<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NIST Cybersecurity Framework

Using CyberSaint Power Controls to Implement the NIST CSF


Two of the National Institute of Standard and Technology’s most popular frameworks, the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-53, are some of the most comprehensive cybersecurity frameworks and standards available. Whether leading a cybersecurity team of one or hundreds, CISOs and security leaders consistently turn to the CSF and 800-53 for guidance and development of their programs. These frameworks, though, are some of the most complicated and seemingly impossible frameworks to adopt fully. Especially with the voluntary CSF and the foundational framework core designed to support a comprehensive discussion around cybersecurity with business leaders, many CISOs hope to use it as a foundation and supplement - and full adopters wear that achievement with pride.

Understanding that finding the right place to start is often the hardest challenge, CyberSaint developed the NIST Power Controls - the 20% of the controls that yield the 80% of the results. Whether formalizing a cybersecurity program for the first time or embarking on adopting the NIST CSF, the PowerControls are the best place to start.

The Challenge with Implementing the NIST CSF

It is often the aspiration of many security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework to navigate both new technologies entering the market as well as new regulations hitting almost every industry. The reason being that the NIST CSF is often the foundation for these specific regulations - for example, both Special Publication 800-171 for Department of Defense contractors and 23 NYCRR 500 for New York state financial service organizations - draw inspiration and lineage from the CSF. When the CSF was updated with Version 1.1 to encompass supply chain controls as well, matters only became more complicated for teams looking to adopt the gold-standard. The NIST CSF, though, is also one of the most challenging frameworks to adopt given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF from their CEO or the Board of Directors, selecting where to begin is the greatest challenge.

The NIST CSF and SP 800-53 Meet The Pareto Principle

The Pareto principle (also known as the 80/20 rule) states that, for many events, roughly 80% of the effects come from 20% of the causes. Originally applied to economics, the 80/20 rule eventually made its way into business - giving rise to the idea that "80% of sales come from 20% of clients".

Mathematically, the 80/20 rule is roughly followed by a power law distribution for a particular set of parameters, and many natural phenomena have been shown empirically to exhibit such a distribution. The Pareto Principle has been applied throughout business and technology today - popularized by efficiency-focused Silicon Valley startups and applied to almost every area of management in modern businesses.

Realizing that the principle could be applied to cybersecurity, the CyberSaint team set about to develop the means to extract the controls from NIST SP 800-53 and the approaches from the NIST CSF to yield the 20% of the controls that produce the highest result - giving security practitioners a clear path to adopting the gold-standard in cybersecurity.

Why This Has Never Been Done

Many roadblocks exist in identifying these top 45 controls that yield the highest cyber resiliency. To understand, one must examine both the CSF and SP 800-53: Both of these frameworks exist in nested control families as most frameworks do. Looking at another dimension, they also cover the three aspects that a control addresses - people process and technology. They were also designed to be fully adopted. NIST SP 800-53 was developed as a required framework for government agencies, and the CSF was initially intended for securing critical infrastructure - in short, they were both designed to avoid partial adoption.

The hierarchy of controls that exist in these frameworks (AC-1, AC-2, etc.) are foundational, and the frameworks are designed to ensure that an organization adopts the foundational aspects before they move on to additional protection and hardening measures.

How CyberSaint Did It

Using the three control dimensions: people, process, and technology, and the implicit hierarchy of the NIST SP 800-53 controls, we have populated the CSF framework in a lightweight manner. In short - CyberSaint has curated this foundational set to help implement the most essential controls to produce 80% of baseline cybersecurity resilience with 20% of the effort.

How To Use The CyberSaint PowerControls

The priority for creating the PowerControls was creating a clear path to NIST CSF adoption for an organization of any size. Using the PowerControls, security leaders can discuss with their business-side counterparts their work to adopt the framework and use it as a means to discuss their cyber program and posture.

They are an educational tool, too, in a way. There is a lot of confusion around the NIST CSF. There is even more around what 800-53 controls are when applied to private organizations. The Power Controls are an excellent tool to talk about the difference between the CSF and SP 800-53, and how controls can help organizations implement the CSF in a detailed, and measurable way.

The CyberSaint PowerControls are available as a framework within the CyberStrong platform - to see the PowerControls and CyberStrong in action, schedule a demo today.

You may also like

Zero Trust Security – A Quick Guide
on January 24, 2022

Zero Trust is a security framework that requires authentication, authorization, and validation from all users, whether inside or outside the organization's network. This is ...

CyberStrong December Update
on January 20, 2022

December Product Update Crosswalks, graphics, and filters - Oh my! 🎵♪🎵 New crosswalks on frameworks and labels on graphics Helpful team filters and alerts on late status Clear ...

Kyndall Elliott
CEO's - Do You Know Where That ...
on January 3, 2022

It is no secret that cybersecurity has mystified many members of the C-suite since the function was introduced. Headlines are dominated by breaches and hearings of information ...

Jerry Layden
CyberSaint's Response to the Log4j ...
on December 23, 2021

Members of the CyberSaint Community, My name is Padraic O’Reilly, the Chief Product Officer of CyberSaint. In light of the impacts of the Log4j vulnerability on the greater ...

Padraic O'Reilly
The CEO's Guide To Understanding ...
on December 17, 2021

With high-profile data breaches and cyber incidents capturing headlines almost weekly, business leaders are getting a front-row seat to the impact cybersecurity can have on an ...

Jerry Layden
The Guide To A CEOs First ...
on December 16, 2021

One of the most significant challenges that CEOs and business-side leaders are faced with when tasked with implementing a cybersecurity program is the board-level reporting that ...

Jerry Layden