Why cutting corners with NIST CSF implementation leads to poor cyber risk management and investment decisions
Image created with DALL·E 2 an AI system that can create realistic images and art from a description in natural language.

BLUF:

The team at the National Institute of Standards and Technology at the U.S. Department of Commerce released the NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework last week. This provides a great opportunity for information security professionals and the wider community to feed into the new workings and workshops. I'd recommend participating in shaping what the future of NIST CSF 2.0 looks like if this framework is relied upon in your organisation.

Back in February 2013 President Obama signed Executive Order 13636, which first mandated the National Institute of Standards and Technology (NIST) to develop an approach to combat cybersecurity risks against critical infrastructure. One year after the release of Executive Order 13636, on February 12, 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF from here on out).

Shortly after the NIST CSF v1.0 release, when employed by JPMC in London, we quickly began interpreting the framework and updating/enhancing our control framework where it was deemed necessary. This tailored NIST CSF implementation was quickly accelerated during July - Sept 2014 after discovering our major data breach. We learnt very abruptly that this framework was a great tool to communicate with regulators and partners on the success (or failure) of the cyber security program. NIST CSF v1.1 was released (April 2018) with much-needed enhancements around Supply Chain Risk Management and other refinements based on the changing threat landscape.

Since 2014 I've had the privilege to work with many global businesses in their implementation and assurance of NIST CSF as this quickly became the leading framework. This experience included companies within financial services (banks, asset managers, insurers, major market infrastructure, pension funds / superannuation) and other sectors such as retail, energy, mining and infrastructure property.

NIST CSF, as a leading framework, opened the door to many unwarranted claims by businesses that they align to the framework. A common finding, when you look under the hood of cyber risk management at an organisation that claims NIST CSF alignment, is that the team has cut corners or taken shortcuts in a number of areas, including 1) Risk Assessments, 2) Designing Target Profiles and 3) Determining the appropriate Risk Tolerances reflected in a target Implementation Tier. In turn, this leads to exceptionally poor control design, ongoing assurance nightmares for leadership, decaying board trust and maturity measurement not based on material facts or reality (watermelon reporting). The final outcome is poor risk management and investment decisions not aligned to your biggest threats.

At this point I must call out that there is a difference between 1) Minimum/Baseline Security Requirements, 2) Achieving Compliance and 3) Being Secure (the latter being the highest target). Set clear expectations on what is being targeted with your cyber security framework. Caveat Emptor: the ideal target state of "Being Secure" comes at a very high cost and in most cases is not realistic. The worst case scenario is a company watermelon reporting its cyber security program controls all green to satisfy compliance reporting and then suffering a catastrophic data breach; don't be that person.


To elaborate on the poor outcomes I've seen over the years, I'll provide some high-level overviews of common issues with NIST CSF implementation.

Firstly, many organisations do not follow the recommended "Establishing or Improving a Cybersecurity Program" steps in NIST CSF or record the agreed outcomes, which are:

  • Step 1: Prioritise and Scope.
  • Step 2: Orient.
  • Step 3: Create a Current Profile.
  • Step 4: Conduct a Risk Assessment.
  • Step 5: Create a Target Profile.
  • Step 6: Determine, Analyze, and Prioritise Gaps.
  • Step 7: Implement Action Plan.

If you are providing assurance (3LoD - second, third or fourth line) over a NIST CSF implementation, make sure these steps are completed or equivalent documentation exists to illustrate the target states and asset profiles. Too often organisations jump into control implementation without understanding the risk environment and/or tolerances of the business. This approach leads to the CFO knocking on the CISO's door to start asking questions about the Cyber Security Program expenditure. If you are trying to establish digital trust with your board, follow the establishment steps and document the outcomes; this provides the justification for investment and business priorities.


Often Risk Management is an afterthought when implementing NIST CSF. IT teams may work in silos and as a result the Risk Management Framework (Enterprise or Operational) may not be considered during the implementation. It may come as a shock, but NIST CSF is a risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. If you do not incorporate the Risk Management Framework considerations into the cyber security approach and engage the Chief Risk Officer and their team during the roll-out, you are not setting yourself, and your organisation, up to succeed. What are the key risks you are defending against? What are the critical assets and business processes that need protecting? Tailor your framework to your risks, assets and business priorities or suffer poor investment decisions and inadequate risk management. Data breaches and/or regulatory pressure will bring this issue to the forefront of the Board extremely quickly.


Framework Tiers characterise an organisation's practices over a range, from Partial (Tier 1), Risk Informed (Tier 2) and Repeatable (Tier 3) to Adaptive (Tier 4). During the Tier selection process, an organisation should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organisational constraints. This is an important discussion on target state and risk tolerances which should be documented and approved. An organisation may choose to use the Framework Implementation Tiers to articulate envisioned risk management practices and desired state. This approach has been my preferred option as it makes communication of the cyber roadmap that much easier.


Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. Profiles support business/mission requirements and aid in communicating risk within and between organisations. One of the challenges with earlier versions of NIST CSF was that example templates were not provided for Profiles, which has led to Profiles not being defined or being skipped entirely. Does business unit 1 require the same controls as business unit 2, and where does it differ? It's great to see that in the v2.0 concept paper Profiles have been called out as an issue. I'm sure the community will rise to the occasion with well documented examples going forward.


Once Profiles and Tiers have been clearly articulated, how a Maturity Assessment is conducted is often the next question. Please note that Tiers do not represent maturity levels. Often consultants will measure NIST CSF Subcategories against an adulterated CMMI 1-5 scale and return a result like 3.25. The maturity model against which your organisation is being assessed should be more articulate than just a rating from 1-5. In a prior life the team I worked with went to the painstaking effort of defining what the 1-5 objectives meant for every single control, as this clearly defined the control aspirations, our desired state and what would be possible with further investment (these maturity levels should be revisited with AI and Quantum). Be careful using ordinal scales (rankings 1-5), as these numbers cannot meaningfully be added/multiplied/subtracted/divided because the difference between each value is not consistent; e.g. a result that is not a whole number would indicate poor measurement practices / risk management in my opinion. Rank examples are: Group Captain, Wing Commander, Squadron Leader. You don't have 1/8 of a Group Captain. Cyber security control maturity misstatement, especially overstatement, only strokes somebody's ego and does not help the organisation address business risk (compliance).
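As an added example (not from the original article), the following Python works the Step 6 gap analysis between a Current and a Target Profile and the ordinal-scale point above: ratings are summarised per Function with distribution, low median and minimum rather than a mean, and progress is reported as a count-based share of subcategories meeting target. Subcategory identifiers follow the CSF v1.1 naming pattern; the ratings are constructed and assumed.

```python
from collections import Counter, defaultdict
from statistics import median_low

# Constructed sample data (illustrative ratings, not any real organisation's results).
# Keys use the CSF v1.1 Function.Category-Subcategory identifier pattern; values are
# ordinal maturity ratings on a 1-5 scale whose meaning has been defined per control.
CURRENT_PROFILE = {
    "ID.AM-1": 4, "ID.AM-2": 2, "ID.RA-1": 2,
    "PR.AC-1": 3, "PR.AC-4": 2, "PR.DS-1": 5,
    "DE.CM-1": 3, "DE.AE-1": 2,
    "RS.RP-1": 1, "RC.RP-1": 2,
}
TARGET_PROFILE = {
    "ID.AM-1": 4, "ID.AM-2": 4, "ID.RA-1": 4,
    "PR.AC-1": 4, "PR.AC-4": 4, "PR.DS-1": 4,
    "DE.CM-1": 3, "DE.AE-1": 3,
    "RS.RP-1": 3, "RC.RP-1": 3,
}

def function_of(subcategory):
    """'PR.AC-1' -> 'PR' (the CSF Function prefix)."""
    return subcategory.split(".")[0]

def summarise(profile):
    """Per-Function summary that stays on the ordinal scale: distribution, low median, minimum.
    Deliberately no mean: the ratings are ranks, so a value like 3.25 has no meaning."""
    by_function = defaultdict(list)
    for subcategory, rating in profile.items():
        by_function[function_of(subcategory)].append(rating)
    return {
        fn: {"distribution": dict(Counter(ratings)), "median": median_low(ratings), "min": min(ratings)}
        for fn, ratings in by_function.items()
    }

def gaps(current, target):
    """Step 6 gap list: subcategories below target, largest gap first, then lowest current rating.
    A subcategory missing from the current profile counts as 0 (not assessed)."""
    rows = []
    for subcategory, wanted in target.items():
        have = current.get(subcategory, 0)
        if have < wanted:
            rows.append((subcategory, have, wanted, wanted - have))
    return sorted(rows, key=lambda row: (-row[3], row[1]))

def share_meeting_target(current, target):
    """Fraction of target subcategories at or above target: a count-based ratio, valid on ordinal data."""
    met = sum(1 for sc, wanted in target.items() if current.get(sc, 0) >= wanted)
    return met / len(target)
```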


When designing controls please keep in mind that the more control friction you create, the higher the propensity that a user will circumvent the control, rendering it a wasted investment. Automated controls built on secure-by-design and zero trust principles that are seamless to the user experience are the utopian state. There has been a trend to invest heavily in detective controls, rather than preventative, which I always found fascinating. This creates a scenario where your company is openly admitting defeat by not defining appropriate preventative measures upfront to protect your critical assets. Often this decision is based on cost. The Cyber Insurance backstop to breaches and business interruption is closing quickly; I'd advise companies to review and address their control portfolio concentration. What percentage of your framework controls are preventative, detective or reactive? How many preventative controls do you currently operate effectively?


Effective Transformation (or NIST CSF implementation) relies on people, process and technology working in unison. Ask yourself whether you have the right people, doing the right things in your team, for good governance and assurance over the NIST CSF program you have implemented. There may be good technical staff, but often it's risk management and business engagement where a cyber security program falls down or fails to communicate effectively to all (internal/external) stakeholders. Relying purely on technical controls leads quickly to disaster: humans are involved and will circumvent technical controls accidentally or maliciously.


So next time you hear "we have rolled out NIST CSF", ask some follow-up questions: did you follow the 7 establishment steps, did you define Profiles and Tiers? Sadly, more often than not, poorly performing or ineffective controls have been "rolled out". A risk-based framework is meant to be tailored to the risk on critical assets, not applied as a blanket control. Framework refinement and tailoring will allow the prioritisation of resources (which are finite in cyber security). Ruthless prioritisation is a survival skill for Cyber Security Leaders. NIST CSF Version 2.0 is now out for comment; this provides a great opportunity to refresh your implementation approach through effective leadership, governance and assurance. We in the information security community have historically performed a bad job at articulating the risk adequately to allow effective decision making by business leaders; take this opportunity to improve that.

So Long, and Thanks for All the Fish

MW

Sections of this article were written using AI, guess which parts.

The views expressed on social media are mine alone and not those of my employer.
