In 2017, Gartner analyst Earl Perkins gave a wake-up call to security leaders everywhere: stop focusing only on protection and prevention. “The truth is,” he said, “you won’t be able to stop every threat, and you need to get over it.” Fast forward to today, and that advice is even more relevant.
The hard truth is this: getting hacked is no longer a matter of if, but when.
So, how should your organization respond? By moving beyond a fragmented or overly defensive posture, and embracing a holistic cybersecurity program built to detect, respond to, and recover from attacks as well as prevent them.
In a world of increasing threats, focusing solely on perimeter defense is like locking your front door while leaving your windows open. High-profile data breaches have shown that even well-defended environments can be compromised. That’s why the most resilient organizations are the ones that prepare across the entire cyber risk lifecycle, not just at the gates.
As Perkins emphasized at the Gartner Security & Risk Management Summit:
“Take the money you’re spending on prevention and begin to drive it more equitably to detection and response.”
This balanced investment strategy is the foundation of a strong, modern cybersecurity program.
If you're building or maturing a cybersecurity program in 2025, there's no better place to start than the NIST Cybersecurity Framework (CSF). It is the most widely referenced model for structuring a program that is comprehensive, measurable, and aligned with both regulatory requirements and business goals.
The current version, NIST CSF 2.0 (published February 2024), defines six core functions, each representing a vital area of your cybersecurity program:
Govern: Establish the organization’s cybersecurity risk management strategy, policies, and oversight structure. This foundational function ensures leadership involvement, role clarity, and a strong governance model.
Identify: Understand what assets, systems, data, and capabilities you need to protect. This includes inventories, risk assessments, and business environment mapping.
Protect: Implement safeguards such as identity and access management, awareness training, and secure engineering to reduce the likelihood and impact of threats.
Detect: Deploy continuous monitoring and threat detection capabilities so that incidents are found early and handed to the response process quickly.
Respond: Establish and maintain an incident response capability that includes containment, communication, and coordination.
Recover: Put in place tested recovery plans to restore services and operations post-incident, minimizing business disruption.
Each function reinforces the others, making NIST CSF a truly holistic framework. It enables security leaders to structure their programs not only for compliance but also for resilience and long-term value.
Recommended Reading: Building Cyber Resilience: Insights into NIST CSF 2.0 for guidance on the latest changes made to the NIST framework and the new function, Govern.
If your organization is still operating from a checklist-style or compliance-only mindset, here’s how you can shift toward a risk-informed, strategic approach:
Use the NIST CSF as a benchmark. Evaluate how mature each of the six functions is in your current program and document the gaps.
Treat cybersecurity as a business-wide issue. Involve legal, risk, finance, operations, and board-level stakeholders so that cyber initiatives are aligned with strategic priorities.
Invest in detection and response. Fund threat detection tooling, incident response planning, and tabletop exercises, and prepare for when, not if, a breach occurs.
Define and report metrics. Track mean time to detect (MTTD), mean time to respond (MTTR), and risk reduction expressed in terms of business impact, and report them on a consistent cadence.
Automate where it pays off. Modern cyber programs benefit from automating risk assessments, continuous control monitoring, reporting, and remediation planning, which reduces manual burden and improves accuracy.
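MTTD and MTTR are only as good as the timestamps behind them, and a single slow-to-detect incident can drag the mean far from what a typical case looks like. The following is an added example, not code from the original page or from CyberStrong: it computes MTTD and MTTR (overall and per severity) from a constructed set of incident records, reports the median next to the mean so outliers are visible, and rejects records whose timestamps are out of order before they can distort the figures. The incident IDs, severities, and timestamps are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """One closed incident, with the three timestamps MTTD/MTTR need."""
    id: str
    severity: str
    occurred: datetime   # earliest evidence of attacker activity (from forensics)
    detected: datetime   # first alert, report, or analyst finding
    contained: datetime  # point at which the threat was contained


# Constructed sample data (hypothetical incidents, not real records).
INCIDENTS = [
    Incident("INC-1", "high",   datetime(2025, 3, 1, 2),   datetime(2025, 3, 1, 10),  datetime(2025, 3, 1, 14)),
    Incident("INC-2", "high",   datetime(2025, 3, 5, 0),   datetime(2025, 3, 7, 0),   datetime(2025, 3, 7, 12)),
    Incident("INC-3", "low",    datetime(2025, 3, 10, 9),  datetime(2025, 3, 10, 9, 30), datetime(2025, 3, 10, 11, 30)),
    Incident("INC-4", "medium", datetime(2025, 3, 12, 8),  datetime(2025, 3, 12, 20), datetime(2025, 3, 13, 2)),
    Incident("INC-5", "high",   datetime(2025, 3, 20, 0),  datetime(2025, 3, 20, 4),  datetime(2025, 3, 20, 6)),
]


def hours(delta):
    return delta.total_seconds() / 3600


def time_to_detect(inc):
    """Dwell time: attacker activity began -> we noticed."""
    return inc.detected - inc.occurred


def time_to_respond(inc):
    """Response time: we noticed -> threat contained."""
    return inc.contained - inc.detected


def invalid_records(incidents):
    """IDs whose timestamps are out of order (bad data entry, clock skew).

    Such records would produce negative dwell or response times and must be
    fixed at the source rather than silently averaged in.
    """
    return [i.id for i in incidents
            if not (i.occurred <= i.detected <= i.contained)]


def metrics(incidents, severity=None):
    """MTTD/MTTR in hours, optionally restricted to one severity.

    Raises if any record is invalid or if nothing matches the filter.
    """
    bad = invalid_records(incidents)
    if bad:
        raise ValueError(f"timestamps out of order for: {', '.join(bad)}")
    rows = [i for i in incidents if severity is None or i.severity == severity]
    if not rows:
        raise ValueError(f"no incidents with severity={severity!r}")
    ttd = [hours(time_to_detect(i)) for i in rows]
    ttr = [hours(time_to_respond(i)) for i in rows]
    return {
        "count": len(rows),
        "mttd_hours": mean(ttd),
        "median_ttd_hours": median(ttd),
        "mttr_hours": mean(ttr),
        "median_ttr_hours": median(ttr),
    }


if __name__ == "__main__":
    for sev in (None, "high"):
        label = "all" if sev is None else sev
        m = metrics(INCIDENTS, sev)
        print(f"{label:>6}: n={m['count']} "
              f"MTTD={m['mttd_hours']:.1f}h (median {m['median_ttd_hours']:.1f}h) "
              f"MTTR={m['mttr_hours']:.1f}h (median {m['median_ttr_hours']:.1f}h)")
```

On the sample data the overall MTTD is 14.5 hours while the median is 8 hours; the gap comes entirely from INC-2, which sat undetected for two days. Reporting both numbers (or a percentile) keeps one outlier from hiding, or manufacturing, a trend, and the validation step is worth keeping in any real pipeline, because a mis-entered "occurred" timestamp later than "detected" will otherwise make MTTD look better than it is.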
An earlier Gartner estimate put adoption of the framework at 30% of U.S. organizations, with projected use of 50% by 2020; those figures predate CSF 2.0, and adoption has continued to grow since.
According to the same Gartner research, use of the framework is usually attributed to three key motivations: aligning with cybersecurity best practices (70%), business partner requirements (29%), and federal contract requirements (28%).
More and more organizations are aligning with the NIST Framework and requiring their partners, vendors, and suppliers to do so. If you're interested in learning more about the Framework and building a holistic approach to managing security, let us know, and we can give you the advice to get your security plan started. The CyberStrong Platform can baseline your program against the Framework in just a few hours.
The NIST CSF is widely adopted because it provides a flexible, scalable, and comprehensive model for managing cybersecurity risk. It addresses technical, operational, and governance needs across six key functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The Govern function was added to emphasize the importance of organizational leadership, roles, policies, and oversight in managing cybersecurity risk. It ensures cyber efforts are led with intention, backed by leadership, and aligned with enterprise risk strategy.
See how you can map from the NIST CSF 2.0 to NIST 800-53.
Yes, the framework works for smaller organizations: it is designed to be adaptable to organizations of all sizes, and smaller ones can implement the functions incrementally based on their risk profile and maturity.
Use metrics tied to business impact—like financial risk reduction, threat mitigation ROI, or regulatory compliance status. Tools like CyberStrong allow you to quantify cyber risk and generate executive-level dashboards aligned with frameworks like NIST CSF.
Automation is not required, but it significantly improves efficiency, accuracy, and scalability: it lets organizations continuously monitor controls, generate risk reports, and respond to threats faster than manual processes allow.