
NIST Cybersecurity Framework

Finally - A Clear Starting Place For NIST CSF Adoption


Two of the National Institute of Standards and Technology's most popular frameworks, the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-53, are among the most comprehensive cybersecurity frameworks available. Whether leading a cybersecurity team of one or of hundreds, CISOs and security leaders consistently turn to the CSF and 800-53 for guidance in developing their programs. These frameworks, though, are also among the most complicated and seemingly impossible to adopt fully. Especially with the voluntary CSF, many CISOs hope to use it as a foundation and a supplement to their existing program - and full adopters wear that achievement with pride.

Understanding that finding the right place to start is often the hardest challenge, CyberSaint developed the NIST PowerControls - the 20% of the controls that yield 80% of the results. Whether formalizing a cybersecurity program for the first time or embarking on NIST CSF adoption, the PowerControls are the best place to start.

The Challenge

It is often the aspiration of security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework for navigating both new technologies entering the market and new regulations hitting almost every industry. This is because the NIST CSF is often the foundation for those specific regulations - for example, both Special Publication 800-171 for Department of Defense contractors and 23 NYCRR 500 for New York State financial services organizations draw inspiration and lineage from the CSF. The NIST CSF, though, is also one of the most challenging frameworks to adopt given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF by their CEO or Board of Directors, selecting where to begin is the greatest challenge.

The NIST CSF and SP 800-53 Meet The Pareto Principle

The Pareto principle (also known as the 80/20 rule) states that, for many events, roughly 80% of the effects come from 20% of the causes. Originally applied to economics, the 80/20 rule eventually made its way into business - giving rise to the idea that "80% of sales come from 20% of clients".

Mathematically, the 80/20 rule is roughly followed by a power law distribution for a particular choice of parameters, and many natural phenomena have been shown empirically to exhibit such a distribution. The Pareto Principle is applied throughout business and technology today - popularized by efficiency-focused Silicon Valley startups and applied to almost every area of management in modern businesses.
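As an added illustration (not part of the original article) of what "a particular choice of parameters" means here: for a Pareto distribution with tail index $\alpha > 1$, the share of the total held by the top fraction $p$ of the population is known in closed form, so the exact $\alpha$ that produces an 80/20 split can be solved for directly.

$$
\Pr[X > x] = \left(\frac{x_m}{x}\right)^{\alpha}, \quad x \ge x_m,\ \alpha > 1
$$

$$
\text{Lorenz curve: } L(F) = 1 - (1-F)^{\,1 - 1/\alpha}, \qquad
\text{share of top } p: \; S(p) = 1 - L(1-p) = p^{\,1 - 1/\alpha}
$$

$$
S(0.2) = 0.8 \;\Longrightarrow\; \left(1 - \tfrac{1}{\alpha}\right)\ln 0.2 = \ln 0.8
\;\Longrightarrow\; \frac{1}{\alpha} = \frac{\ln 4}{\ln 5}
\;\Longrightarrow\; \alpha = \log_4 5 \approx 1.16
$$

The same $\alpha$ also gives the "90% of effects from 30% of causes" variant, since $0.3^{\,1 - 1/\alpha} \approx 0.84$ at $\alpha = 1.16$, which is why 80/20 is a rule of thumb rather than an exact law.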

Realizing that the principle could be applied to cybersecurity, the CyberSaint team set out to develop a means of extracting the controls from NIST SP 800-53 and the approaches from the NIST CSF to yield the 20% of controls that produce the highest result - giving security practitioners a clear path to adopting the gold standard in cybersecurity.

Why This Has Never Been Done

Many roadblocks exist in identifying these top 45 controls that yield the highest cyber resiliency. To understand why, one must examine both the CSF and SP 800-53. Both frameworks are organized into nested control families, as most frameworks are. Looking at another dimension, they also cover the three aspects that a control addresses: people, process, and technology. They were also designed to be fully adopted. NIST SP 800-53 was developed as a required framework for government agencies, and the CSF was initially intended for securing critical infrastructure - in short, both were designed to avoid partial adoption.

The hierarchy of controls that exists in these frameworks (AC-1, AC-2, etc.) is foundational, and the frameworks are designed to ensure that an organization adopts the foundational aspects before moving on to additional protection and hardening measures.

How CyberSaint Did It

Using the three control dimensions (people, process, and technology) and the implicit hierarchy of the NIST SP 800-53 controls, we have populated the CSF framework in a lightweight manner. In short, CyberSaint has curated this foundational set to help organizations implement the most essential controls and produce 80% of baseline cybersecurity resilience with 20% of the effort.

How To Use The CyberSaint PowerControls

The priority in creating the PowerControls was a clear path to NIST CSF adoption for an organization of any size. Using the PowerControls, security leaders can show their business-side counterparts their progress toward adopting the framework and use it as a common language for discussing their cyber program and posture.

They are an educational tool, too, in a way. There is a lot of confusion around the NIST CSF, and even more around what the 800-53 controls mean when applied to private organizations. The PowerControls are an excellent tool for explaining the difference between the CSF and SP 800-53, and how controls can help organizations implement the CSF in a detailed and measurable way.

The CyberSaint PowerControls are available as a framework within the CyberStrong platform - to see the PowerControls and CyberStrong in action, schedule a demo today.
