
NIST Cybersecurity Framework

Finally - A Clear Starting Place For NIST CSF Adoption


Two of the National Institute of Standards and Technology's most popular frameworks, the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-53, are among the most comprehensive cybersecurity frameworks available. Whether leading a cybersecurity team of one or of hundreds, CISOs and security leaders consistently turn to the CSF and 800-53 for guidance in developing their programs. These frameworks, though, are also among the most complicated and seemingly impossible to adopt fully. This is especially true of the voluntary CSF: many CISOs hope to use it as a foundation to build on and supplement, and those who adopt it fully wear that achievement with pride.

Understanding that finding the right place to start is often the hardest challenge, CyberSaint developed the NIST Power Controls - the 20% of the controls that yield the 80% of the results. Whether formalizing a cybersecurity program for the first time or embarking on adopting the NIST CSF, the PowerControls are the best place to start.

The Challenge

Many security leaders, whether at a small business or a multi-billion dollar enterprise, aspire to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework for navigating both new technologies entering the market and new regulations hitting almost every industry. The reason is that the NIST CSF is often the foundation for these specific regulations: for example, both Special Publication 800-171 for Department of Defense contractors and 23 NYCRR 500 for New York State financial services organizations draw inspiration and lineage from the CSF. The NIST CSF, though, is also one of the most challenging frameworks to adopt given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF by their CEO or Board of Directors, selecting where to begin is the greatest challenge.

The NIST CSF and SP 800-53 Meet The Pareto Principle

The Pareto principle (also known as the 80/20 rule) states that, for many events, roughly 80% of the effects come from 20% of the causes. Originally applied to economics, the 80/20 rule eventually made its way into business - giving rise to the idea that "80% of sales come from 20% of clients".

Mathematically, the 80/20 rule is roughly followed by a power law distribution for a particular set of parameters, and many natural phenomena have been shown empirically to exhibit such a distribution. The Pareto Principle has been applied throughout business and technology today - popularized by efficiency-focused Silicon Valley startups and applied to almost every area of management in modern businesses.

Realizing that the principle could be applied to cybersecurity, the CyberSaint team set about to develop the means to extract the controls from NIST SP 800-53 and the approaches from the NIST CSF to yield the 20% of the controls that produce the highest result - giving security practitioners a clear path to adopting the gold-standard in cybersecurity.

Why This Has Never Been Done

Many roadblocks exist in identifying the top 45 controls that yield the highest cyber resiliency. To understand why, one must examine both the CSF and SP 800-53. Both frameworks are organized into nested control families, as most frameworks are. Along another dimension, they also cover the three aspects that a control addresses: people, process, and technology. They were also designed to be fully adopted. NIST SP 800-53 was developed as a required framework for government agencies, and the CSF was initially intended for securing critical infrastructure. In short, both were designed to avoid partial adoption.

The hierarchy of controls that exists in these frameworks (AC-1, AC-2, etc.) is foundational: the frameworks are designed to ensure that an organization adopts the foundational controls before moving on to additional protection and hardening measures.

How CyberSaint Did It

Using the three control dimensions (people, process, and technology) and the implicit hierarchy of the NIST SP 800-53 controls, we have populated the CSF framework in a lightweight manner. In short, CyberSaint has curated this foundational set to help organizations implement the most essential controls, producing 80% of baseline cybersecurity resilience with 20% of the effort.

How To Use The CyberSaint PowerControls

The priority for creating the PowerControls was creating a clear path to NIST CSF adoption for an organization of any size. Using the PowerControls, security leaders can discuss with their business-side counterparts their work to adopt the framework and use it as a means to discuss their cyber program and posture.

They are also, in a way, an educational tool. There is a lot of confusion around the NIST CSF, and even more around what 800-53 controls mean when applied to private organizations. The Power Controls are an excellent tool for explaining the difference between the CSF and SP 800-53, and how controls can help organizations implement the CSF in a detailed and measurable way.

The CyberSaint PowerControls are available as a framework within the CyberStrong platform. To see the PowerControls and CyberStrong in action, schedule a demo today.
