Cybersecurity, Where Do We Begin? Measuring Your Organization's Security with NIST Cybersecurity Framework


By Dan Desko

The concept of cybersecurity can be a daunting one.  The world of information technology alone is filled with complexity; add business requirements and ever-expanding user requirements, and the next thing you know, your IT manager’s hands are full.  Let’s face it: most organizations today are so focused on keeping the lights on and keeping systems up and running that security is often an afterthought.  The challenges that the average information technology professional faces in today’s ever more interconnected world have never been greater.  The internet revolution has provided great resources for business and personal use alike; however, it has also made it much easier for a nefarious individual halfway around the world to break into your organization’s network.

The security world is filled with shiny new products and expensive solutions, none of which is a panacea for all security issues.  It also seems as though new critical security vulnerabilities in enterprise systems are identified daily.  To complicate things further, add the human element: cyber attackers target your everyday employees in order to circumvent or bypass that shiny new firewall you just purchased.  So you may be wondering, where do I start to ensure that my company’s systems are secure?  How do we know whether we are doing enough?  You are not alone.

While there is no foolproof formula to make sure your organization is secure, we recommend that you start with a tested and recognized framework to see how your organization stacks up.  The NIST Cybersecurity Framework, which was drafted by the National Institute of Standards and Technology (NIST) in response to President Obama’s February 2013 Executive Order titled “Improving Critical Infrastructure Cybersecurity,” is an example of such a framework.  The framework does not introduce many new technical standards or concepts; rather, it references and provides organization and structure to industry-leading and proven security best practices from organizations such as ISO, NIST, ISACA and others.  The framework was developed over a ten-month period with collaborative input from more than 3,000 security professionals.  It was designed to provide an assessment mechanism to allow organizations to determine their current state of security and define a plan of action to achieve a more desirable state.

The NIST Cybersecurity Framework Core defines and organizes standardized security activities, desired outcomes and applicable references.  The Framework Core is organized by five core functions that are further broken down into categories (See Table 1).  The Framework Core essentially defines the critical security processes to be followed on a continuous and improving basis to constitute an effective cybersecurity posture.

Table 1: NIST Cybersecurity Framework Core Functions (table not reproduced in this copy)

Keys to a Successful Cybersecurity Framework Implementation

  • Ensure cybersecurity is aligned with the business mission and objectives.
  • Gain senior management support.
  • Assess the current security posture against the industry recommended best practices and guidelines.
  • Determine where you would like to be in the short and long term.
  • Develop an actionable plan to get you there.
  • Continuously monitor, reassess and communicate results.

While implementing a framework such as this is completely voluntary, we view it as a necessary means of effectively evaluating an organization’s cybersecurity measures in order to protect its most valuable information assets.  Using a proven framework not only gives your organization a stronger regulatory and legal standing; it also establishes a proactive risk management approach that tackles a very complex problem.  Adopting such a framework should ultimately shift your organization’s security mindset from a reactive one into a proactive, risk-based driver of solutions.



© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.