Using Security Ratings & the NIST Framework for Cybersecurity Maturity
Joel Alcon | January 10, 2017
On February 12, 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for collaboration between government and the private sector to create a set of standards that organizations could use to identify, assess, and manage cybersecurity risk. This led to the NIST Cybersecurity Framework (CSF), a way for organizations to manage cybersecurity risk without additional regulatory requirements. According to the Trends in Security Framework Adoption Survey published earlier this year by Tenable Network Security, nearly a third of the organizations surveyed leverage the NIST Cybersecurity Framework, and many respondents view it as an industry best practice.
The NIST CSF includes a set of implementation tiers that characterize an organization’s cybersecurity practices, from Partial (Tier 1) to Adaptive (Tier 4). John Wheeler, senior analyst at Gartner, has covered these tiers in detail in recent discussions. The tiers reflect the progression of an organization’s cybersecurity maturity, from reactive responses to an agile, risk-informed approach. However, some organizations find it difficult to gain visibility into every area of their network and to adhere to every security control in the NIST CSF. Remediating compromised machines on the network, identifying security events, configuring systems, and uncovering suspicious user behavior can be daunting tasks, and communicating performance trends is nearly impossible without a way to map cybersecurity metrics to security controls.
Looking through the Security Ratings Lens
Organizations are often in the dark when it comes to understanding the cybersecurity posture of critical third parties, or even when assessing the performance of their own security programs. Information security and vendor risk management teams tend to lack objective metrics that accurately measure cyber risk. BitSight Security Ratings enable organizations to evaluate risk and security performance through an outside-in model similar to the one used by credit rating agencies: the rating is derived from externally observable data rather than from self-reported answers. BitSight Security Ratings range from 250 to 900, with higher ratings indicating a better security posture. The ratings help organizations verify security questionnaires and assessments, and they facilitate cybersecurity discussions with senior management or potential vendors. BitSight also enables organizations to map their cybersecurity performance to subcategories of the NIST Cybersecurity Framework, so that teams can quickly assess whether they adhere to critical security controls. This helps facilitate discussions with key stakeholders.
Maturity and the NIST CSF
Organizations with mature cybersecurity programs have a risk management approach that is informed by business needs and integrated into the organization’s overall risk management practices. The tiers in the NIST CSF enable organizations to assess their level of cybersecurity maturity and to share security performance metrics with senior management in a form that is easy to understand. The NIST CSF is a great tool for security teams that need to show success metrics or benchmark their performance. By supplementing this data with easy-to-understand security ratings (from Poor, to Intermediate, to Advanced), security and risk teams can have productive discussions with senior management or vendors about their cybersecurity performance and how well they adhere to the security controls found in the NIST CSF.
For more information about the NIST Framework and about understanding the cybersecurity posture of your critical third parties, download this data sheet to learn how BitSight Security Ratings map to the NIST Cybersecurity Framework.