Mark Lanterman | March 21, 2024
Since 2014, organizations have turned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework to help guide their cyber-security policies and practices. [1] Until recently, however, the framework was aimed primarily at protecting critical infrastructure, and significant changes were needed to make it broadly applicable.
This past February, after a thorough review and extensive public feedback, NIST released its Cybersecurity Framework 2.0. [2] Its purpose is to provide "a taxonomy of high-level cybersecurity outcomes that can be used by any organization—regardless of its size, sector, or maturity—to better understand, assess, prioritize, and communicate its cybersecurity efforts." [3]
Notably, however, it does not prescribe which specific measures should be taken, further demonstrating that cyber security is not a "one-size-fits-all" process. The document states that while cyber-security leaders are likely the primary audience, the framework is also important for anyone with a part to play in risk management.
Every organization has its own risk profile and cyber-security needs, as well as unique goals that will shape how the updated NIST framework can be applied. Long-term challenges may vary, especially given evolving cyber risks; furthermore, organizations of different sizes and in different sectors will undoubtedly have varying degrees of experience with cyber security and with technology more generally.
Building on the previous version, the framework presents six primary functions as critical to building a strong cyber-security program: Govern, Identify, Protect, Detect, Respond, and Recover.
Though each organization is expected to take its own approach to these outcomes, all six functions work together and should be addressed on an ongoing basis, with both reactive and proactive practices continually taken into account. The "Govern" function is a new addition to the framework that shapes how all of the other functions operate. The updated framework also emphasizes the importance of supply chain security. [4]
This update follows the March 2023 introduction of the National Cybersecurity Strategy [5] and deepens its holistic approach to national security. Its focus on governance "emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation." [6]
In recent years, the potential for damage associated with subpar cyber-security cultures has become especially evident, though even organizations with strong postures and a "when, not if" mindset are still affected by increasingly sophisticated attacks and an ever-widening attack surface. New technologies, such as artificial intelligence, complicate efforts to remain resilient, and even the most well-rounded policies are not always immune to the vulnerabilities introduced by the "human element" of security.
Organizations, companies, and firms can look at the NIST Cybersecurity Framework 2.0 as a yardstick for measuring the strength of their own cyber-security postures and in setting their future goals. Cyber security is truly a practice, requiring ongoing maintenance and improvement.
Our current technological landscape poses unprecedented challenges for anyone invested in managing risk. Risk managers and cyber-security leaders alike can look to the NIST Framework regardless of where their organizations currently stand in strengthening their security cultures; it offers a realistic pathway for every sector to better protect itself against cyber risk.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.