Have You Adopted the NIST Cybersecurity Framework?

February 26, 2015 By Andrew Roberts

As someone in the business of security, you may have heard of the NIST Cybersecurity Framework, developed by the US Commerce Department's National Institute of Standards and Technology (NIST). It was initiated by way of an Executive Order from US President Barack Obama in response to the government's growing concern over cybersecurity and the threat it poses to national and economic security [1].


This most probably came on the back of comments from people like the US Director of National Intelligence, who ranks cybercrime as the top national security threat, higher than terrorism, espionage and weapons of mass destruction [2].

This is backed up by the numbers: according to PriceWaterhouseCoopers (PwC) in their most recent State of Cybercrime survey, over three quarters of US companies detected a security breach in the past 12 months, and more than a third said the number of security incidents detected had increased over the previous year [3].

PwC also found that the average number of security incidents detected in 2013 was 135 per organisation, which is more than 2.5 incidents per week. And this does not account for incidents that go undetected: in 2013 the FBI notified 3,000 US companies that they had been victims of cyber intrusions. This is quite alarming. Three thousand companies needed the FBI to tell them their systems had been compromised.

It was due to this increased threat of cyber attacks taking place against US businesses and government departments, that President Obama instructed NIST to collaborate with government and private businesses to develop a framework for reducing the risks to critical infrastructure from cyber attacks.

After a year in development, this framework was released in 2014 and contained standards, guidelines and practices to help government agencies and private business reduce cyber risks to their critical infrastructure, making it well suited to organizations looking to beef up their security to protect valuable information.

In the State of Cybercrimes report, PwC explains that whilst it is a voluntary framework, it defines standardized cybersecurity activities, desired outcomes, and applicable references that constitute sound cybersecurity. As per NIST, the prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk.

At the core of the framework are five key functions that should be continuously monitored and improved upon:

1.  Identify: Understanding the risks to systems, assets, data, and their capabilities and knowing how to manage them.
2.  Protect: Implementing suitable safeguards to protect your assets and deter security threats.
3.  Detect: Continuous monitoring for proactive and real-time alerts of potential threats.
4.  Respond: Suitable policies and activities in place for prompt responses to security incidents.
5.  Recover: Implementing a continuity plan to preserve flexibility and recover system capabilities after a breach.

The vast majority of respondents, drawn from more than 500 executives of US businesses, law enforcement services and government agencies, fell well short of these guidelines in PwC's survey.

With concern about cyber threats within both public and private sectors at an all-time high, PwC was shocked to discover that organizations had done little, if any, to invest in cybersecurity and align it with their overall business strategy.

It is vitally important that organizations invest in resources to identify and categorise their most valuable digital assets, and determine where these are located across the system - and who has access to them.

Does your organization have a security framework in place? It is never too early to look at reviewing your policies. How does yours stack up against the NIST Cybersecurity Framework?

1. NIST Cybersecurity Framework.
2. Director of National Intelligence, Worldwide Threat Assessment of the US Intelligence Committee, January 2014.
3. PwC, "US cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey," June 2014.