For years, managed service providers (MSPs), chief information security officers (CISOs), and IT experts have depended on the guidance of the National Institute of Standards and Technology (NIST) to navigate the landscape of cybersecurity best practices. Initially introduced in 2013, the NIST framework has been a cornerstone. However, considering the rapid evolution of cybersecurity, a decade is a substantial stretch of time, and a revision has been overdue. In alignment with this need, a recent update was introduced earlier this month, prompting experts to highlight its timely significance.
The newly unveiled NIST guidelines, which have been presented in a preliminary form this week, have been notably broadened and rendered more comprehensive. Managed service providers (MSPs) retain the opportunity to influence the final contours of the NIST recommendations. The preliminary version of the updated NIST framework was released on August 8th. The most noteworthy alteration pertains to the incorporation of an additional foundational element into the NIST's mission. Originally structured around five fundamental components—identify, protect, detect, respond, and recover—a sixth facet, termed the "govern" function, has now been integrated.
According to NIST, this new addition “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.” It has been stated that this latest pillar is an essential addition because it provides a framework for consistency across the board in cybersecurity.
The "Govern" Pillar establishes a Framework for:
Developing and upholding a framework for managing cybersecurity risks entails a collaborative effort between NIST and MSPs. It's imperative to establish an ongoing procedure that involves the consistent assessment and evaluation of the risk management framework's efficacy.
They are developing and implementing cybersecurity policies, procedures, and processes. It is measuring and evaluating cybersecurity performance. This includes establishing metrics for measuring cybersecurity performance. Many companies, and even some MSPs, tend to establish protocols and safeguards and then consider their job done. However, it's crucial to consistently assess and check how well these procedures are actually functioning.
Empowering cybersecurity governance:
Experts emphasize that the introduction of the "govern" aspect holds immense importance in crafting a comprehensive cybersecurity strategy. This addition furnishes organizations with a clear roadmap to construct and sustain a thorough cybersecurity governance framework. This framework aids in mitigating risks, safeguarding assets, and formulating responses to incidents.
It can also help organizations to measure and evaluate their cybersecurity performance. With a growing body of cybersecurity regulations and standards necessitating adherence, navigating the landscape becomes more manageable using the NIST standards. Overall, the 'govern' element within the NIST Cybersecurity Framework (CSF) stands as a valuable resource for organizations striving to enhance their cybersecurity stance. The NIST update is intended to steer the current cybersecurity landscape while maintaining the flexibility to adapt to evolving cybersecurity needs in the years ahead.
In a press release, the NIST framework lead author said the following:
“With this update, we are trying to reflect current usage of the Cybersecurity Framework and to anticipate future usage as well,” said the framework’s lead developer.
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere, from schools and small businesses to local and foreign governments. We want to ensure that it is useful to all sectors, not just those designated as critical.”
RCS has been helping businesses stay protected and cyber-safe since 1999. If you need help with your businesses cyber security contact us at info@rcsprofessional.com or visit https://www.rcsprofessional.com/contact-us