It is bad form to try to explain any security framework to leaders who do not see a reason to care about it. This post provides some reasons why non-technical business executives should care about the new NIST Cybersecurity Framework, and recommendations for what they should know about it.
The NIST Cybersecurity Framework has been around since 2013. There are many other security frameworks, but the strength of this one was how easy it was to comprehend and execute on. From its very conception the framework was meant to be understandable at all levels of governance, from the most senior to the most junior. The most senior leaders of organizations really only needed to know that the framework existed, that it was being put in place, and that it consisted of five major categories, each with more detailed controls to execute on. Those major categories were Identify, Protect, Detect, Respond and Recover.
When briefing senior groups including boards I would sometimes go one level deeper than this list, not to ask any executive to memorize anything but just to be aware that there are far more details on recommendations under these five categories.
The point in discussing this framework with executives is never to invite them into the weeds of controls but to let them know professionals are working the issues including continuously assessing risks, gaps and mitigation measures that need to be put in place.
The early framework changed slightly over time. Now a new update is being worked on. For the last year NIST has been holding workshops, collecting inputs and circulating drafts of an improvement that adds a new category to the framework. That category is Governance.
Governance had been sprinkled throughout the previous version, but the community consensus is that it deserved to be called out explicitly. The new version 2.0 of the Cybersecurity Framework emphasizes governance in a way that will help ensure corporate guidance on security and cyber risk management is actually executed.
Why the new emphasis on governance? Frankly some organizations were not paying enough attention to this critical leadership function. Leaders are ultimately responsible for all aspects of the organization’s security program, even if they are not security or technology professionals and even if they are interdependent with or reliant on external stakeholders over whom they have little control. The regulatory landscape is catching up with this reality and the best practices for implementing this function in cybersecurity need to catch up as well.
New framework functions can be visualized this way:
Like in the first version, there are far more details underneath these high level categories of course. Here are the new high level categories under each function:
Now getting back to the point of this post. Why should non-technical executives (including corporate directors and the C-Suite) care about this framework? And what should they know about it? The real answers to these questions should be contextualized for the specific organization, but what follows can help speed that contextualization.
Why should we all care about the choice of a security framework? The leadership of any well-run organization should understand that mitigating risk is a team sport that involves far more than just the security and technology organizations. Every leader in the organization has a role. A framework can help the entire team stay in better sync and improve communication. Additionally, a good framework can help management make hard decisions on how to improve, including where to invest time and money in solutions that mitigate risk.
Why should the leadership team care about the NIST Cybersecurity Framework? This framework in particular was conceived as one that can apply at all levels, including the most senior and those whose job does not require detailed technical knowledge. With this framework it is much easier for leaders to know what is important for their action and awareness. It is also easier for those responsible for overall organizational governance (corporate boards and their directors) to use when interacting with and leading management in the reduction of risk.
Frameworks like this can help us all run a good cyber risk mitigation program. There are many ways to run a good cybersecurity program, and the NIST Cybersecurity Framework is not the only one. But it is one that was designed from the beginning to be understandable by executive leaders.
What is governance in a cybersecurity context? Governance in this context is the set of policies, procedures and actions the organization puts in place to ensure that what needs to be done gets done. The new version of the NIST Cybersecurity Framework will soon include appropriate actions for cybersecurity and digital risk governance.
Who needs to know about this framework? At a high level, the entire organization should understand the importance of supporting proper cybersecurity governance, including governance over the risk mitigation measures of suppliers and business partners. All should be encouraged to use the language of the NIST Cybersecurity Framework whenever possible.
What do non-technical executives need to know about this framework? The framework has six key functions: Govern, Identify, Protect, Detect, Respond and Recover. These six words all come with far more detail underneath them. It is useful for leaders from all corners of the business to understand their importance, even if it is the technical team and the security team that execute on the specifics. We all have a role to play in mitigating cyber risk.
How can the NIST Cybersecurity Framework help the executive team work together to mitigate risks? This new framework can form the basis of a common language that cuts across the entire organization when talking about digital risk and our collective actions to mitigate it. It can help us act together in response to breaches and resolve any issues more quickly.
All organizations share something very unfortunate in common today: all are under cyber attack, and all could use assistance in continuously finding and mitigating risks. The NIST Cybersecurity Framework is a very understandable and actionable way for an organization of any size to conceptualize a continually improving approach.
Of particular note are larger publicly traded corporations, which are not only under cyber attack from adversaries but are also under significant regulatory pressure. The SEC has levied new cybersecurity requirements that expect professional programs to be put in place. Legal action is already being taken on existing SEC cybersecurity requirements, and they are about to get far more strict. The fact that enforcement can shut down the business is a real attention getter. This makes taking action to comprehend and execute on a solid approach like the NIST Cybersecurity Framework even more important.
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat
Ransomware's Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet there are strategies available for threat mitigation. See: Ransomware, and update.
Challenges in Cyber "Net Assessment": While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine whether a system can be compromised, without guaranteeing its invulnerability. It is imperative not just to develop action plans against risks but to contextualize the state of cybersecurity relative to the cyber threats faced. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat