I’ve said it before: fragmented systems are an enemy of data security, largely because they produce an equally fragmented security program that is too hard for IT teams to manage and too easy for attackers to pick apart. But in today’s world, where companies are ever more interconnected and as-a-Service software brings a level of complexity the enterprise has never had to deal with before, how can companies keep their data safe? One of the strongest options has been sitting under our noses for several years: the NIST CSF.
In 2014, the National Institute of Standards and Technology (NIST) introduced a strategic security framework meant to help organizations of any size, from a local print shop to a U.S. federal agency, get a better handle on keeping their data safe. The framework, known as the NIST Cybersecurity Framework (CSF), is a scalable, voluntary, risk-based structure that takes a proactive approach to cyber safety, still a new concept for many companies that are working from a fragmented and reactive security mindset.
In the past, many organizations have taken a piecemeal approach to keeping their data safe. They have bought firewalls, antivirus, and anti-malware products without first assessing which assets they actually hold and which of them matter. Why does that matter? Think of it this way: imagine you buy a brand-new house. The house is so large that you cannot afford any furniture or “stuff” to put in it. Yet when you shop for a homeowner’s policy, you overspend on coverage for your “stuff” rather than for the house itself. That is the position of a company that adopts a wide range of “standard” security measures without weighing the specific value of its own systems and data. It wastes money and time, and in the end it still is not protecting the assets that count.
The NIST CSF pushes companies to think in terms of a cybersecurity strategy, one that puts their most valuable assets at the front of every security decision. Below are a few reasons I encourage companies that are struggling to find their “true north” on data security to consider adopting it.
One thing I like about the NIST CSF: it uses language anyone in your company can understand, from the C-suite to the customer service desk. Its core is organized around five Functions: Identify, Protect, Detect, Respond, Recover. These are not sequential steps but concurrent outcomes every program should deliver, and they give a board member and a help-desk analyst a shared vocabulary. We all know how important it is to get buy-in from leadership on cybersecurity, and the best way to do that is to explain it in terms they understand.
The NIST CSF is widely adopted and, while voluntary rather than a regulation itself, its subcategories are mapped to informative references such as ISO/IEC 27001, COBIT 5, and NIST SP 800-53, so a CSF-based program lines up well with many regulatory requirements. Gartner has predicted that 50 percent of organizations will be using some form of the NIST CSF by 2020. In adopting it, you do not just benefit from a proven model; you also speak the same security language as your vendors and business partners, which makes third-party assessments far simpler. It’s a win-win.
The Framework Core is not a list of hundreds of controls you must implement. It breaks the five Functions into a few dozen categories and roughly a hundred outcome-level subcategories, and each subcategory points to the informative references (such as ISO 27001 or SP 800-53 controls) that can satisfy it. I don’t expect your company to pursue every one of them, and that is what makes the framework so useful: NIST has already done the brainstorming about which outcomes a security program should consider. Your job is to build a Profile, selecting the subcategories that make sense for your risk, and to add others as your company grows or evolves.
The NIST CSF is a template: you plug your own company’s needs into a proven model and work out the best way to keep your systems safe. And when I say “customizable,” I mean you can truly make it your own. You document where you stand today as a Current Profile, decide where you need to be as a Target Profile, and the gap between the two becomes your prioritized roadmap. The model does not care which type of data your company values; it helps you decide which data is most valuable to you and gives you a structured way to protect it.
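To make the Current-versus-Target Profile idea concrete, here is a small gap-analysis script. It is an added example written for this article, not NIST tooling or code from the original post. The subcategory identifiers (ID.AM-1, PR.DS-1, and so on) are real NIST CSF 1.1 subcategory IDs; the 0–4 maturity scale, the two profiles, and the business-priority weights are constructed for illustration and would come from your own asset owners.

```python
"""Current vs. Target Profile gap analysis in the NIST CSF tailoring style.

Added example, not from the original article or from NIST. Subcategory IDs
are real CSF 1.1 identifiers; the scores and priorities are constructed.
"""
from dataclasses import dataclass

# The five CSF Functions, keyed by the prefix used in subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Maturity per subcategory on a constructed 0 (not performed) .. 4 (adaptive)
# scale. Current Profile: where the organization stands today.
CURRENT_PROFILE = {
    "ID.AM-1": 2,  # physical devices inventoried
    "ID.AM-2": 1,  # software platforms inventoried
    "PR.AC-1": 3,  # identities and credentials managed
    "PR.DS-1": 1,  # data-at-rest protected
    "DE.CM-1": 1,  # network monitored for anomalous events
    "RS.RP-1": 0,  # response plan executed during an incident
    "RC.RP-1": 0,  # recovery plan executed after an incident
}

# Target Profile: only the subcategories this organization chose to pursue.
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.DS-1": 3,
    "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 2,
}

# Business priority (1..3) set by asset owners; constructed values.
PRIORITY = {
    "ID.AM-1": 2, "ID.AM-2": 2, "PR.AC-1": 3, "PR.DS-1": 3,
    "DE.CM-1": 2, "RS.RP-1": 3, "RC.RP-1": 2,
}


def function_of(subcategory_id: str) -> str:
    """Return the Function prefix of a subcategory ID, validating its shape."""
    prefix = subcategory_id.split(".", 1)[0]
    if prefix not in FUNCTIONS or "-" not in subcategory_id:
        raise ValueError(f"not a CSF subcategory ID: {subcategory_id!r}")
    return prefix


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    priority: int

    @property
    def score(self) -> int:
        """Distance to target weighted by business priority."""
        return (self.target - self.current) * self.priority


def gap_analysis(current: dict, target: dict, priority: dict) -> list:
    """List every Target subcategory not yet met, highest weighted gap first.

    Subcategories present in the Current Profile but absent from the Target
    are ignored: they are out of scope for this organization's roadmap.
    """
    gaps = []
    for sub, tgt in target.items():
        func = function_of(sub)
        cur = current.get(sub, 0)  # never assessed counts as not performed
        if cur < tgt:
            gaps.append(Gap(sub, func, cur, tgt, priority.get(sub, 1)))
    # Tie-break on the ID so the ordering is deterministic.
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def coverage_by_function(current: dict, target: dict) -> dict:
    """Fraction of Target subcategories already met, per Function prefix."""
    met, total = {}, {}
    for sub, tgt in target.items():
        func = function_of(sub)
        total[func] = total.get(func, 0) + 1
        if current.get(sub, 0) >= tgt:
            met[func] = met.get(func, 0) + 1
    return {f: met.get(f, 0) / n for f, n in total.items()}


if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{g.subcategory:8} {FUNCTIONS[g.function]:8} "
              f"{g.current}->{g.target} priority={g.priority} score={g.score}")
    for func, frac in coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{FUNCTIONS[func]:8} {frac:.0%} of target met")
```

With the constructed profiles above, data-at-rest protection (PR.DS-1) and the missing response plan (RS.RP-1) surface at the top of the roadmap, ahead of the asset-inventory gaps, because the weighting reflects what the business values rather than which product is easiest to buy. That is exactly the reordering the “house versus stuff” analogy is asking for.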
It’s Designed for Change
Face it: in today’s tech landscape, technology changes every single day. The last thing you want is to lock yourself into a security approach that will be outdated by the time you sign on the dotted line. The NIST CSF is adaptable precisely because it is not married to any one security measure, whether virtualization security, firewalls, or anything else. It describes outcomes, not products, and it is simply a way to get your head around what you need to protect and the best way to do it. As I have said before, it is easy for IT teams to get lost in a mess of security data, but data does not necessarily equate to intelligence. The NIST CSF helps you keep it simple so your teams spend their time on the most important assets and the most credible threats.
Clearly, there is no magic bullet for data security today. Most companies will face a threat or a breach at some point. But what I like about the NIST CSF is that it helps companies define their cybersecurity strategy in their own terms, acknowledging that there is no single solution while helping them prioritize and simplify in a way that raises the odds of keeping their information safe. And in my book, anything that simplifies data security is a good investment.
This article was first published on Futurum Research.