Cybersecurity Risk & StrategySecurity Transformation
Article3 minute read

NIST Cybersecurity Framework 2.0 Adds Governance to Emphasize Risk

NIST has revised the popular security framework for the first time since its release. The latest update expands to include the importance of managing cybersecurity risk effectively.

In this article

Cybersecurity constantly evolves, necessitating robust frameworks that guide organizations in safeguarding their digital assets. Among the prominent frameworks, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), International Standards Organization (ISO) 27001 & 2, and the Center for Internet Security (CIS) 18 are noteworthy for their influence on contemporary cybersecurity strategies. These frameworks offer comprehensive best practices for managing cybersecurity controls, contributing to the fortification of digital defenses.

 Cybersecurity Frameworks

These commonly adopted frameworks bring distinct attributes to the table:

  • NIST CSF is a voluntary, adaptable framework comprising five functions: Identify, Protect, Detect, Respond, and Recover. Its flexibility allows customization to specific organizational needs.
  • ISO 27001 & 27002 present a prescriptive approach, facilitating the establishment of an Information Security Management System (ISMS).
  • CIS 18 features 18 critical security controls, offering a user-friendly set of guidelines for countering prevalent cybersecurity threats.

Each framework boasts unique strengths while addressing specific organizational requirements. The NIST CSF is malleable, catering to diverse needs. ISO 27001 & 2 enforces compliance with regulations through its structured approach. Meanwhile, CIS 18 concentrates on thwarting commonplace cybersecurity threats. However, CIS 18 and NIST have lacked the governance elements in ISO 27001. The introduction of NIST CSF 2.0 has addressed this gap by incorporating a governance function.

 NIST CSF 2.0 Governance Function

NIST's CSF 2.0 marks a significant milestone by introducing a new governance function, enhancing its holistic approach to cybersecurity. This function empowers organizations to establish a sturdy cybersecurity foundation by implementing policies, procedures, and processes vital for managing cybersecurity risk effectively.

The governance function comprises four critical categories:

  1. Organizational Context: This category delves into the organization's mission, vision, values, and risk tolerance. It also explores the organization's governance structure and cybersecurity strategy interplay.
  2. Risk Management Strategy: The focus is aligning risk management with overarching business objectives. It outlines the approach to identifying, assessing, and mitigating cybersecurity risks
  3. Policies and Procedures: This category outlines creating and implementing policies and procedures supporting the cybersecurity risk management strategy. It also addresses training, incident response, and continuous improvement methodologies.
  4. Roles and Responsibilities: Defining and assigning cybersecurity roles and responsibilities within the organization and communication and collaboration strategies are covered.

 Significance 

The governance function within NIST CSF 2.0 is pivotal, offering organizations a blueprint for erecting a resilient cybersecurity foundation. By embracing this function, organizations bolster their capacity to manage cybersecurity risks and shield critical assets, further amplifying their cybersecurity posture.

Incorporating the governance function in NIST CSF 2.0 is a welcome addition. It aligns CSF with the global drive to enhance cyber risk management transparency to boards and senior leadership. The integration of governance across all five core functions underscores its foundational importance. It addresses privacy, cybersecurity, and digital supply chain challenges, embedding these considerations within the broader scope of enterprise risk management.

NIST CSF 2.0 facilitates improved communication within cybersecurity organizations. It guides the elevation of cyber risk discussions from specifics to strategic conversations, encouraging a culture of constructive inquiry. The framework's explicit guidance on enhancing communication practices supports this shift from a mysterious art to a fully integrated organizational function.

To augment your organization's cybersecurity posture, NIST CSF 2.0 warrants serious consideration. The governance function extends the framework's capabilities, facilitating effective cybersecurity control management akin to the ISO ISMS methodology. 

Partnering with WWT can amplify your cybersecurity endeavors through their experienced Field CISO Team, strategic alignment with best-of-breed technologies, and comprehensive testing and exercises in their Cyber Range and ATC

Adopting such advanced frameworks in a digital age where safety parallels commercial priorities becomes imperative.

Build alignment, reduce risk and deliver value
Read report