When you see these lyrics, what comes to mind?
Five hundred twenty-five thousand
Six hundred minutes
How do you measure – measure a year?
Hopefully you recognize it as a truly great Broadway hit musical song (from the play Rent), especially since it has been featured in so many uplifting campaigns. But if I were to sing along to the same catchy tune “five standards, twenty-two sections, ninety-eight objectives…”, might you, as a security professional, connect the dots to the NIST Cybersecurity Framework?
I’ll answer that one for you. And the answer is no, you likely wouldn’t.
The reason is simple. Even this framework, as simple as they made it, doesn’t make it that easy to follow. As you read through it, you won’t find it so clearly boiled down to 5 standards, 22 sections, 98 objectives. But those are the numbers. And they are how you measure your success.
Who Implements the NIST Cybersecurity Framework?
According to a survey conducted by Tenable (Trends in Security Framework Adoption Survey):
29% of organizations leverage the NIST Cybersecurity Framework (CSF) and overall security confidence is higher for those using this framework. Additionally, more than 70% of respondents who have adopted or plan to adopt the NIST CSF view it as an industry best practice. It’s also the most likely security framework to be adopted by organizations over the next year.
Okay, so 29% of those who responded to the survey leverage this important framework. That’s great! At least, it’s a great start. But it’s also somewhat like a high school that reports extremely high college entrance exam scores, focusing on those who actually took the tests, knowing that 80% of the graduating class isn’t even college bound and didn’t bother with the measurement. Not to be the glass-half-empty guy here; just pointing out that we are a long way from where we know we need to be. This is especially
A Clear Call to Action
As we have shown in the image above, getting through 5 standards, 22 sections, 98 objectives (go ahead, sing along if you like) deserves to be boiled down to its simplest form. Simple works. Without simple, people get distracted and goals are not achieved.
This is the domain of today’s new generation of cloud-enabled, user-friendly, Governance Risk and Compliance software. What’s not in that definition are tools such as Excel and PowerPoint, which have proven time and time again that they are not up to the task as GRC software.
As a nation, we need to be strong in our defenses, including those of our businesses. That’s what the NIST Cybersecurity Framework maps best to. As we each do our part (convincingly), things get better…for all of us. Just imagine how much harder it would be for the bad guys if every organization out there practiced and measured up against such levels of security governance. And just imagine how much easier all the subsequent efforts that are then worked through the GRC program would become.
But it has to be simple. It has to add value. And it has to be user friendly and rewarding at a personal level, which is something that legacy GRC platforms have been notoriously bad at for many years now.
So, five hundred twenty-five thousand six hundred minutes from now, how long ago will you have reached this goal and generated the discretionary free time to succeed at the next one? ISO27001, perhaps?