We Already Use a Control Framework. Do We Really Need NIST CSF?
If your organization is interested in building a cybersecurity strategy around the NIST CSF—but you don’t know where to start—you’re not alone.
Despite growing interest in the National Institute of Standards and Technology Cybersecurity Framework, many organizations continue to struggle with how to implement its broad recommendations. In an effort to help these organizations, RSAM is hosting Cybersecurity Luncheons around the country. During these Luncheons, RSAM CEO and Co-founder Vivek Shivananda offers a phased approach to practically operationalizing the framework. In the course of doing these events, we’ve found that the same questions tend to come up time and again. We thought we’d share them in a series of blog posts to help you get your arms around the NIST CSF.
Most security organizations are already using a control framework such as NIST 800-53, COBIT or ISO 27002. With the introduction of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), organizations are wondering, “Do we need NIST CSF? And what are we missing if we don’t use it?”
It’s important to understand that the NIST CSF is not a control framework—nor is it meant to be. The NIST CSF is a framework that leverages the control frameworks you’re already using. It is intended to sit on top of control frameworks such as NIST 800-53, COBIT or ISO 27002, and enables you to answer two board-level questions: How are we doing with cybersecurity? And, if we have a breach, are we ready? By answering these two questions, the CSF serves as a tool that can help you create an informed investment strategy and benchmark against other organizations.
Regardless of which control framework you currently leverage, the NIST CSF can provide board-level visibility to your organization’s efforts around Identify, Protect, Detect, Respond, and Recover. In our experience, this visibility is a requirement for every organization, and therefore, so is the NIST CSF.