NIST CSF Questions from the Road Part 2

How does operationalizing the CSF benefit an organization when it comes to dealing with an attack?

There is a lot of interest around the NIST CSF. A recent Rsam survey revealed that 87% of InfoSec leaders said they plan to incorporate NIST CSF into their risk and compliance strategy. A 2017 HIMSS Cybersecurity Survey also showed that 95% of Healthcare orgs with a CISO have already adopted the NIST Cybersecurity Framework.

While this adoption trend continues, many organizations continue to struggle with how to implement the broad recommendations. This series of blog posts centers around real world questions we’ve received on the road during the Rsam hosted Cybersecurity Luncheons.

Getting NIST operationalized is one challenge for cybersecurity professionals, but another hot topic was how to reap the benefits once your program is running. When you operationalize, we hope that your organization is able to see the CSFs capability as it relates to dealing with an attack, and you can determine whether you have the proper investments and capability to first detect an attack, and more importantly, where we’ve seen a lot of the flaws in the industry is that a lot of the investments are in the first three core functions (Identify, Protect, Detect) but it’s not in Recover and Response. Our thought is—and a lot of CSOs agree—is that bringing this CSF to light highlights that many of us have forgotten to spend time and attention and budget on Recovery and Response, especially if there’s an attack.

When NIST published their published their Guide for Cybersecurity Event Recovery, they stated on their website, “Defense! Defense! may be the rallying cry from cybersecurity teams working to thwart cybersecurity attacks, but perhaps they should be shouting Recover! Recover! instead.”

How has your organization prepared for the next cyber-attack? Have you overinvested in one core function, but fell behind on others? Operationalizing NIST is your best plan for evaluating your cyber resilience.