March 12, 2014 By Pierre Gourdon 2 min read

Corporate and government leaders have been putting an increasing focus on the risks to our critical infrastructure from cyber-attacks. Industrial controls, once thought to be immune to these internet-borne threats, are now clearly in the cross-hairs of new types of malware.

Responding to this growing risk, in 2013 the White House issued an executive order for a cybersecurity framework (CSF) to be created by the National Institute of Standards and Technology (NIST), providing guidance to organizations with critical infrastructure to help them manage cybersecurity risk. On February 12, 2014, Version 1.0 of the NIST Framework was released following months of drafting and comment involving both the public and private sectors. IBM was a significant contributor to this effort.

The NIST CSF provides guidelines, but it is not prescriptive. It does not tell you how to make the organization’s controls secure. To do that, an organization needs to translate the guidelines into an actionable security program.

Four tips to a 5-star security program

Here are four points to consider:

  1. Establish your business objectives and set priorities for securing your critical infrastructure. Consider your business objectives and your level of risk tolerance based on the unique needs of your organization. Step inside the shoes of a cyber-attacker and take a look at your company’s information and business critical systems from their point of view, asking how an attacker could do the most damage.
  2. Assess your current readiness for a sophisticated attack. The threat model is evolving and your organization must ensure that it has the resources and tools necessary to identify and stop an attack, determine what was compromised, and begin the remediation process. Leverage the NIST framework to ensure that you are taking a holistic view in assessing your capabilities.
  3. Develop a proactive security plan to protect your organization that aligns with your business objectives. Identify how you can collect and leverage security intelligence to enhance your readiness and responsiveness. Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you visibility and insight into what’s going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway.
  4. Make sure your security program has clearly defined ownership and leadership assigned across critical business areas. Rapid response is critical when an incident occurs, and having an effective governance structure with well-defined communication processes in place will help to minimize the potential damage.

Taking this journey is more effective if you have a knowledgeable guide.

To use an analogy: the NIST CSF is like a cookbook that provides the recipe, the ingredients and general instructions on how to assemble the ingredients, but it takes the talents of a chef to interpret the recipe, adjust the proportions and spices, and turn it into an excellent meal.

We are here to help you leverage the Cybersecurity Framework (CSF) to baseline your current security program, identify gaps, prioritize security investments, and develop an actionable roadmap to improve your security maturity.

I hope these tips will help you create a “5 Star” security operation based on the NIST CSF. Are there any other tips I missed? Let me know in the comments below.
