• Tom Cummins

How Can NIST’s Cybersecurity Framework Help Your Business?

Updated: Apr 2

Cyber + Co., No. 2

Business professionals need practical strategies for managing cybersecurity risk.

One leading source for managing this risk the Cybersecurity Framework put forward by the National Institute of Standards and Technology (NIST).

The framework was first finalized in 2014, and is currently undergoing updates. While large organizations have been early adopters, small businesses have lagged behind.

Last month, the Senate unanimously passed a bill requiring NIST to consider small businesses in developing the framework, as well as to disseminate resources for small businesses to help reduce their cybersecurity risk.

Here’s an introduction to the current version of the Cybersecurity Framework.

What is the Cybersecurity Framework?

The Cybersecurity Framework is a consensus guide to managing digital security.

Developed by NIST, it was created with input from thousands of business participants, academics, private citizens, and government representatives.

Comprehensive, flexible, and voluntary, the framework is designed to help organizations reduce their cybersecurity risk. It also provides a common language for understanding, managing, and communicating about cyber risk.

How is the Framework Organized?

The framework is organized into three basic parts: core, implementation tiers, and profile.

The core identifies five steps—the core components—of cybersecurity risk management: identify, protect, detect, respond, recover.

The framework organizes the five core functions into detailed categories and subcategories, connecting each subcategory to specific external standards, guidelines, and best practices.

Establishing a Common Language

Structuring your business’s cybersecurity risk management within a consensus-based set of defined categories and subcategories, linked to specific reference points, lays the foundation for your business to communicate in the common language of cybersecurity.

This shared language makes it easier to discuss cybersecurity risks both internally and externally. It also makes it easier to get a clear view of your business’s current cybersecurity posture, target improvements, and evaluate progress towards those goals.

And, if your business does fall victim to a cyberattack, your having adopted the Cybersecurity Framework may help mitigate your regulatory and litigation exposure.

Measuring Your Progress

The second component of the Cybersecurity Framework is the implementation tiers. They describe how an organization views its cybersecurity risk and the practices that it has in place to manage that risk.

The framework has four implementation tiers, from “partial” (tier 1) through “adaptive” (tier 4). The basic idea is to help organizations mature from informal, reactive programs to agile, intelligent programs.

Finally, the framework profile provides a method for improving an entity’s cybersecurity by comparing its current profile (the “as is” state) with the target profile (the “to be” state).

Further Reading

A full version of the Cybersecurity Framework is available here.

The Ponemon Institute’s “2016 State of Cybersecurity in Small & Medium-Sized Businesses” is available here.

About Cyber + Co.

Cyber + Co. is a periodic review of cybersecurity issues relevant to small businesses.

About the Author

Tom Cummins is the founder of Potomac Litigation. He has deep experience assisting clients in some of history’s largest data breaches, as well as a host of other cybersecurity incidents.