Organizations are starting to realize that cybersecurity is a companywide priority, not just a technical challenge for the IT department. Corporate boards, seeing the damage from major breaches over the past few years, have stepped in and placed cyber risk management higher on their list of priorities.
But organizations' perception of their own cybersecurity preparedness is still ahead of reality. As an example, in a recent LexisNexis survey of healthcare leaders, 58% said they believed the security of their patient portals is above average. In the same industry, portal breaches tripled between 2017 and 2018, affecting more than 15 million patients.
The NIST Cybersecurity Framework, while voluntary, is designed to help organizations set standards, guidelines and best practices for their security efforts. As such, it has the potential to bring organizations’ cybersecurity realities into closer alignment with their perception. For companies that know their security programs need improvement, NIST offers a foundation for assessing needs and building a stronger defense.
For those organizations that are new to NIST, a good starting point is to understand the three main components of the framework: implementation tiers, framework core and profiles.
NIST’s goal isn’t to overhaul existing cybersecurity programs. Instead, it sets standards that help organizations define their current state of cybersecurity preparedness and build on it. The degree to which a program meets those standards is referred to as its implementation tier. The framework defines four tiers, as follows:
- Tier 1: Partial implementation
- Tier 2: Risk informed
- Tier 3: Repeatable
- Tier 4: Adaptive
An individual organization does not need to treat the implementation tiers as a maturity scale for its program. Instead, it can assess both its current tier and its target tier, according to organizational needs and priorities.
The framework core organizes the activities and outcomes that make up a cybersecurity program into categories. The categories are aligned with five key functions of a program:
A framework profile describes NIST’s standards in alignment with an organization’s unique objectives and risk prioritization. The profile essentially adapts NIST to the organization’s own context and offers a concrete path for improving the particular set of cybersecurity controls the organization has put in place.
Lunarline has helped organizations of all sizes implement and improve on NIST implementations to solve their most pressing cybersecurity challenges. For more information about how we can help you, contact us today.