NIST Cybersecurity Framework
Blog posts to widen, deepen and apply NIST in your business
The NIST Cybersecurity Framework provides organizations of any size with an approach to help them assess current capabilities, prioritize needs, and determine the best path for organization-wide security. – Patrick von Schlag, NIST Program Consultant
ISSA hosted talk: Using the NIST Cybersecurity Framework to Align your Organization’s Risk Management Practices
Last month ISSA hosted Patrick von Schlag for a talk on Organizational Risk Management. There were difficulties with the sound and Patrick recorded this version for those who were unable to follow the original talk. You are invited to listen to the recorded session on ISSA’s website Using the NIST Cybersecurity Framework to Align your […]
Learning about NIST
The NIST Cybersecurity Framework provides a structure that helps organizations of all sizes and maturity levels identify and prioritize their cybersecurity investments. It translates very technical security activities and practice areas into consumable business language suitable for meaningful discussions with all stakeholders, from senior business leaders (about optimizing risk) to help desk employees (about password security and 2-factor authentication). It also allows IT to track its own adaptations and ongoing responses to existing and evolving threats.
NIST provides the necessary approach to establish a security beachhead, drive optimization and improvement, and provide an effective roadmap for implementation activities.
Everyone is working hard, but with no visibility into the overall structure and with holes known only piecemeal, how safe is the system? The experience of several large IT organizations like Target and Home Depot has taught us that compliance-centered approaches often fail. Deep Creek Center is committed to the NIST framework because we believe it offers our customers the best path to a proactive, well-prioritized approach that provides the best return for your company’s IT dollars and resources. Reach out to Deep Creek Center today.
NIST and Digital Transformation
Whether you’re a small- or medium-sized business with a small team of people working on cybersecurity activities or a giant enterprise with dozens or hundreds of security professionals, creating a holistic view of how this supports enterprise objectives will transform the value of your security practices and enable the business to seek and benefit from new digital business models.
In any digital transformation, the threat landscape increases exponentially. Without a rigorous security program that aligns and can adapt as the business adapts, the risks may push the business over a cliff. In short, an organization can’t have digital transformation and all of the concomitant business benefits without a strong, well-aligned security program. Cybersecurity risk management needs to become a core, mission-critical organizational capability in order to survive in this dynamic.
NIST’s approach to cybersecurity is tool-agnostic and can be used with any number of Informative References, including the CIS 20 controls, ISO 27001/2, PCI-DSS, and many others. NIST’s Tier approach very intentionally is not a maturity model (unlike DoD’s CMMC), but instead focuses on three bigger organizational risk management factors: the use of a rigorous risk management process, alignment with an organization’s overall risk management program, and the ability to extend its capabilities into its supplier/partner channels. This creates a much more useful model to profile as-is and to-be needs (Profiles) that emphasizes cyber risk as an overall part of the organization’s risk management activities, and drives alignment between IT and security teams and business stakeholders including the CFO, corporate risk, audit, and eventually all the way to the Board of Directors.
NIST Cybersecurity Professional certifications
Each of the NIST programs has a different professional audience. Everyone takes the NIST Foundation program, which introduces the framework to key business stakeholders (C-levels, risk managers, lines of business heads, and even Board members) and to IT security and operations teams. The NIST Practitioner program (CIS 20 Security Controls, the CMMC maturity model, Threat Actors, Control architecture and Framework Adoption) goes beyond the basic terminology and understanding to provide a top-to-bottom and bottom-to-top understanding of security threats and resources, providing the skills needed for the organization to work as a whole to prioritize and fund cybersecurity operations and initiatives.
NIST Foundation is a program for anyone from key business stakeholders (C-levels, risk managers, lines of business heads, and even Board members) to IT security and operations teams responsible for establishing and managing security controls. It covers the framework’s key components, including:
- Functions, Categories (practice areas), and Subcategories (practice outcomes)
- Implementation Tiers (risk management process, integration into overall Organizational Risk Management, and extensibility into Supplier/Partner Channels)
- Profiles (Current as-is and Target future)
NIST Practitioner builds on the Foundation by introducing a series of Informative References for a more detailed “how-to” look at implementing the security controls. Based on the CIS 20 Security Controls, the Practitioner program reviews Threat Actors, Control architecture and activities, adoption and adaptation of the Framework, using agile approaches to drive a culture of continuous improvement, and alignment with the emerging CMMC maturity model.
Many critical infrastructure sector companies struggle with their adoption and use of the Framework due to its size and scope. The Practitioner program helps introduce a consumable roadmap to help organizations prioritize their investments and focus areas while helping to better align cyber risk practices with overall organizational risk.
“I was well prepared and passed the NCSP Boot Camp exam on the first try. The instructor, Patrick von Schlag, did a great job in presenting the materials and connecting it back to real-world examples.” – Nag H. Kosuru, Senior Principal Consultant, Financial Services Technology Risk Management
The NIST Bootcamp combines both of these programs in one session and requires you to pass only one certification examination instead of one for each class.
NIST Cybersecurity consulting
Implementing NIST’s Cyber Security Framework can be a daunting task for organizations of any size. Whether there is one person responsible for rolling up the security for the company or multiple departments each with its own gaps and security needs, a set of outside eyes and skill sets can supplement the professionals on your own teams. Deep Creek’s consultants bring years of experience and a belief that your own employees know your company best.
Our job is to support and suggest, not dictate or bury you in consultant-speak (at Deep Creek we call it con-splain). Large organizations can use someone outside of the traditional structure to jump across silos and help define the different needs of disparate business groups. A small organization might need to prioritize limited resources and temporarily supplement a smaller IT staff’s security expertise. The process of bringing organizational security needs to the CEO and Board requires a different set of presentation skills and language choices. Deep Creek’s consultants can help there as well by supporting IT staff with the business risk-management disciplines to explain complex security risks clearly to non-IT business stakeholders.
Join our NIST mentoring community
It can help to share problems and ideas and to engage with a global community of other professionals who are implementing the same framework you are. Deep Creek Center is proud to provide a free forum for trained professionals implementing the NIST Cybersecurity Framework. Membership for you and members of your team is completely free. Join and post your questions, share interesting articles, or just check out what other people are saying and thinking as they manage their security challenges.