
4 critical focus areas for NIST CSF 2.0 implementations

What’s changed, and how can your company improve its cybersecurity posture?

July 16, 2024

Earlier this year, the National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework (CSF), the first major update to the framework since its creation in 2014. One of the primary reasons NIST updated the CSF is to help organizations enhance their cybersecurity maturity and defenses. As the threat landscape continues to evolve, cybersecurity strategies must also evolve to keep pace. NIST CSF 2.0 helps organizations establish and support a proactive cybersecurity strategy and address the risks relevant to their business.

RSM recently hosted a webcast to educate organizations on how to leverage the updated NIST CSF 2.0 to evolve their cybersecurity maturity. The webcast, “Level up and adapt: Evolving your cybersecurity strategy to align with NIST CSF 2.0,” was hosted by Jason Broz and Chip Stewart, risk consulting directors at RSM US LLP.

According to reports from the FBI, the Identity Theft Resource Center and IBM, while the number of breaches between 2011 and 2023 has gone up at a steady rate, the cost of those breaches has grown exponentially, especially since 2017. The potential financial impact signifies an even greater need for breach prevention than a decade ago and, therefore, a better approach to cybersecurity.

To enhance that approach, RSM detailed four key lessons learned from implementing NIST CSF 2.0 in the webcast.

Taking a proactive defense approach

In the current risk environment, organizations need to assume a proactive defense approach, which RSM’s Jason Broz defined as “the ability to anticipate future issues, needs or changes through implementing continual processes and key activities with the intent to identify and reduce or prevent threats from materializing.”

Proactive defense should include threat intelligence, regular penetration testing and vulnerability scanning, monitoring, cybersecurity awareness training, and behavior-based analytics.

We recommend gauging the frequency of awareness training based on your organization’s needs, as there is a balance between performing training often enough to be effective without overloading your staff or consuming too many resources. However, conducting training upon hire and then annually moving forward is a recommended best practice. Assuming a posture of proactive defense can help your organization stop threats before they happen, respond to and recover from threats more quickly, and overall take better control of managing risk. This can result in significant cost savings.


Taking an evolved approach to cybersecurity

The attack surface has changed drastically over the last few years. With an increase in remote work, cloud resources and software as a service (SaaS)/platform as a service (PaaS)/infrastructure as a service (IaaS) solutions, attackers can target a variety of new technologies. Attacks themselves are also becoming more sophisticated, with an increased use of artificial intelligence (AI) tools to develop, for example, more realistic and convincing social engineering attacks. This leaves organizations needing to adapt to these new technologies and techniques quickly, often resulting in security weaknesses. Organizations’ increased reliance on technology for nearly all elements of their business is part of why the cost of the average cybersecurity breach has spiked so drastically in recent years.

This is where NIST CSF 2.0 comes in. The revised framework recognizes that cybersecurity is applicable not just to a select number of critical infrastructures, but to nearly every organization. NIST CSF 2.0 also acknowledges the greater interconnectivity between business units and between organizations and their suppliers and contractors, as well as the increase in hybrid work and in the distribution of employees across multiple regions and countries. NIST CSF 2.0 is designed to consider these and other evolving needs of organizations looking to adapt to the changing cybersecurity landscape.

Of those who participated in the live webcast, only 12% reported not planning to transition to the NIST CSF 2.0; the rest of the participants either have already completed their transition, are in the process of doing so or plan to do so in the future. The polling results indicate that many organizations recognize the potential benefits of adopting the revised framework.

Understanding changes from previous NIST guidelines

NIST CSF 2.0 includes several changes from the standard’s previous version, NIST CSF 1.1, which was released in 2018. Major updates include the new govern function, an increased focus on vendor/supply chain risk management and an overall broader scope, allowing the framework to apply to organizations of any industry, size and complexity.

NIST has also provided additional resources, such as alignment with other security frameworks and standards, implementation examples, and quick start guides. NIST Special Publication (SP) 800-221 also provides a guide for organizations to align their cybersecurity risk management (CSRM) and enterprise risk management (ERM) efforts. Aligning CSRM and ERM was a priority for many of the webcast participants; over 80% of those polled reported either that they had already incorporated CSRM into ERM, or that they were planning to do so this year.

Aligning your strategy with NIST CSF 2.0

Aligning with NIST CSF 2.0 comes with challenges; in particular, not all of the previous NIST CSF 1.1 controls map directly to the new controls. Your organization will need to perform a gap analysis to determine where you need to increase or broaden efforts to meet the new controls, which cover a greater scope. We recommend a step-by-step approach:

  1. Perform a risk assessment of the current environment to identify risks associated with nonadherence to controls
  2. Prioritize the identified risks, considering the likelihood and impact of those risks being realized
  3. Develop a remediation road map that lists activities to reduce risks and establish a timeline
  4. Implement the road map, developing metrics and measuring performance as changes take place

To support the process of transitioning to the new framework, organizations may want to consider implementing a governance, risk and compliance (GRC) tool. When used properly, a GRC tool can help keep track of metrics and tasks associated with the transition. However, outsourcing this function instead may save your organization time and costs.

The takeaway

The primary benefits of aligning with NIST CSF 2.0 are threefold. First, improved risk management means that your organization will be better equipped to integrate CSRM and ERM strategies, manage supply chain risk and vendor compliance, and strengthen business resiliency. Second, cybersecurity communications will be strengthened, with standardized language used across the organization and a wealth of tools and guides to assist in implementation and problem resolution. And finally, adopting the NIST CSF 2.0 will support the proactive approach to defense discussed earlier, providing your organization with better preparedness for cyberthreats and a greater awareness of your threat landscape.
