Embracing the Enhanced Potential of NIST Framework 2.0: A Comprehensive Reevaluation of Risk Management

Global Cyberattacks on the Rise

Published: [Date]

New data shows a significant increase in global cyberattacks over the past few years, with a 38% rise in 2022 alone according to Check Point. This rise in cyberattacks is accompanied by the escalating cost of data breaches, averaging $9.44 million in the United States and $4.25 million globally in 2022. The alarming increase in cyber threats has made preventing cyberattacks a top priority for organizations as they enter 2024.

NIST Updates Cybersecurity Framework

In early August, the National Institute of Standards and Technology (NIST) released an update to its Cybersecurity Framework (CSF). This new draft reflects NIST’s inclusive and responsive approach to risk management in order to mitigate the frequency and cost of cyberattacks. As the gold standard for building a robust cybersecurity program and reducing cyber-risk, CSF 2.0 incorporates feedback from Fortune 500 companies who are on the front lines of cyberattacks.

The Importance of Continuous and Quantitative Risk Assessment

Continuous risk assessment lies at the foundation of a robust cybersecurity program. By regularly assessing risks, organizations can gain a deeper understanding of their most critical IT assets, the threats they face, security weaknesses, and the likelihood of those weaknesses being exploited. The Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations conduct cyber-risk assessments regularly to enhance their security posture and meet cyber insurance requirements.

To keep pace with the rapidly evolving cyber threat landscape, automation and AI-based tools are essential. These tools allow enterprises to identify assets, prioritize vulnerabilities, and quantify the likelihood and potential impact of risks. However, as bad actors begin to leverage AI for malicious purposes, it is crucial for organizations to learn how to use it for good. NIST’s updated framework acknowledges the complexity of measuring cybersecurity risk and emphasizes the need for all departments within an organization to invest in and understand the continuous risk assessment process.

Prioritizing Continuous Improvement

The concept of continuous improvement goes beyond simply implementing the next recommended cybersecurity measures. It advocates for a holistic approach to cybersecurity that requires organization-wide support. Cybersecurity is not a one-time fix; it is an ongoing journey that necessitates constant adaptation and enhancement.

NIST’s updated draft introduces a new Improvement category in the Identify function, emphasizing the importance of constantly improving cybersecurity practices. Additionally, the draft includes updates to definitions of implementation tiers and addresses factors such as cybersecurity risk management, governance, and third-party risks. These updates showcase NIST’s commitment to a holistic approach to managing risk.

Strengthening Supply Chain Risk Management

Supply chain attacks have become a major concern in recent years, as demonstrated by high-profile incidents like the SolarWinds attack and the Log4j exploitation. Gartner predicts that by 2025, 45% of global organizations will be impacted by a supply chain attack. These attacks highlight the struggle many organizations face in creating a comprehensive software bill of materials (SBOM) for their applications, leaving them vulnerable to exploitation.

In the updated draft, NIST emphasizes the importance of agility and accuracy in supply chain risk management. It suggests requiring suppliers to provide and maintain a component inventory, which can be likened to an SBOM. Given the critical reliance on supply chains for many organizations, precision in risk management practices is essential for staying ahead of potential attacks.

Enhancing Implementation Examples

Recognizing the need for practical guidance, the updated NIST framework includes additional implementation examples to help organizations apply the cybersecurity best practices outlined in the framework. By providing more real-world and responsive cybersecurity management processes, these additional examples empower Chief Information Security Officers (CISOs) and security leaders to implement effective security measures.

Actionable Steps for CISOs

The complexity of the cybersecurity landscape, combined with tool sprawl, the expanding attack surface, and increasing regulatory pressures, necessitates the use of automated and AI-powered tools. These tools provide a single-pane view of the organization’s security posture, enabling CISOs to adapt and align their organizations with the dynamic nature of cybersecurity in 2024 and beyond. The updated NIST framework offers actionable steps to help CISOs address these challenges and enhance their organization’s cybersecurity practices.

As cyberattacks escalate and the cost of data breaches continues to rise, organizations must prioritize cyber risk management to protect their sensitive data and maintain business continuity. The NIST Cybersecurity Framework 2.0, with its focus on continuous risk assessment, continuous improvement, supply chain risk management, and enhanced implementation examples, provides valuable guidance for organizations seeking to strengthen their cybersecurity programs. However, successful implementation requires not only the involvement of CISOs but also the commitment and investment of all departments within the organization. By adopting these principles and taking proactive measures, organizations can better defend against cyber threats and minimize the potential impact of cyberattacks.

[Disclaimer: The views expressed in this article are solely those of the author and do not necessarily reflect the views of the New York Times.]
