Image by Gerd Altmann from Pixabay

What is NIST?

Over the years, some executives that I’ve spoken with have thought that cyber risk management means buying and installing a bunch of software and hardware products, then leaving everything to the IT department. This image of cyber risk management is wrong.

Yes, you can buy expensive products, yes, your IT department does play a role, but there are so many non-technical areas of cyber risk management that you, as an executive, need to play a part in. Cybersecurity is not a product, it is a journey, and everyone in the company has a role.

Before going into details, let’s talk about the basics. I’m going to introduce you to the NIST Cybersecurity Framework, which stands for the National Institute of Standards and Technology. It was published in 2014 not by the department of defense, but the Department of Commerce here in the United States. The NIST, as an agency, does everything from cybersecurity to things like what the definition of a gallon of milk is. Anyways, by presidential order, the NIST set standards around cyber risk management. While other organizations have done similar things, their process for creating these standards is different in who they ask for help to set them. Instead of sitting in a room with a panel of scholars and discussing for months, the NIST instead went to the private sector for help, acting more as a facilitator or coordinator of the standard. The standard was written by the industry!

The goal of this framework is to help organizations assess and improve their ability to identify, prevent, detect, respond, and recover from cyber-attacks. Those are the five high-level functions. Then there are about 22 activities underneath those. At the third level of detail, there are 98 third-level items. For example, DE.CM-7 is the unique identifier to detect, continuously monitor, and then the seventh sub item under that. Lawyers and engineers use similar systems to this one. I’ll continue with more about the NIST Framework, including a specific example, in the
next post. See you then!

Leave a Reply

thirteen − thirteen =