In an increasingly complex and evolving threat landscape, the NIST Cybersecurity Framework serves as a set of guidelines that help organizations become adaptable and cyber-resilient in the digital world. In a deep conversation on the 45th episode of Ticket Volume, our IT podcast, David Moskowitz dived into the basics of cybersecurity and how businesses can use the framework's best practices to their advantage.
Moskowitz, the co-founder and Executive Director of the DVMS Institute LLC, is also the lead author of the Create, Protect, and Deliver Digital Business Value Series. This series includes books like "Fundamentals of Adopting the NIST Cybersecurity Framework" and "A Practitioner's Guide to Adapting the NIST Cybersecurity Framework."
Be sure to listen to the complete episode featuring Moskowitz if you are seeking to strengthen your organization's defenses and protect its digital assets. He gave away excellent tips that you may want to add to your cybersecurity strategies.
Moreover, you can sign up for our monthly live recordings and directly ask any questions during the session.
An Introduction to the NIST Cyber Resilience Framework
As the lead author of “The Fundamentals of Adapting the NIST Cybersecurity Framework” and “A Practitioner's Guide to Adapting the NIST Cybersecurity Framework,” Moskowitz provided an in-depth look at the NIST cyber resilience framework.
On that note, Moskowitz said the two books have distinct objectives. The former delves into the importance of cybersecurity, offering insights into an ever-evolving threat landscape. Meanwhile, the latter provides a practical approach, focusing on the adaptation and implementation of the framework.
Now, this framework, developed by the government organization National Institute of Standards and Technology (NIST), was established in response to an executive order from President Obama in 2014. The NIST's role is to create documentation in various areas, including cybersecurity.
The NIST cybersecurity framework revolves around five essential functions that play a vital role in managing cybersecurity threats:
- Identify - It involves understanding the organization's assets, their value, and the potential risks they face. This includes conducting risk assessments, inventorying hardware and software assets, and identifying vulnerabilities.
- Detect - It focuses on establishing mechanisms for identifying cybersecurity events promptly. This covers implementing intrusion detection systems and security monitoring tools, and conducting regular security assessments and audits.
- Protect - It centers on implementing safeguards to prevent or minimize the impact of cyber threats. This can involve measures such as access controls, encryption, network segmentation, and regular employee training and awareness programs.
- Respond - It focuses on developing and implementing an incident response plan to effectively address and mitigate cybersecurity incidents. This comprises establishing communication channels, defining roles and responsibilities, and conducting drills and exercises to test the response plan.
- Recover - It entails developing and implementing strategies to restore normal operations after a cybersecurity incident. It features data backup and restoration plans, incident documentation, and lessons learned for future improvements.
In this regard, Moskowitz said the level of protection implemented may vary among organizations, depending on factors such as size and the handling of classified information.
Additionally, the adoption of the NIST framework requires a governance decision within an organization. It also involves selecting one or more cybersecurity informative references that best suit their specific needs. These could range from ISO 27000 to other NIST publications like 800-171 or 800-53.
"There are several different informative references in the field of cybersecurity. While it's somewhat outdated, the last update of the cybersecurity framework was in 2018, and they are currently in the process of revising it, referred to as 2.0. The current version is 1.1, but it's a little bit dated because NIST has also updated both 800-171 and 800-53, resulting in some differences in the control mappings to the core functions. However, the fundamental ideas behind the framework remain unchanged."
Stabilization, optimization, and innovation
A different way to illustrate this is by thinking in terms of stabilization, optimization, and innovation as interconnected concepts that organizations should focus on when it comes to cybersecurity. These concepts are not discrete tiers, but rather built on top of a set of models that provide a practical approach to making them work effectively.
For instance, stabilization consists of making incremental and sustaining changes within an organization. This may require adjusting policies or strategies to ensure that cybersecurity is integrated into the overall business framework. Once the environment is stabilized, organizations will have created a solid foundation for their cybersecurity efforts.
"What happens if what you're doing is dealing with something that requires a change to policy? That's an adaptive innovation. And if you deal with a change to strategy, that's a disruptive innovation. Now, let's circle back to our discussion on stabilizing, optimizing, and innovating. These are not discrete tiers because part of stabilization can involve incremental and sustaining efforts. However, you may also discover that to stabilize, you need to change policy or strategy. These elements are not separate layers but rather built upon a set of models that provide organizations with a practical approach to make it all work."
Moskowitz's preferred governance mechanisms
First of all, we have the digital value management system, consisting of three layers:
- The top layer (black box)
- The middle layer (overlay)
- The bottom layer (system model)
This system plays a crucial role in planning and governance at the organizational level. Various departments, such as HR, Finance, and IT, need to plan and govern their activities to ensure alignment with cybersecurity goals. The overlay in the digital value management system helps organizations map their activities to capabilities related to governance, change, and innovation.
Moskowitz added the CPD (Create, Protect, Deliver) model, which represents an escalation archetype in systems thinking. It emphasizes the integration of strategy and risk, drawing attention to the value of treating cybersecurity as a business issue rather than a responsibility belonging solely to a separate department.
The solution? Integrating strategy and risk into their overall approach.
This integration empowers organizations to effectively create and protect digital business value, as they proactively identify and address potential risks and vulnerabilities.
Moskowitz believes IT leaders need to consider risk as an integral aspect of their strategy, so organizations can make informed decisions and implement robust security measures to safeguard their digital assets and maintain uninterrupted business operations. This three-layer model enables them to:
- Stay ahead of emerging threats
- Capitalize on opportunities
- Minimize potential risks to their digital ecosystem
In a nutshell, embracing a holistic approach to cybersecurity is an absolute game-changer for organizations in effectively tackling cybersecurity risks. It's all about adopting models like the digital value management system and the CPD one to spot any gaps, make crucial adjustments, and stay one step ahead in the dynamic realm of cybersecurity threats.
This fresh philosophy and framework for cybersecurity equip organizations with a comprehensive and strategic game plan to fortify their digital assets and ensure smooth sailing in the face of any adversity. So, let's gear up and safeguard our digital kingdom with unwavering determination!
This is just a summary of Ticket Volume's episode featuring David Moskowitz. There's a lot more to discover in the recording. Be sure to listen to the full conversation with Matt Beran to learn more about the NIST cyber resilience framework.
You can find the full episode on popular platforms like Apple Podcasts, Spotify, YouTube, or any other podcast platform you prefer. Remember to subscribe if you're interested in joining the monthly live recordings!