What barriers do organizations encounter as they embrace NIST CSF?
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) has garnered a great deal of interest amongst cyber security professionals. However, as RSAM CEO Vivek Shivananda has discovered during the RSAM Cybersecurity Luncheons, the implementation of the NIST CSF does not reflect the amount of interest shown. To this end, he is often asked what barriers organizations encounter as they embrace NIST CSF.
The answer is quite simple: A lot of people want to implement the Cybersecurity Framework, but they just don’t know how. Admittedly, there has been very little in the way of implementation guidance. Everyone talks about the same categories and subcategories, but when it comes to operationalizing the CSF, there are few tips and tricks for doing so.
This lack of guidance is what drove us to host the RSAM Cybersecurity Luncheons during which Vivek offers a phased approach to practically operationalizing the NIST CSF. As there’s more adoption and lessons learned, we will continue to share those, and other practitioners will do the same. We are confident that will go far to reducing the barrier to implementing the framework.
One thing to keep in mind as you approach the framework is that you don’t have to boil the ocean. You can start small simply by using a spreadsheet to link the risks in your risk register to the CSF categories, and gradually work your way up to a GRC tool that can help you mature.