
Why (another) Cybersecurity Framework?


I think I have heard this question a dozen times over the past month. Enough times to write about it and explain what value the NIST Cybersecurity Framework is bringing to the security of the whole Nation.


As usual in life, there is not one way to implement a solution but many (i.e. "A thousand roads lead men forever to Rome"). That is also true for security frameworks. There is no shortage of frameworks, with most of them being industry specific. So, how does the NIST Cybersecurity Framework fit in? It actually is not intended to compete with any of the existing frameworks. It actually is intended to help at a macro security level, addressing risks due to gaps that exist when organizations with different frameworks interact with each other (B2B). It provides organizations with mappings between some of the major frameworks (see Appendix A). It allows companies to establish a framework profile and tiers that can be used to evaluate the security maturity of an organization in two dimensions. One being the categories and subcategories - what is missing, what are we already doing? The other being the tiers - showing the maturity of an organization's risk and security practices.


For organizations that are at the beginning of implementing security and risk practices, the NIST Cybersecurity Framework provides them with "Core" areas that are considered common across all sectors of Critical Infrastructure. This allows organizations to focus their (limited) resources on those areas that help build a life cycle for security functions. Getting a life cycle in place is critical to achieving risk mitigation and creates a foundation for risk mitigation activities.


In my opinion, and I might be biased since I worked on the NIST Cybersecurity Framework, the framework is a great tool and the first step in addressing the need for security at a national level. I would encourage everyone to take a look at it and do their own interpretation of what actions an implementation of the NIST Cybersecurity Framework translates to within their organization. In a global economy security cannot be achieved locally - it is a joint effort at a national level.
