Two of the National Institute of Standards and Technology’s most popular publications, the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-53, are among the most comprehensive cybersecurity frameworks and standards available. Whether leading a cybersecurity team of one or hundreds, CISOs and security leaders consistently turn to the CSF and 800-53 for guidance in developing their programs. These frameworks, though, are also among the most complicated and seemingly impossible to adopt in full. The CSF in particular is voluntary, and its Framework Core is designed to support a comprehensive discussion of cybersecurity with business leaders, so many CISOs hope to use it as a foundation and supplement to their program - and full adopters wear that achievement with pride.
Understanding that finding the right place to start is often the hardest challenge, CyberSaint developed the NIST PowerControls - the 20% of the controls that yield 80% of the results. Whether formalizing a cybersecurity program for the first time or embarking on adoption of the NIST CSF, the PowerControls are the best place to start.
The Challenge with Implementing the NIST CSF
It is often the aspiration of security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework for navigating both new technologies entering the market and new regulations hitting almost every industry. The reason is that the NIST CSF is often the foundation for those specific regulations: for example, both Special Publication 800-171 for Department of Defense contractors and 23 NYCRR 500 for New York state financial service organizations draw inspiration and lineage from the CSF. When the CSF was updated to Version 1.1 to encompass supply chain controls as well, matters only became more complicated for teams looking to adopt the gold standard. The NIST CSF, though, is also one of the most challenging frameworks to adopt given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF by their CEO or the Board of Directors, selecting where to begin is the greatest challenge.
The NIST CSF and SP 800-53 Meet The Pareto Principle
The Pareto principle (also known as the 80/20 rule) states that, for many events, roughly 80% of the effects come from 20% of the causes. Originally applied to economics, the 80/20 rule eventually made its way into business - giving rise to the idea that "80% of sales come from 20% of clients".
Mathematically, the 80/20 rule is approximately what a power law (Pareto) distribution produces for a particular choice of its shape parameter, and many natural phenomena have been shown empirically to follow such a distribution. The Pareto Principle is applied throughout business and technology today - popularized by efficiency-focused Silicon Valley startups and applied to almost every area of management in modern businesses.
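To make the "particular set of parameters" concrete, here is the standard calculation, added as an illustration and not part of the original post. For a Pareto distribution with minimum $x_m$ and shape parameter $\alpha > 1$, the share of the total held by the top fraction $p$ of the population is

$$
S(p) = p^{\,1 - 1/\alpha}.
$$

Requiring the top $20\%$ to account for $80\%$ of the total gives

$$
(0.2)^{\,1 - 1/\alpha} = 0.8
\quad\Longrightarrow\quad
1 - \frac{1}{\alpha} = \frac{\ln 0.8}{\ln 0.2} \approx 0.139
\quad\Longrightarrow\quad
\alpha = \log_4 5 \approx 1.16.
$$

Shape parameters near $1.16$ therefore reproduce the 80/20 split; other values give other splits (for example $\alpha = 2$ gives roughly a 45/20 split), which is why the principle is described as "roughly" followed rather than exact.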
Realizing that the principle could be applied to cybersecurity, the CyberSaint team set about developing a way to extract the controls from NIST SP 800-53 and the approaches from the NIST CSF that together make up the 20% of the controls producing the highest result - giving security practitioners a clear path to adopting the gold standard in cybersecurity.
Why This Has Never Been Done
Many roadblocks exist in identifying the top 45 controls that yield the highest cyber resiliency. To understand why, one must examine both the CSF and SP 800-53. Both of these frameworks are organized into nested control families, as most frameworks are. Along another dimension, they also cover the three aspects that a control addresses: people, process, and technology. They were also designed to be fully adopted. NIST SP 800-53 was developed as a required framework for government agencies, and the CSF was initially intended for securing critical infrastructure - in short, both were designed to avoid partial adoption.
The hierarchy of controls in these frameworks (AC-1, AC-2, etc.) is foundational: the frameworks are designed to ensure that an organization adopts the foundational controls before it moves on to additional protection and hardening measures.
How CyberSaint Did It
Using the three control dimensions (people, process, and technology) and the implicit hierarchy of the NIST SP 800-53 controls, we have populated the CSF framework in a lightweight manner. In short, CyberSaint has curated this foundational set to help implement the most essential controls, producing 80% of baseline cybersecurity resilience with 20% of the effort.
How To Use The CyberSaint PowerControls
The priority in creating the PowerControls was a clear path to NIST CSF adoption for an organization of any size. Using the PowerControls, security leaders can discuss with their business-side counterparts their work to adopt the framework and use it as a means of discussing their cyber program and posture.
They are an educational tool, too. There is a lot of confusion around the NIST CSF, and even more around what the 800-53 controls mean when applied to private organizations. The PowerControls are an excellent tool for explaining the difference between the CSF and SP 800-53, and how controls can help organizations implement the CSF in a detailed and measurable way.
The CyberSaint PowerControls are available as a framework within the CyberStrong platform - to see the PowerControls and CyberStrong in action, schedule a demo today.