Cyber Fundamentals: Benefits of the NIST CSF

Cyber Risk Management Chronicles, Episode IV

Image: Lockhaven logo

The CyberSecurity Framework (CSF) was created to solve a pernicious problem – repeated, damaging cyberattacks against US critical infrastructure sectors. The danger was such that President Barack Obama directed a federal agency, the National Institute of Standards and Technology (NIST), to develop a framework to reduce cyber risks to critical infrastructure. It was not an easy task.

Critical infrastructure sectors are incredibly disparate. Nuclear energy, communications satellites, and safe drinking water are all critical infrastructure components, but they are different in many ways. Adding to the difficulty was the fact that each organization was at different stages in their cyber risk management program development. Some had not considered cyber risk at all, while others were gravely worried and had taken measures to protect themselves.

The CSF is a paradigm shift in cyber risk management. It is no mere compliance tool, but rather the definitive framework to address cybersecurity risk at the strategic, operational, and tactical level.
Dr. Jack Dever & James Dever, Lockhaven Solutions

The CSF is a paradigm shift in cyber risk management. It is no mere compliance tool, but rather the definitive framework to address cybersecurity risk at the strategic, operational, and tactical level. When properly executed, it makes one more difficult to attack, minimizes impact when an incident occurs, and provides user-friendly guidance on incident response and recovery. While initially created to protect critical infrastructure, it is now heralded and widely adopted because it provides many benefits, to include:

Risk-based Decisions: Given the large amounts of data with which most companies are entrusted, and the reality of finite resources, it is impossible to protect everything. Therefore, informed decisions must be made as to where efforts should be prioritized. The CSF is risk-based and supports this approach.

Cybersecurity Lifecycle: Cybersecurity is a strategy, not a technology. This strategy must be ongoing and ever evolving in order to effectively address dynamic threat environments. The CSF supports this strategy by providing a cybersecurity lifecycle framework, from the identification of critical data and assets, to understanding threats, building resiliency, and developing effective incident response and recovery strategies. It eliminates the ‘one-off’ security compliance mindset and promotes a holistic, responsive, and adaptive posture.

The CSF provides an approach which does not require a complete re-set, but rather merges with an organization’s current state.
Dr. Jack Dever & James Dever, Lockhaven Solutions

No Requirement to “Start from Scratch”: The CSF provides an approach which does not require a complete re-set, but rather merges with an organization’s current state. It takes advantage of aspects of the program that are well underway while concurrently supporting the development for more nascent parts of the program.

Flexibility to Fit Specific Needs: The CSF is not a “one-size-fits-all” approach to managing cybersecurity risk, rather it is scalable. It is currently used across many industries, domestically and internationally. This flexibility derives from the fact that it is a voluntary, industry agnostic, and risk-based approach. As a result, organizations have total discretion in deciding exactly how it should be deployed to best suit their unique risks, needs and constraints.

Bridging Gaps Between Technical and Non-technical Stakeholders: The fact that the fundamentals of the CSF are easy to grasp, most notably for non-technical professionals, facilitates communication, quick adoption and immediate benefit. This increased communication is even more important as cybersecurity is not solely the province and responsibility of technical professionals such as CIOs and CISOs. Non-technical boards and management play a critical role in developing strategy and governing effective programs.

Developing a Culture of Security: Beyond the board and management, the CSF helps develop shared security awareness and encourages cooperation across all functions, levels, and locations. This assists in developing an integrated cybersecurity risk management approach aligned with strategic goals.

Compliance with Future Regulation: Over the past few years there has been a marked increase in cybersecurity regulatory requirements. This trend is not likely to abate. In order to remain aware and compliant with these changes, it is incumbent to maintain a proactive approach to monitoring new requirements in order to ensure appropriate actions are taken. The flexibility and ongoing lifecycle of the CSF provides the foundation for such an approach.

Trust is paramount for customers who entrust their personal data to organizations and all have an expectation that their data will be protected.
Dr. Jack Dever & James Dever, Lockhaven Solutions

Fulfilling Your Mission: Cybersecurity can be a significant effort and expense. However, successful organizations understand that the value created by proactive and effective cyber risk management activities far outweighs the costs. Significant benefits will accrue with a fulsome adoption of the CSF.

They include:

Maintaining Trust: Trust is paramount for customers who entrust their personal data to organizations and all have an expectation that their data will be protected. If that trust is violated, these individuals may well choose to go elsewhere.
Forecasting Issues and Helping Avoid Catastrophic Events: Organizations that focus on cyber risk management tend to be more proactive as compared to those mired in a reactive cycle. As a result, such organizations tend to have better chances to avoid significant damage from cyber incidents, including financial impacts, reputational, and litigation risk.
Enabling Growth: Cyber risk management is commonly looked upon as a defensive activity that is solely performed to avoid losses. However, during effective cyber risk management, organizations are forced to study their processes and risk factors in detail which can provide significant advantages when new changes to an organization occur. By dint of their cyber risk management programs, organizations have a ready framework that can be deployed in order to better adapt to a changing environment. As a result, the CSF can assist in taking calculated risks and expediting growth.

Authors

Dr. Jack Dever J.D., LL.M., S.J.D.

Dr. Jack Dever J.D., LL.M., S.J.D. is the CEO of Lockhaven Solutions. Jack served as FBI Assistant General Counsel. In this role he advised on cyber operations against nation state actors and global Tier 1 operations against Al Qaeda and affiliate organizations. He was an Assistant US Attorney for the Northern District of Illinois (Chicago). In this capacity he worked on a wide array of cases, including foreign cyber espionage and data exfiltration. Jack served on active duty in the US Army as a Judge Advocate. He deployed multiple times to Iraq, Afghanistan, Bosnia and the Horn of Africa. He was awarded the Bronze Star and Purple Heart Medals. After leaving government service, Jack was an Executive at General Electric where he served as Global Crisis Management Leader. In this role, he developed the Business Intelligence Unit which investigated cyber fraud and financial crime. Jack went on to several enterprise risk leadership roles at several of the world’s largest banks, including GE Capital, Wells Fargo, and UBS. Jack holds a doctorate in Cyber Law. He has lectured extensively at universities, law schools and private institutions. He is Co-Director at the Center for National Security and Human Rights Law in Chicago and has published multiple peer-reviewed articles on Cyber Law, Banking Law, and National Security Law. He remains active in support of Disabled Veterans and underserved communities.

View all posts
James Álvaro Dever, Esq.

James Álvaro Dever, Esq.is a Principal at Lockhaven Solutions. James was a US Air Force Professor of Cyber Warfare. He taught Cyber Law, Intelligence Law, National Security Law, Privacy Law, and Space Law at the Air War College (AWC), Air Force Cyber College (AFCC), Air Force Judge Advocate General’s School (JAG School), Air Command and Staff College (ACSC), and Air Force Research Lab Information Directorate (AFRL), the nation’s premier research organization for Computers and Intelligence. In partnership with AFCC and National Security Agency (NSA) Cryptologic School colleagues, he designed new graduate degree programs in Cyber Strategy for senior military officers and Department of Defense (DoD) civilians. He has provided cyber education to senior government officials and private sector leaders from South America, Central America, Europe, Africa, Australia, and Asia. He served as a US Army Judge Advocate. He was the Cyber Warfare Judge Advocate at Army Cyber Command (ARCYBER) where he provided real-time legal advice on worldwide cyber offensive, cyber defensive, and DoD information network missions. He was Chair of the Law Department at the US Army Intelligence School. He taught Cyber Law, Intelligence Law, and National Security Law to DoD military personnel and civilians. He taught Advanced Source Operations at the HUMINT Training Joint Center of Excellence (HTJCOE), served as a Cyber Law Judge Advocate at the US Army Network Enterprise Technology Command (NETCOM), and was a Cyber Law liaison to the US Army Intelligence and Security Command (INSCOM). Prior to the Army, he worked at Deloitte Cyber Risk Services. At Deloitte, he partnered with the National Institute of Standards and Technology (NIST) and helped create the Trusted Identities in Cyberspace and Privacy Engineering programs. He facilitated cybersecurity risk management for Fortune 100 companies. He has published peer-reviewed law articles and book chapters on Cyber Law, Privacy Law, and National Security Law. He has lectured about enterprise cyber risk management at diverse venues including the Congressional Cybersecurity Caucus, the American Bar Association, NYU School of Law, the US Air Force Academy, and NATO Allied Command. He has taught extensively at universities and law schools. He is Advisory Director at the Center for National Security and Human Rights Law in Chicago and Co-Director, Cyber Risk Management for Executives Program. He is on the Board of Directors at the Journal of Law & Cyber Warfare.

View all posts