<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NIST Cybersecurity Framework

Using CyberSaint Power Controls to Implement the NIST CSF


Two of the National Institute of Standard and Technology’s most popular frameworks, the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-53, are some of the most comprehensive cybersecurity frameworks and standards available. Whether leading a cybersecurity team of one or hundreds, CISOs and security leaders consistently turn to the CSF and 800-53 for guidance and development of their programs. These frameworks, though, are some of the most complicated and seemingly impossible frameworks to adopt fully. Especially with the voluntary CSF and the foundational framework core designed to support a comprehensive discussion around cybersecurity with business leaders, many CISOs hope to use it as a foundation and supplement - and full adopters wear that achievement with pride.

Understanding that finding the right place to start is often the hardest challenge, CyberSaint developed the NIST Power Controls - the 20% of the controls that yield the 80% of the results. Whether formalizing a cybersecurity program for the first time or embarking on adopting the NIST CSF, the PowerControls are the best place to start.

The Challenge with Implementing the NIST CSF

It is often the aspiration of many security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework to navigate both new technologies entering the market as well as new regulations hitting almost every industry. The reason being that the NIST CSF is often the foundation for these specific regulations - for example, both Special Publication 800-171 for Department of Defense contractors and 23 NYCRR 500 for New York state financial service organizations - draw inspiration and lineage from the CSF. When the CSF was updated with Version 1.1 to encompass supply chain controls as well, matters only became more complicated for teams looking to adopt the gold-standard. The NIST CSF, though, is also one of the most challenging frameworks to adopt given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF from their CEO or the Board of Directors, selecting where to begin is the greatest challenge.

The NIST CSF and SP 800-53 Meet The Pareto Principle

The Pareto principle (also known as the 80/20 rule) states that, for many events, roughly 80% of the effects come from 20% of the causes. Originally applied to economics, the 80/20 rule eventually made its way into business - giving rise to the idea that "80% of sales come from 20% of clients".

Mathematically, the 80/20 rule is roughly followed by a power law distribution for a particular set of parameters, and many natural phenomena have been shown empirically to exhibit such a distribution. The Pareto Principle has been applied throughout business and technology today - popularized by efficiency-focused Silicon Valley startups and applied to almost every area of management in modern businesses.

Realizing that the principle could be applied to cybersecurity, the CyberSaint team set about to develop the means to extract the controls from NIST SP 800-53 and the approaches from the NIST CSF to yield the 20% of the controls that produce the highest result - giving security practitioners a clear path to adopting the gold-standard in cybersecurity.

Why This Has Never Been Done

Many roadblocks exist in identifying these top 45 controls that yield the highest cyber resiliency. To understand, one must examine both the CSF and SP 800-53: Both of these frameworks exist in nested control families as most frameworks do. Looking at another dimension, they also cover the three aspects that a control addresses - people process and technology. They were also designed to be fully adopted. NIST SP 800-53 was developed as a required framework for government agencies, and the CSF was initially intended for securing critical infrastructure - in short, they were both designed to avoid partial adoption.

The hierarchy of controls that exist in these frameworks (AC-1, AC-2, etc.) are foundational, and the frameworks are designed to ensure that an organization adopts the foundational aspects before they move on to additional protection and hardening measures.

How CyberSaint Did It

Using the three control dimensions: people, process, and technology, and the implicit hierarchy of the NIST SP 800-53 controls, we have populated the CSF framework in a lightweight manner. In short - CyberSaint has curated this foundational set to help implement the most essential controls to produce 80% of baseline cybersecurity resilience with 20% of the effort.

How To Use The CyberSaint PowerControls

The priority for creating the PowerControls was creating a clear path to NIST CSF adoption for an organization of any size. Using the PowerControls, security leaders can discuss with their business-side counterparts their work to adopt the framework and use it as a means to discuss their cyber program and posture.

They are an educational tool, too, in a way. There is a lot of confusion around the NIST CSF. There is even more around what 800-53 controls are when applied to private organizations. The Power Controls are an excellent tool to talk about the difference between the CSF and SP 800-53, and how controls can help organizations implement the CSF in a detailed, and measurable way.

The CyberSaint PowerControls are available as a framework within the CyberStrong platform - to see the PowerControls and CyberStrong in action, schedule a demo today.

You may also like

3 Ways Financial Institutions are ...
on January 14, 2021

Financial services firms have often been at the forefront of security since the inception of the first Chief Information Security Officer in the 1980s. Why? For the same reason ...

3 Steps for Secure Digital ...
on January 12, 2021

It comes as no surprise to readers that the COVID-19 pandemic vastly catalyzed digital business. From the rapid, necessary adoption of remote work to the precipitous rise in ...

Augmenting Legacy GRCs During ...
on January 7, 2021

From Silos to a Category to Modern-Day From the early days of internal audit and external audit, governance, and policy management silos and into the era of enterprise governance, ...

Alison Furneaux
Embrace Cyber Risk Transformation ...
on January 5, 2021

Widespread Digitalization Puts Increasing Demands on Risk and Compliance Programs The scope of risks to be managed is increasing. Especially over the past year amid the COVID-19 ...

Alison Furneaux
Practice vs Process Maturity: ...
on December 18, 2020

Information security maturity has never been more important. In the wake of the COVID-19 pandemic, the catalyzation of digital transformation and the ripple effects on businesses ...

Top 5 Cyber Events 2020
on December 15, 2020

2020 brought a lot of unforeseen circumstances with it. A lot has happened between the rampant risk in cyber attacks across the digital landscape to the COVID-19 pandemic ...