It’s been nearly two decades since the turn of the 21st century, and gone are the days of old. In 2019, many of us have swapped our traditional cable packages for online subscription-based streaming, our gas-guzzling SUVs for battery-powered compact cars, our newspaper stands for Twitter feeds and our greasy, cholesterol-packed breakfasts for avocado toast and kale smoothies—complete with a paper straw, of course.
Nearly every facet of life has changed dramatically since Y2K, and the way we do business is no exception. With the onset of digital transformation, protecting data has become even more critical, and so has the way organizations manage risk. It's not enough simply to protect data; it must be done deliberately and with the entire organization in mind.
Take data storage, for example. Just a few years ago, physical files packed full of confidential data were routinely stored in manila folders inside metal filing cabinets. Those same files are now effortlessly uploaded to "the cloud," a place we've all come to rely on yet will never physically see or touch. And unlike those towering, cold filing cabinets, the cloud has no physical location under your control, let alone a lock and key. So how do we protect it and the rest of our network?
Enter cybersecurity and compliance, our digital padlock of 2019. The strength of your organization’s padlock relies on the design, implementation and enforcement of a comprehensive risk management plan. But as technology advances at a rapid pace, keeping up with the best cybersecurity practices can be daunting, especially for smaller organizations with limited resources.
That's why in 2014, the National Institute of Standards and Technology released the NIST Cybersecurity Framework (CSF), developed in response to Executive Order 13636 and updated to version 1.1 in April 2018. It organizes cybersecurity outcomes under five functions (Identify, Protect, Detect, Respond and Recover) and points to widely used standards and best practices, so it can be tailored to any organization's security needs. Think of it as the cybersecurity benchmark every organization should strive to meet.
But becoming CSF-compliant is no easy feat. The framework spans 23 categories and 108 subcategories (outcomes rather than prescriptive controls), which makes it challenging to know where to begin given an organization's unique position and needs. Experts suggest starting by mapping the controls already in place against the CSF subcategories. Once that alignment is achieved, a continuous monitoring plan is critical to maintaining it, because the framework is voluntary and there is no formal certification to fall back on.
Even though achieving CSF compliance can take serious consideration and time, many international players have recently begun leveraging the framework, thanks in part to new efforts from NIST.
Recently, NIST officially announced it was expanding its international collaboration and alignment efforts to promote the framework on the world stage (after all, CSF references globally accepted standards, guidelines and practices).
One of these efforts included NIST’s participation in a roundtable discussion with the Brazil-U.S. Business Council during the U.S. visit of Brazilian President Jair Bolsonaro in March. During the meeting, both parties announced increased collaboration and the framework’s translation to Portuguese. (CSF has already been translated to Japanese, Italian, Hebrew, Spanish and Arabic.) In addition, NIST says it will continue to highlight the framework’s international efforts on its website and in public engagements.
We should applaud these efforts.
There's no reason the industry shouldn't rally behind a globally accepted set of cybersecurity standards and best practices. As more domestic organizations expand to serve global client bases, they must reconsider their cybersecurity approaches accordingly.
If the industry can agree upon and enforce safety and security standards for commercial aviation or food and drug manufacturing (just to name a few), it can surely do the same for cybersecurity.
We can start by becoming and remaining CSF-compliant, encouraging others to do the same, setting an example of business best practice and keeping current with NIST's updates to the framework.
To help enterprises get started, here are five practical tips for implementing CSF effectively:
Start by understanding your organizational risks.
Define your risk appetite (how much risk the organization is willing to accept in pursuit of its objectives) and risk tolerance (the acceptable variance around that level for a given activity).
Determine your current CSF Implementation Tier (from Tier 1, Partial, to Tier 4, Adaptive) and the target tier that matches your business and mission (most likely you will end up with several tiers across different parts of the same organization).
Map the frameworks already in your environment (NIST SP 800-53 for FISMA, ISO/IEC 27001, COBIT) to CSF subcategories based on your business model; the CSF's informative references already provide a starting point for these mappings.
Perform initial gap analysis, then use the findings to decide your CSF strategy.
An alternative is to hire a third-party provider that specializes in governance, risk and compliance to manage and navigate the process.
Looking at the big picture, it is best to plan on integrating CSF into your business as a long-term strategy. CSF is not a one-time, quick checklist, so allocate the proper resources to ensure a successful implementation and long-term, effective risk management.
Because best practices matter, taking these first steps is essential. A recent survey by Tech Pro Research found that only 28% of 248 IT professional respondents said they had not been the victim of some form of security attack; nearly three in four had.
What will your organization do to stay safe? Will it continue on with ineffective, point-in-time compliance activities of yesterday, or will it strive to adopt the gold standards set forth by NIST and the framework to keep up with the security demands of today? Hopefully, organizations across the globe will choose the latter, thanks in part to NIST’s recent international efforts.
Baan Alsinawi is the founder and president of TalaTek, an integrated risk management firm in Washington, D.C. and a member of ISC2 and ISACA.