The introduction of the NIST Cybersecurity Framework 1.0 was both expected and disruptive when it was first released in 2014. This framework has changed the way many companies think about cybersecurity today, and many swear by it. This is why the release of NIST’s updated Cybersecurity Framework 1.1 is an important event.
However, this approach to cybersecurity has some limitations too. In this post, we cover the pros and cons of NIST’s new framework 1.1 and what we think it will mean for the cybersecurity world going forward.
Risk-based approach. Since the beginning of cybersecurity, the focus has been on defense. NIST 1.1 shifts the primary focus to risk as the outcome, as opposed to just controls. We at Nehemiah Security are evangelists for cyber risk quantification, so we mark the risk-based approach in the winner column.
Updating NIST for today’s challenges. NIST 1.0 was launched in 2014 and did a yeoman’s job of outlining security needs within enterprise organizations. This is a fast-moving space, though, and upgrades were overdue. The new 1.1 framework includes important updates that make NIST even more relevant today, covering:
- Authentication and identity
- Self-assessing cybersecurity risk
- Managing cybersecurity within the supply chain
- Vulnerability disclosure
The power of NIST crowd-sourcing. Many, if not most, of the changes in version 1.1 came from feedback gathered from users of NIST 1.0. This approach has helped ensure that 1) the changes address high priorities, 2) the updates are immediately impactful, and 3) agendas and personal biases are avoided. This is a win for the entire security community.
Cyber resources. Anyone in the cyber space, or anyone who has tried to hire a skilled cybersecurity professional, knows that there is a shortage of resources. This process needs automation, yet the framework provides little guidance on how companies can automate its implementation steps. As the cybersecurity world continues to evolve, automation is key to allocating scarce resources and, as a result, to a better security posture.
Business leaders. Can the framework really answer the question “How are we doing on cybersecurity?” Not exactly. Organizations that follow the framework are assumed to carry less risk, but the framework still does not help measure cyber risk in tangible terms or show any kind of ROI for improvements. Cybersecurity is increasingly a business issue. The 1.1 framework remains focused on a controls-based approach, while taking the first step toward risk.
Overall, we are very excited about the updates to NIST’s framework. As with any regulation, each approach has its pros and cons. It is important, however, to look past the prescribed steps and decide which aspects you want to keep and which you may want to exclude or modify in your organization’s approach.