The risks that come with cybersecurity can be overwhelming to many organizations. Building out a robust cybersecurity program is complex and difficult to strategize for any organization, regardless of size. Frameworks are not a new concept to cybersecurity professionals; their benefits are immense, and they do not need to be complex to be effective. In this article, I will discuss some of the historical and conceptual links to our modern-day frameworks such as the NIST CSF.
One property that comes to mind is the collaborative nature of a framework's development. In the early 1900s the statistician Francis Galton made a breakthrough observation at a country fair: a crowd of nearly eight hundred laypeople guessed the weight of an ox, and their guesses, when averaged, came within a few pounds of the actual weight. Experts, however, were much further off in guessing the weight of the same ox. How could such a phenomenon be possible?
The power of collaboration
The framework had thousands of contributors (over 3,000), each contributing independently, and it was drawn from a decentralized sample of the population (industry professionals and cybersecurity experts) making unique contributions to it. These collaborative beginnings may account for some of the value the framework provides. As someone who attended and contributed myself, I can say that the team around the framework and the National Institute of Standards and Technology have more than just the baseline clout that you would hope for in a recognized group. Not to mention that version 1.1 came out just recently, and its revisions are comprehensive.
Although I spent years consulting, when I took the role of global CSO at Schneider Electric I realized that, to “determine” the optimal set of cybersecurity controls for an organization, the wisdom of a larger crowd wins over the opinions or guidance of a small group of “experts” such as consultants, who would share similar corporate training and culture with my team. That larger crowd, which pulls from different industries and organizational structures and includes high-powered cybersecurity professionals, is the one that produced the NIST Cybersecurity Framework.
Trading in large consulting groups for recognized frameworks
In my experience, “proprietary frameworks” promulgated by even the most top-tier and renowned consulting firms tended to be myopic and often lacked real value. On occasion a homegrown framework had some value, but that was usually because it was a refactored version of a crowd-based source such as the ISO/IEC security frameworks. The NIST Framework may have inherited some of these crowd-wisdom properties, greatly improving the overall value of adopting it. I hosted a webinar on the NIST Framework as it’s the foundation of the CyberStrong Platform. In my career I’ve experienced the convergence of frameworks and standards, and the need for a universal language. If your organization implements a recognized standard to operate by, it will be a great benefit and a guide to you as you scale your program.
Look to well-known frameworks such as the ISO/IEC series, NIST 800-53, and the NIST Cybersecurity Framework, and align with a nationally or internationally recognized standard. Use these frameworks as a guide to run your cybersecurity program and to increase visibility and order within your company.
Why adopting the NIST framework should be on your to-do list
I would argue that the NIST CSF is the most robust yet understandable framework to date. It covers five critical framework functions: Identify, Protect, Detect, Respond and Recover – all critical parts that require controls, policies, and procedures within your organization, both inside and outside of your cybersecurity team.
Upon the recent release of the NIST Cybersecurity Framework version 1.1, the Under Secretary of Commerce for NIST, Walter Copan, noted that “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”
Additionally, the US Secretary of Commerce Wilbur Ross noted that “Cybersecurity is critical for national and economic security. The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”
Harnessing the wisdom of crowds
The quotes above show the bridge between security and business in action. CEOs and business leaders around the country have taken note of the importance of cybersecurity and data protection, especially of late. It’s important that we understand the implications of following an unorganized, less strategic set of cybersecurity controls. We owe it to our cybersecurity teams, our businesses and our customers to follow a strategic path to security. Thus, I advocate the use of the NIST Cybersecurity Framework, and recognized frameworks like it, to fuel your security program and strengthen your cybersecurity posture.
Those who had a hand in creating the framework knew the importance of creating a “framework to live by”; they shared the same vision. These individuals came from different roles and industries and had varying viewpoints and perspectives on cybersecurity and risk management. I believe that this crowd-sourcing methodology is exactly what makes the framework so robust. It draws from every angle the priorities and use cases of its creators, resulting in a framework that adds depth and breadth to your organization while being flexible enough to accommodate companies of any scale.
To leave you with a shared understanding, I finish with this: you may gain considerable value from frameworks like the NIST Cybersecurity Framework because they “harness the wisdom of crowds.”