There are many ways to get a cybersecurity program off the ground, but where should you start? This can be intimidating to many IT professionals as cybersecurity has its own language. Frameworks are developed to assist organizations with this endeavor. A framework is used to align a program against best practices. It can also be a set of requirements that one must implement to perform a particular function.

Frameworks do not necessarily tell you how to implement a particular control, only that you should have it in place. For instance, a framework may state that you should implement multi-factor authentication (MFA); however, it may not state how or where to implement it. The framework may state that you ensure proper auditing and logging is configured, but not state how to do it or how long you should keep the logs.

A framework is a document used to help the organization implement best practices. You, or the head of security, may decide that you do not intend...

The NIST CSF is a wonderful cybersecurity framework to start off with. It was meant for organizations that are considered critical infrastructure to assist in implementing cybersecurity controls. Also, it is free to consume. Well, it is not necessarily free – I mean if you are a US citizen, then your tax dollars paid for it to be developed.

Though it was originally written for critical infrastructure businesses, the NIST CSF 2.0 is meant to be easily adopted and used for small to medium-sized, even larger, organizations. The framework was written in such a way that it can be customizable when implemented. As you will see later on in this chapter, organizations that adopted other frameworks migrated to the CSF because they were hard to implement.

As mentioned, the CSF is a framework that is easy to understand, easy to maintain, and easy to score and show progress of how your cybersecurity program is maturing. It also sets you and your organization up for...

The 2000s and 2010s were a mess for IT and cybersecurity. Though the thought of implementing a cybersecurity program was far from people’s minds, the concept started to grow. During the 2000s, we had viruses such as SQL Slammer, Code Red, Blaster, and Conficker, to name a few. These computer viruses wreaked havoc across many organizations, governments, and higher education institutions. When the 2010s came around, we had Stuxnet and Flame. However, in 2013, we began to see ransomware take hold with CryptoLocker.

Due to businesses being hit by malicious payloads, and many not knowing what to do or how to protect themselves, the Obama administration stepped in. In February 2013, the president signed Executive Order 13636, named “Improving Critical Infrastructure Cybersecurity,” directing NIST to develop a new framework for cybersecurity. In 2014, we saw the first edition of the CSF.

The early version of the CSF was aimed specifically...

As mentioned previously, there are several different cybersecurity frameworks to choose from. Each category and subcategory found in the NIST CSF aligns with other frameworks as well. There is an information reference that correlates to every subcategory. Why is that important?

Maybe you received an inquiry about how you and your organization have implemented its security controls. The inquiry is based on ISO or SP 800-53, but wait a minute – you are using the CSF; how can those match up?

There is a matrix for each control and how that aligns with other frameworks. This is to assist in answering questions regarding the CSF as compared with other frameworks. It is also meant to assist you if you decide to adopt a different framework. The point is, if you start off with the CSF and decide to jump to another one, all is not lost. I am not, by any means, saying that you should start with the CSF and then naturally jump to a different framework...

Organizations have the freedom to use and implement the NIST CSF to best fit their needs. The beauty of the framework is in its flexibility in implementing the necessary cybersecurity controls. Plenty of organizations have achieved their goals of reducing overall cyber risk through its use, but do not take my word for it. The following is a set of success stories of other organizations that have implemented the CSF.

Lower Colorado River Authority

Serving the residents of Texas, the Lower Colorado River Authority (LCRA) has a tough job. LCRA ensures water coming from the river is safe to use for the millions of residents of that state. The river authority is considered a critical infrastructure and must ensure that its IT and operational technology (OT) are secured.

LCRA initially adopted NIST’s SP 800-53 to implement cybersecurity controls. Due to its massive size, this caused serious problems with the framework rollout. LCRA required a framework...

In this chapter, we reviewed what a framework is and why it is important. Frameworks were developed to assist organizations in filling in the blanks of building a cybersecurity program. The NIST CSF is a framework that can be applied to your organization with little effort.

As cyber-attacks took hold during the early 2000s, we needed to rapidly increase our security posture. Cybersecurity frameworks were created to assist organizations in doing just that. Many may think that IT and cybersecurity are identical, but they are not. As we learned, cybersecurity has its own language and way of implementing solutions.

As we saw in the success stories, several organizations had come from other frameworks and began to use the CSF due to its flexibility in allowing for agility across multiple business functions.

In the next chapter, we will dive deeper into the CSF and review the framework core, tiers, and profiles. We will then look at how to evaluate and reduce risk. More...

1. Cybersecurity Framework Success Story – Lower Colorado River Authority:

   https://www.nist.gov/system/files/documents/2021/10/26/LCRA%20CSF%20Success%20Story_Comments%20Incorporated%5B53%5D.pdf

2. Cybersecurity Framework Success Story – University of Chicago Biological Sciences Division:

   https://www.nist.gov/system/files/documents/2020/07/23/University%20of%20Chicago%20Success%20Story%20062920%20508.pdf