Security leaders talk aspirations and challenges around NIST
First published in 2014, the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) encompasses a set of voluntary cybersecurity risk management tools and practices for use by the private and public sectors. Its goal is to provide a “cost-effective means for critical infrastructure to identify, assess and manage cybersecurity risk.”
Recently, I spoke with a diverse and engaged group of information security leaders at a Fraud & Prevention Summit in NYC about the NIST CSF. Attendees came from a range of industries including financial services, healthcare, legal and government. The conversation revealed common challenges and hopes around how NIST CSF can help improve an organization’s security posture.
During the conversation, attendees expressed challenges around practical use of the framework. Some said the length and depth of the NIST CSF was daunting. Others said it exposed their organization’s gaps between security and other business functions.
NIST CSF as a Framework for Managing Vendor Risk
Third-party (typically vendor) risk management is one area specifically referenced in the NIST Roadmap, a companion document to the Framework. When it comes to managing vendor risk, participants reflected a range of maturity levels in their approach, from internal audits to leveraging the Shared Assessments SIG model.
Nearly all participants described their frustration with vendor risk management: organizations are currently dealing with an exploding volume of vendors to monitor. The consensus was that the NIST CSF can be useful in addressing these concerns.
One organization inspects only 110 of its most strategic vendors, out of 11,000 vendors in total (1 percent coverage).
In addition, participants expressed hope that the framework would be matched with training to help improve expertise across the ecosystem. For example, they noted that auditors need to know the right questions to ask and how to interpret the answers, in order to truly measure things like a vendor’s readiness before, during and after a breach or attack.
Finally, the group said they hoped implementing NIST CSF would provide them with the following benefits:
- Greater awareness of risk
- Executive support for security initiatives
- Faster, better incident response and management
- Highlighted areas that need improvement, with a clear roadmap to the target level of maturity
As of 2016, the NIST CSF was used by 30 percent of U.S. organizations, and that number is projected to reach 50 percent by 2020. It is clear that organizations are thinking deeply about how best to leverage this framework internally, and have high hopes for the benefits that broader adoption of it may bring.