Corporate and government leaders have been putting an increasing focus on the risks that cyber-attacks pose to our critical infrastructure. Industrial controls, once thought to be immune to these internet-borne threats, are now clearly in the cross-hairs of new types of malware.

Responding to this growing risk, in 2013 the White House issued an executive order for a cybersecurity framework (CSF) to be created by the National Institute of Standards and Technology (NIST), providing guidance to organizations with critical infrastructure to help them manage cybersecurity risk. On February 12th, 2014, Version 1.0 of the NIST Framework was released following months of drafting and comment involving both the public and private sectors. IBM was a significant contributor to this effort.

The NIST CSF provides guidelines, but it is not prescriptive. It does not tell you how to make the organization’s controls secure. To do that, an organization needs to translate the guidelines into an actionable security program.

Four tips to a 5-star security program

Here are four points to consider:

  1. Establish your business objectives and set priorities for securing your critical infrastructure. Consider your business objectives and your level of risk tolerance based on the unique needs of your organization. Step into the shoes of a cyber-attacker and look at your company’s information and business-critical systems from their point of view, asking how an attacker could do the most damage.
  2. Assess your current readiness for a sophisticated attack. The threat model is evolving and your organization must ensure that it has the resources and tools necessary to identify and stop an attack, determine what was compromised, and begin the remediation process. Leverage the NIST framework to ensure that you are taking a holistic view in assessing your capabilities.
  3. Develop a proactive security plan to protect your organization that aligns to your business objectives. Identify how you can collect and leverage security intelligence to enhance your readiness and responsiveness. Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you visibility and insight into what’s going on in your environment to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway.
  4. Make sure your security program has clearly defined ownership and leadership assigned across critical business areas. Rapid response is critical when an incident occurs, and having in place an effective governance structure with well-defined communication processes will help to minimize the potential damage.

Taking this journey is more effective if you have a knowledgeable guide.

To use an analogy: the NIST CSF is like a cookbook that provides the recipe, the ingredients and general instructions on how to assemble the ingredients, but it takes the talents of a chef to interpret the recipe, adjust the proportions and spices, and turn it into an excellent meal.

We are here to help you leverage the Cybersecurity Framework (CSF) to baseline your current security program, identify gaps, prioritize security investments, and develop an actionable roadmap to improve your security maturity.

I hope these tips will help you create a “5 Star” security operation based on the NIST CSF. Are there any other tips I missed? Let me know in the comments below.
