Implementing the NIST Cybersecurity Framework—Why and How?

At the 18th Annual Niagara County Technology and Cybersecurity Forum, Lume Strategies Chief Information Officer Peter Capelli spoke about steps organizations can take to enhance their cybersecurity programs. In particular, he shared his expertise on the NIST Cybersecurity Framework, which was first released in 2014 and recently updated in 2018.

What is the NIST Cybersecurity Framework?

Congress established the National Institute of Standards and Technology (NIST) in 1901 to make the U.S. economy more competitive through improvement of its measurement infrastructure. Today, NIST delivers critical measurement solutions in support of technologies large and small, ranging from the Smart Grid to health records to computer chips.

NIST released its Framework for Improving Critical Infrastructure Cybersecurity in February 2014 as a “living” document to be updated over time as technology evolves. The Framework is organized around five Functions (Identify, Protect, Detect, Respond, Recover), each broken down into Categories and Subcategories that describe desired security outcomes rather than specific controls. Businesses use it to build a Current Profile of the outcomes they achieve today, a Target Profile that reflects their business objectives and risk environment, and an action plan to close the gap between the two. An updated version of the Framework (v1.1) was published in April 2018.

Why use the NIST Framework?

NIST is not the only organization that offers a cybersecurity framework; COBIT, ISO 27001, and HITRUST are some of the better-known alternatives. Within the U.S., however, the NIST Framework is widely treated as a best practice and de facto industry standard. As of 2015, a year after its release, an estimated 30% of U.S. organizations were already using the NIST Framework, and adoption was projected to reach 50% by 2020.

In developing the Framework, NIST worked closely with industry stakeholders and continues to consult with a wide range of businesses and groups to keep the framework relevant for all organizations, regardless of size, sector, and maturity.

Compared with more prescriptive frameworks, NIST’s offers both scalability and flexibility. Because the Framework is outcome driven and specifies what should be achieved rather than how, organizations can map its Subcategories onto controls they already operate (the Framework’s Informative References point to ISO/IEC 27001, COBIT, NIST SP 800-53 and others) and align processes and timelines with their own resources and workflows.

Best Practices for Implementing a Cybersecurity Framework

Enhancing your organization’s cybersecurity is a marathon, not a sprint. Whether you opt for the NIST Framework or another, it’s important to keep this in mind. Set realistic expectations for yourself, your team, and your leadership, and strive for continuous improvement. And, as you move through the process, be sure to communicate your findings and progress to your executive team.

Rather than trying to tackle everything at once, focus on the areas that are most critical to your business, and where you can make the most valuable and impactful improvements. Partnering with outside experts, like Lume Strategies, can also shed new light on where your organization currently stands with regard to cybersecurity and help you determine the best path forward.
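One way to put the Current Profile / Target Profile approach described above into practice, and to rank the resulting gaps by business criticality as this section recommends, is a small scoring script. The following is an added example, not code from the original article or from NIST: the subcategory IDs are real CSF v1.1 identifiers with shortened outcome statements, but the 0–4 maturity scale, the profile scores and the criticality weights are constructed for illustration and would be replaced by an organization's own assessment.

```python
"""NIST CSF Profile gap analysis (added example; scores are constructed)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed maturity scale per subcategory, loosely modelled on the
# Framework Implementation Tiers: 0 none, 1 partial, 2 risk-informed,
# 3 repeatable, 4 adaptive.
MIN_SCORE, MAX_SCORE = 0, 4

# Real CSF v1.1 subcategory IDs; outcome statements shortened here.
SUBCATEGORIES: Dict[str, str] = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are issued, managed and revoked",
    "PR.AC-4": "Access permissions are managed following least privilege",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after an incident",
}

# Constructed Current Profile (where we are) and Target Profile (where we
# want to be), plus a constructed business-criticality weight (1 low .. 3 high).
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3, "PR.AC-4": 1,
                   "PR.DS-1": 2, "DE.CM-1": 1, "RS.RP-1": 0, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.AC-4": 3,
                  "PR.DS-1": 3, "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 3}
CRITICALITY = {"ID.AM-1": 2, "ID.AM-2": 2, "PR.AC-1": 3, "PR.AC-4": 3,
               "PR.DS-1": 2, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str      # ID, PR, DE, RS or RC, taken from the ID prefix
    current: int
    target: int
    criticality: int

    @property
    def delta(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # A larger shortfall on a more critical outcome ranks higher.
        return self.delta * self.criticality


def validate_profile(profile: Dict[str, int], name: str) -> None:
    """Reject unknown subcategory IDs and out-of-range scores up front."""
    unknown = set(profile) - set(SUBCATEGORIES)
    if unknown:
        raise ValueError(f"{name}: unknown subcategories {sorted(unknown)}")
    for sub, score in profile.items():
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(
                f"{name}: score for {sub} must be an int in [{MIN_SCORE}, {MAX_SCORE}]")


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 criticality: Dict[str, int]) -> List[Gap]:
    """Return subcategories where target exceeds current, highest priority first."""
    validate_profile(current, "current")
    validate_profile(target, "target")
    gaps: List[Gap] = []
    for sub in SUBCATEGORIES:
        cur = current.get(sub, MIN_SCORE)   # unassessed counts as not implemented
        tgt = target.get(sub, cur)          # no stated target means keep current
        if tgt > cur:
            gaps.append(Gap(sub, sub.split(".")[0], cur, tgt, criticality.get(sub, 1)))
    # Sort by priority, then by raw shortfall, then by ID for stable output.
    return sorted(gaps, key=lambda g: (-g.priority, -g.delta, g.subcategory))


def function_rollup(gaps: List[Gap]) -> Dict[str, int]:
    """Total priority-weighted shortfall per Function, largest first."""
    totals: Dict[str, int] = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.priority
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    ranked = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, CRITICALITY)
    for g in ranked:
        print(f"prio {g.priority:2d}  {g.subcategory:8s} {g.current}->{g.target}  "
              f"{SUBCATEGORIES[g.subcategory]}")
    print("per-Function shortfall:", function_rollup(ranked))
```

Run stand-alone, the script prints the ranked gap list (with these constructed scores, DE.CM-1, PR.AC-4 and RS.RP-1 come out on top) and a per-Function total that shows where the Target Profile is furthest away. The same structure scales to the full set of 108 subcategories; the point is that the Framework itself supplies the outcome list, while the scores and weights are the organization's own risk judgement, which is what makes it flexible across sizes and sectors.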

To learn more about what your organization can do to improve cybersecurity, contact Lume Strategies today.
