Corporate and government leaders have been putting an increasing focus on the risks that cyber-attacks pose to critical infrastructure. Industrial control systems, once thought to be immune to internet-borne threats, are now clearly in the cross-hairs of new types of malware.

Responding to this growing risk, in 2013 the White House issued an executive order directing the National Institute of Standards and Technology (NIST) to create a cybersecurity framework (CSF) that provides guidance to organizations operating critical infrastructure on managing cybersecurity risk. On February 12th 2014, Version 1.0 of the NIST Framework was released following months of drafting and comment involving both the public and private sector. IBM was a significant contributor to this effort.

The NIST CSF provides guidelines, but it is not prescriptive. It does not tell you how to make the organization's controls secure. To do that, an organization needs to translate the guidelines into an actionable security program.

Four tips to a 5-star security program

Here are four points to consider:

  1. Establish your business objectives and set priorities for securing your critical infrastructure. Consider your business objectives and your level of risk tolerance based on the unique needs of your organization. Put yourself in the shoes of a cyber-attacker and look at your company's information and business-critical systems from their point of view, asking where an attacker could do the most damage.
  2. Assess your current readiness for a sophisticated attack. The threat landscape is evolving, and your organization must ensure that it has the resources and tools necessary to identify and stop an attack, determine what was compromised, and begin the remediation process. Leverage the NIST framework to ensure that you are taking a holistic view in assessing your capabilities.
  3. Develop a proactive security plan to protect your organization that aligns with your business objectives. Identify how you can collect and leverage security intelligence to enhance your readiness and responsiveness. Security intelligence and analytics tools can actively monitor and correlate activity across multiple security technologies, giving you the visibility and insight into what is going on in your environment that you need to spot and investigate the kind of suspicious activity that could indicate an attack is underway.
  4. Make sure your security program has clearly defined ownership and leadership assigned across critical business areas. Rapid response is critical when an incident occurs, and having an effective governance structure with well-defined communication processes in place will help to minimize the potential damage.

Taking this journey is more effective if you have a knowledgeable guide.

To use an analogy: the NIST CSF is like a cookbook that provides the recipe, the ingredients and general instructions on how to assemble the ingredients, but it takes the talents of a chef to interpret the recipe, adjust the proportions and spices, and turn it into an excellent meal.

We are here to help you leverage the Cybersecurity Framework (CSF) to baseline your current security program, identify gaps, prioritize security investments, and develop an actionable roadmap to improve your security maturity.

I hope these tips will help you create a “5 Star” security operation based on the NIST CSF. Are there any other tips I missed? Let me know in the comments below.
