Information security has become a top-shelf issue for many organizations, and it needs to be one for every business. According to Gartner, by 2020 over 50% of organizations will utilize the NIST Cybersecurity Framework (CSF), rising from 30% in 2015. This is a good trend, but probably not as fast as it should be, considering that 60% of businesses are shuttered within six months following a cyber attack. NIST has provided an excellent framework that gives organizations a sound, systematic and accessible approach to address this critical topic. If you have not already adopted the CSF, your journey should start today!
The “Adoption or Bust” title may seem odd, since the “or Bust” exclamation was traditionally used for road trips, but it is applicable when discussing adoption of the NIST Cybersecurity Framework, since that really is a journey as well. There is also a play on words: if you don’t adopt the CSF, chances are your company will “go bust” following a cyber attack! However, unlike a traditional road trip, this adventure is more about the journey than the destination. In fact, the CSF is far more focused on the process of addressing information security through a risk-based approach than it is on a list of security do’s and don’ts or settings and controls that should be enforced.
So what exactly is the NIST CSF, and why do you need to adopt it? From its first version, the CSF sought to embody a voluntary, risk-based framework of cybersecurity guidelines, based on industry standards and best practices, to help organizations manage cyber risks regardless of their size or information security skill level. It is important to note that even though the CSF is a result of government and private sector collaboration, it is not a regulatory requirement. It does not seek to impose mandatory controls that add cost and complexity to businesses; rather, it is focused on cost-effective ways an organization can apply risk management principles to improve its information security posture and shore up the resilience of critical infrastructure. It is also important to note that it is a living document, with changes and updates being made to keep current with changes in information security over time.
Even if you are obligated to adhere to a certain regulatory standard, you need to adopt the NIST CSF for three key reasons:
- Information security is no longer optional, and you need an organized, comprehensive plan to follow to address risk, or you will miss elements.
- The NIST CSF provides a common security language that is in use by service providers and consulting firms. You need to understand the language to remain relevant in the conversation.
- While it is not a regulatory checklist or certification to be pursued, it is a way of doing business that tells vendors and business partners that you are serious about protecting your business, as well as theirs if they enter a partnership or trusted relationship with you.
You will never see a badge on company letterhead or a homepage that says “NIST Cybersecurity Framework Certified”. But you will be able to recognize an organization that has adopted the CSF and is serious about protecting its business by managing information security risk. Making the decision to adopt the CSF can be done immediately, but adopting and embracing it will be a journey that takes time. Better to start the journey today than to wait, risk becoming a cyber crime victim and potentially “go bust”!