Reassessing the Impacts of Risk Management With NIST Framework 2.0

Global cyberattacks have risen sharply over the last few years, increasing by 38% in 2022, according to Check Point. Combine this with the increasing cost of a data breach, averaging $9.44 million in the US and $4.25 million globally in 2022, preventing cyberattacks is at the top of everyone's mind going into 2024.

In early August, the National Institute of Standards and Technology (NIST) shared an update to its Cybersecurity Framework (CSF). The new draft reflects its inclusive and responsive attitude towards risk management for mitigating the cost and frequency of cyberattacks. As the gold standard for building a cybersecurity program and reducing cyber-risk, CSF 2.0 includes feedback from Fortune 500 companies on the front lines of cyberattacks.

To help enterprises keep up with the ever-evolving cyber threat landscape, NIST highlights the following four major themes that have direct business impacts on managing risk. Chief information security officers (CISOs) should keep the following principles in mind as they work to help secure their organizations and reduce cybersecurity risk in 2024.

Emphasize Continuous and Quantitative Risk Assessment

Continuous risk assessment is the cornerstone of a robust cybersecurity program. It is crucial for improving risk posture, enabling organizations to understand their most critical IT assets, the threats affecting them, security weaknesses, and the likelihood of these weaknesses getting exploited. Further, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations conduct cyber-risk assessments regularly to better understand their security posture. And the benefits of these regular assessments can include improving cyber resiliency and meeting cyber insurance requirements.

For organizations looking to implement near real-time risk assessment, automation and artificial intelligence (AI)-based tools are critical for keeping up with the sheer volume of risks. As bad actors begin to use AI for harm, it is critical to learn how to use it for good. Such tools enable enterprises to discover assets, prioritize vulnerabilities, and define the likelihood and potential impact of risks to organizations even as the attack surface evolves.

This recommendation in the NIST updated framework further refines CISOs' deep understanding of the complexities associated with cybersecurity risk measurement. However, the continuous risk assessment process is not up to the CISO alone; investments and buy-in must span all departments of the organization. The entire organization must view this as a means to better use the data it takes in.

Prioritize Continuous Improvement

Creating a culture of continuous improvement is more than just a concept. It emphasizes that cybersecurity isn't just about implementing the next incremental category or subcategory recommended by NIST; it's a journey towards adopting a holistic stance with organization-wide support. For example, the software you patched and secured yesterday may be vulnerable to a new exploit today. So, constant adaptation and improvement are essential to keeping all your surfaces free from attacks that can pop up in a moment's notice.

NIST's updated draft embraces this attitude by introducing a new Improvement category in the Identify function. The draft also includes updates to definitions of the implementation tiers and additional factors, including cybersecurity risk management, governance, and third-party risks. This showcases a more holistic approach to managing risk.

Strengthen Supply Chain Risk Management

Attacks on the supply chain have become a focal point for bad actors over the past few years. Look no further than the SolarWinds attack and the Log4j exploitation. And there aren't any signs of a slowdown, as Gartner predicts that 45% of global organizations will be impacted by a supply chain attack by 2025. These attacks prove that most organizations struggle to create a software bill of materials (SBOM) for their in-use applications, which produces a gap in protection.

In the updated draft, NIST addresses supply chain risk management by warning organizations that agility and accuracy matter. The draft includes an example of contractually requiring suppliers to provide and maintain a component inventory, which could also be described as an SBOM. When so much of your organization's operations depend on the supply chain remaining intact, you must bring precision to the forefront of risk management to better stay ahead of any incoming attack.

Enhance Implementation Examples

While the first draft of the NIST framework included some suggested implementation examples, there were not enough. By adding additional examples, organizations looking to NIST for cybersecurity guidance have additional resources to apply best practices mentioned in the framework. Having as many practical application examples as possible provides CISOs and other security leaders with clear, actionable steps to implement better security measures.

The additional examples included in the updated draft can empower organizations looking to NIST for guidance on cybersecurity to apply best practices. The inclusion of the additional implementation angles shows that NIST is interested in creating a more functional, real-word, and responsive cybersecurity management process.

With increasing complexity and tools sprawl, the ever-expanding attack surface, and increasing regulatory pressures, automated and AI-powered tools that provide a single pane of glass view will be critical. This updated framework provides actionable steps for CISOs to adapt and better align their organization with the dynamic nature of the cybersecurity landscape for 2024 and beyond.