Recently, Rsam CEO Vivek Shivananda spoke with a diverse and engaged group of information security leaders who came to discuss the NIST CSF framework. The session was moderated by ISMG Media Editor Tom Field. The conversation revealed common challenges and hopes around how NIST CSF can help improve an organization’s security posture.
During the conversation, attendees expressed challenges around practical use of the framework. Some said the length and depth of NIST CSF was daunting. Others said it exposed their organization’s gaps between security and other business functions. One question also surfaced as a common theme: If we use NIST CSF, how do I tell executives they have to give up some technology conveniences?
When it comes to managing vendor risk, participants reflected a range of maturity levels in their approach, from internal audits to leveraging the Shared Assessments SIG model. The consensus was that NIST CSF could be useful in addressing their concerns. Nearly all participants described their frustration with vendor risk management, for example:
- Exploding volume of vendors to monitor. One organization inspects only 110 of its most strategic vendors, yet its total vendor population is 11,000 (only 1% coverage).
- Lack of expertise. Auditors need to know the right questions to ask and how to interpret the answers.
Finally, the group said they hoped implementing NIST CSF would provide them with these benefits:
- Greater awareness of risk
- Executive support for security initiatives
- Faster, better incident response and management
- Clearer identification of areas that need improvement
Want to learn more about NIST CSF best practices? Listen to a 20-minute on-demand webinar featuring Vivek Shivananda here.