Using Security Ratings & the NIST Framework for Cybersecurity Maturity

Joel Alcon | January 10, 2017

On February 12, 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for collaboration between government and the private sector to create a set of standards for organizations to identify, assess, and manage cybersecurity risk. The result was the NIST Cybersecurity Framework (CSF), released in February 2014 as a voluntary framework for managing cybersecurity risk without additional regulatory requirements. According to the Trends in Security Framework Adoption Survey published by Tenable Network Security, nearly a third of the organizations surveyed use the NIST Cybersecurity Framework, and many respondents view it as an industry best practice.

The NIST CSF includes a set of Implementation Tiers that characterize how an organization manages cybersecurity risk, from Partial (Tier 1) to Adaptive (Tier 4). John Wheeler, senior analyst at Gartner, has covered the tiers in detail in recent discussions. The tiers describe a progression from reactive, ad hoc responses to an agile, risk-informed approach; note that NIST itself states that the tiers are not formal maturity levels, although they are commonly used as a proxy for maturity. In practice, many organizations find it difficult to gain visibility into every part of their network and to satisfy every CSF subcategory and the controls it references. Remediating compromised machines, identifying security events, configuring systems securely, and uncovering suspicious user behavior are each demanding tasks, and communicating performance trends to leadership is nearly impossible without a way to map measurable security metrics to the framework’s subcategories.

Looking through the Security Ratings Lens

Organizations are often in the dark when it comes to understanding the cybersecurity posture of critical third parties, and even when assessing the performance of their own security programs. Information security and vendor risk management teams tend to lack objective metrics that accurately measure cyber risk. BitSight Security Ratings let organizations evaluate risk and security performance using an outside-in model similar to the one credit rating agencies use: the rating is derived from externally observable evidence rather than from self-reported answers. BitSight Security Ratings range from 250 to 900, with higher ratings indicating better security posture. The ratings help organizations verify the answers in security questionnaires and assessments, and they give security and vendor risk teams a concrete basis for cybersecurity discussions with senior management or potential vendors. BitSight also maps an organization’s observed security performance to subcategories of the NIST Cybersecurity Framework, so teams can quickly see whether they are meeting critical controls and discuss the results with key stakeholders.

Maturity and the NIST CSF

Organizations with mature cybersecurity programs have a risk management approach that is informed by business needs and is integrated into the organization’s overall risk management practices. The NIST CSF tiers give organizations a way to characterize the rigor of their cybersecurity risk management and to share that assessment with senior management in a common vocabulary, which makes the framework a useful tool for security teams that need to report success metrics or benchmark their performance. By supplementing this self-assessment with easy-to-understand security ratings (from Poor, to Intermediate, to Advanced), security and risk teams can have productive, evidence-based discussions with senior management or vendors about their cybersecurity performance and how well they adhere to the security controls referenced in the NIST CSF.

For more information about the NIST Framework and understanding the cybersecurity posture of your critical third parties, download this data sheet to learn how BitSight Security Ratings can map to the NIST Cybersecurity Framework.

