Building a Strong Security Program Using the NIST Cybersecurity Framework

Updated: Sep 17, 2021

Focusing Your Initial Information Security Efforts

Security assessments are ubiquitous, but they vary widely in their objectives and usefulness to your organization. Here’s a common scenario: a trusted partner offers to run a third-party automated tool against your website and give you the results at no cost. You get the results through a slick UI and there are flashing red lights everywhere! That can't be good -- now what do you do?

Here’s another scenario: your customer or another third party requires penetration tests or vulnerability scans. Simply doing the required technical assessment might move the ball forward with that organization, but know this: there will be findings, some might be "Critical" or "High," and your third party might reasonably ask you to fix them. Although you might not have had any choice, you have just backed into a reactive security activity, and you have work to do before you can even think about getting on the front foot when it comes to your security posture.

If you are just starting to build an information security program, hold off on technical assessments until you know exactly why your organization is conducting each one at any given time. Don’t get me wrong, we have enjoyed conducting penetration tests for Fortune 500 corporations and startups alike, and we’ve built and sold automated security scanning services. Technical assessments provide context-specific detail that can make a difference when the organization being tested has security objectives for the target environment and a way to act on the results. But when initiating an information security investment or activity, it’s better to run assessments that first answer strategic questions, such as:

  • Is my organization’s investment in security reasonable for our risk profile and the threats we are facing?

  • What information assets do I really need to protect?

  • Are we spending enough, too little, or too much?

  • Do I have significant gaps in my information security posture, that if exploited, would cause real harm to my organization?

  • Are my existing investments in tools properly operationalized, or are they really the cloud-native version of shelfware? In other words, do you assume your tools are working just because nothing has broken and you aren’t receiving regular alerts? Silence from a monitoring tool is not evidence that it works; it can just as easily mean an agent stopped reporting or an alert route broke.
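One concrete way to answer the last question is to treat the absence of telemetry as a finding in its own right. The script below is an added example, not code from the original post or from IOmergent: it defines how often each security tool is expected to produce something (an alert, a heartbeat, or the result of a scheduled canary test such as a benign test file dropped on an endpoint), parses a constructed sample of what the SIEM actually received, and flags every source that has gone quiet for longer than its expected interval. The source names, intervals and log lines are all assumptions made for illustration.

```python
"""Silent-source check: treat the absence of alerts as a finding.

Added example (not from the original post). Every monitored source must
emit at least a heartbeat or a scheduled canary event within its expected
interval; sources that fall silent are reported instead of assumed healthy.
Source names, intervals and log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed expectations: how often each source should produce *something*
# (an alert, a heartbeat, or the outcome of a scheduled canary detection test).
EXPECTED_INTERVAL = {
    "edr":        timedelta(hours=1),      # agent heartbeats
    "waf":        timedelta(hours=6),      # blocked-request summary
    "cloudtrail": timedelta(minutes=30),   # log delivery to the SIEM
    "canary":     timedelta(hours=24),     # daily benign test that must raise an alert
}

# Constructed sample of what the SIEM received, in "ISO8601 source details..." form.
# The WAF and canary entries are deliberately stale to show a silent failure.
SAMPLE_EVENTS = """\
2021-09-17T08:02:11Z edr heartbeat host=web-01
2021-09-17T08:05:42Z cloudtrail delivered batch=1183
2021-09-16T20:10:00Z waf summary blocked=27
2021-09-17T08:30:09Z edr heartbeat host=web-02
2021-09-17T08:35:55Z cloudtrail delivered batch=1184
2021-09-14T09:00:00Z canary test_detection result=alerted
"""


def parse_events(text):
    """Return {source: latest_timestamp} from lines of 'ISO8601 source rest...'."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, source, *_ = line.split()
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    return latest


def find_silent_sources(latest_by_source, expected, now):
    """Flag sources never seen, or last seen longer ago than their expected interval."""
    findings = {}
    for source, interval in expected.items():
        last = latest_by_source.get(source)
        if last is None:
            findings[source] = "never reported"
        elif now - last > interval:
            findings[source] = f"silent for {now - last}, expected every {interval}"
    return findings


def check_pipeline(text=SAMPLE_EVENTS, expected=EXPECTED_INTERVAL, now=None):
    """Run the check; 'now' defaults to a fixed time so the sample is reproducible."""
    now = now or datetime(2021, 9, 17, 9, 0, tzinfo=timezone.utc)
    return find_silent_sources(parse_events(text), expected, now)


if __name__ == "__main__":
    for source, reason in sorted(check_pipeline().items()):
        print(f"FINDING: {source}: {reason}")
```

Run against the constructed sample, the EDR and CloudTrail sources pass while the WAF and the canary test are reported as silent; the point is that "no alerts from the WAF in twelve hours" is surfaced as a problem rather than read as good news. In a real deployment the same check would run on a schedule against the SIEM's own index and page someone when a source disappears.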

With the answers to these questions you are in a position to prioritize and build a security roadmap that is aligned with your organization’s mission and objectives. So, as you start to get serious about information security (regardless of the reason), do yourself a favor: start with the big picture of your organization, identify the strategic and operational risks, and use standards-based frameworks to conduct the assessment.

Benefits of Using a Standards-based Framework

A security assessment enables you to understand the strength of your organization’s security posture by examining your digital attack surface and any gaps your company might have within its own infrastructure or that of your vendors. Using a standards-based framework enables you to compare your organization’s results to peers and industry benchmarks, which helps validate the readiness of your information security program.

About the NIST Cybersecurity Framework

Many of our clients use the NIST Cybersecurity Framework (CSF) to get started. It is an excellent tool for understanding your cybersecurity posture and managing your risks. Rather than a pile of unwieldy rules or overly prescriptive controls, it provides a flexible yet standards-based framework to measure the maturity of your program, identify gaps relevant to your business, and take steps to close those gaps and strengthen your security posture.

The NIST CSF is simple to understand and easy to use and customize. We like it because it incorporates risk management concepts and helps organizations think about critical assets and identify risks without forcing organizations that are just starting their security program to produce and risk-rank a full asset inventory right off the bat. At its core are five industry standards-based information security functions -- Identify, Protect, Detect, Respond, and Recover -- that will help your organization prepare for the entire security incident lifecycle. To assess your program, the NIST CSF uses four implementation tiers -- Partial, Risk Informed, Repeatable, and Adaptive -- that describe how rigorously each aspect of your cybersecurity posture is managed. NIST itself notes that the tiers are not intended as maturity levels, but in practice they are widely used as a maturity scale, and that is how we use them here.


What the NIST CSF Doesn’t Provide

While the CSF is a comprehensive way to get started in maturing your security program, know that it won’t be sufficient for assessing application security or the software development lifecycle (SDLC) for companies that build and deliver customer-facing applications. DevSecOps simply isn’t an area of focus within the NIST CSF, and you’ll need to supplement it. Moreover, if you are trying to understand your security posture, you need more than your CSF score, which will illustrate your organization’s maturity against industry benchmarks but won’t tell you what it should actually be. The CSF does have the notion of a Target Profile, but it leaves the contents of that profile entirely to you. You need prescriptive guidance, which can be a rather subjective thing based on your organization’s strategy, operations, and risk tolerance.

To get that kind of guidance, we recommend partnering with a service provider like IOmergent. We’ll help you rightsize your security program and align it with your organization’s strategy and operations. For example, there are many things within the NIST CSF that may not be necessary for your company at this time. We can also help you maximize the security impact of what you already have when it comes to people, processes, and technology. That’s the low-hanging fruit that a broad assessment can uncover, and IOmergent can help you optimize those elements.

With front-line experience and expertise in operationalizing incident response and mitigating risk, we can handle any framework-based or technical assessment, make recommendations to better optimize your program elements, and work with you to implement them.

Would you like to see how IOmergent can help your organization mature its security program? Contact us today to schedule a confidential consultation at no cost.