NIST Cybersecurity Framework
Outsourcing risk monitoring and assessment services can significantly increase the value of those efforts for less than the cost of maintaining full-time employees to monitor and manage risks.
In late March 2016, this article over at Dark Reading discussed the current pattern of shifting from "moment in time" compliance to "continuous conformance" with frameworks. The challenges cited are heavily focused on reports from companies pointing to the prohibitively high cost of complying with the NIST Cybersecurity Framework (CSF).
Our team had the opportunity to work with the NIST CSF prior to the release of version 1.0 and has been helping companies understand how to interpret and apply it since that time. We know from our experience that the NIST CSF can be looked at as a framework to "implement," but the primary nature of the framework is to facilitate understanding of your maturity along key security disciplines. The value of that exercise is that your organization can use a standard, industry-neutral nomenclature to document and communicate the state of your security program.
This is different from, say, implementing ISO 27001. Control frameworks like ISO 27001, NIST SP 800-53 or PCI DSS itemize a detailed set of controls that are most certainly costly to implement. The NIST CSF, however, is a tool to capture an assessment of the maturity of those controls. It is, in a way, the metadata surrounding the implementation of your controls.
One aspect of security risk management seems to elude many of us in the security profession: knowing what we are aiming to accomplish. Implementing ISO 27001 or PCI DSS can indeed be costly. It can also be difficult to know when enough is enough, and difficult to rationalize a finish line, so to speak.
The NIST CSF was designed to give companies with any responsibility for United States Critical Infrastructure (CI) the ability to understand the breadth of relevant concerns and to support dialogue and communication with others, in the hope of elevating awareness and enhancing security across CI environments. But even the NIST CSF doesn't help determine what your target state should be. It won't define "complete" or identify a finish line - nor does it attempt to do so.
Implementing security controls and the ongoing focus of security operations are easily overdone and easily underdone. Vast amounts of money have been spent in the name of security only to result in breach after breach, failed PCI audits, or material deficiencies that required reporting to the SEC. At the same time, we have worked with complacent or uninformed organizations that put so little effort into security that they were completely overtaken by attackers who set up permanent residence, using company resources for illegal purposes, fraud, information theft, and other activities without anyone knowing about it.
A relatively small amount of effort and expense can make a big difference in setting goals that are both achievable and prudent for your organization. Time spent analyzing the real risk areas - the problems that matter - helps your team know where to focus its efforts and where to apply its control frameworks.
IOR Insight not only provides the technology to bring these necessary insights into view; through our service offerings we also make it possible to outsource much of the resource-intensive work of gathering the information needed to identify risk. We do the heavy lifting to get the inputs and the technology working for you, so that you can pull relevant information to the surface and know where to focus your security and risk management efforts. Our industry-changing technology uniquely bridges the gap between business activities and the kinds of risk that your organization deems important.