifying, developing, and enhancing cybersecurity risk frameworks. These frameworks are voluntary rather than mandatory, and the intent is for NIST to make the approach adaptable, performance-based, easily reproducible, and accessible with respect to information security measures, so that they can be used by those who operate critical infrastructure.
The Cybersecurity Framework (CSF) is a document that both well-funded and non-profit organizations can use because of its flexibility. For example, a well-funded organization may already have its security measures in place, but it would not hurt to use the NIST Cybersecurity Framework to cover all its bases, confirm that it meets the basic compliance requirements, and integrate the framework into more advanced systems. A non-profit organization, by contrast, does not have access to the same resources as the well-funded organization, so it can use the CSF to ensure that its security measures are more than adequate without adding complex or redundant controls.
The five core functions, Identify, Protect, Detect, Respond, and Recover, give these organizations a voluntary yet invaluable way to analyze, adapt, and apply cybersecurity measures that reach down to the smallest concern that might otherwise be overlooked. The way these functions are broken down makes them simpler to digest and implement. The “Implementation Tiers” are helpful as well, because organizations can assess how mature their risk management practices are without an external entity auditing, judging, or critiquing them.
The NIST Cybersecurity Framework is more than a reference document; it is a blueprint for calculated and purposeful cybersecurity management. In my future workplace, which will be either the United States government or, if I move overseas, an international government, I would strongly recommend using the NIST CSF as a baseline to ensure that we meet the basic requirements and standards for a successful security strategy that can then be improved upon. Initially, I would conduct an analysis to see which security measures are already being met. After identifying the areas that are not being met, I would create a profile describing where the workplace is aiming to be, what it needs, and its threat landscape. From the analysis and the profile, I would then develop a strategic action plan to streamline the security processes, close the gaps, and make progress easier to monitor and check on. Streamlining in this way would foster a solid foundation for cross-team collaboration, which would in turn increase stakeholder trust.