Congrats are in order for the folks over at the National Institute of Standards and Technology! A few weeks ago, a new version of their Framework for Improving Critical Infrastructure Cybersecurity (which we call the Cyber Security Framework, or CSF) was released.
The CSF, as with most other NIST Special Publications around security, receives regular updates to keep pace with the changes in the threat landscape, the security product market, and new regulatory compliance requirements in a variety of industries. I talk often to customers who are facing the challenge of protecting their data and systems, but find it hard to adjust as those factors change year to year, and they feel there isn’t sufficient organizational focus on practicing good security.
You may have heard the term “security program” before – you’d certainly hear me mention it in these conversations with customers. Maybe it’s why you clicked on this article. What is a security program? What’s so magical about it that I need it in my organization?
When I describe a security program, I’m talking about the collection of individuals, teams, and their efforts to protect their organization from a variety of threats. I’m talking about the policies, standards, and guidelines they enact to formally document roles, responsibilities, actions, and behaviors of employees, users, third-parties, and anyone else that might have a role in this protection effort. I’m talking about the management efforts to advance the maturity of the organization’s protection effort, and to mitigate risks to the business.
It’s a team, led by a leader or group of leaders, much like many other teams in your organization. Yours will look similar to other teams … and also very different. There’s no one right way to build a security program (but certainly plenty of wrong ways). What helps is a guide – and the NIST CSF is a fantastic, free guide built just for that purpose.
It defines five Functions for which the security program is responsible: Identify, Protect, Detect, Respond, and Recover. It details how to build a security program, and grow it over time, to achieve this goal. And it provides a way to measure the program's capability and success, so you can tell whether it is meeting its goals.
JD Rogers, the CISO of Great American Insurance, did a fantastic talk last year on how he and his team used the CSF to develop a strategy to grow and measure the success of their security program. The slides from the talk are here.
If your organization doesn’t have a security program today, and you are the person considered responsible for security in that organization, the NIST CSF is absolutely worth a read. It may seem daunting, but Rome (and its security program) wasn’t built in a day. A few years after beginning these efforts, you may be able to look back and see real change that has been effected because of this practice. You might even sleep better at night!
If you’re interested in seeing how you stack up to the NIST CSF, or if you’d like help with those critical first steps of building your security program, come and talk to us. We’ve helped many businesses in many industries with this process and we’d love to help you.
Read more about Security offerings from CBTS.