
CISO Sixth Sense: NIST CSF 2.0's Govern Function

2024 will redefine CISO leadership while acknowledging the management gap.

Shirley Salzman, CEO and Co-Founder of SeeMetrics

March 7, 2024

Image: Closeup of traffic light with the yellow light turned on. (Source: Kiyoshi Takahase Segundo via Alamy Stock Photo)


Cybersecurity leaders are constantly on the hunt for tools and strategies to navigate the complex landscape of digital threats. But despite consistently being held accountable for safeguarding digital assets, chief information security officers (CISOs) have long grappled with a glaring deficiency in their management arsenal: They lack the oversight of their entire operations that would allow them to grasp the big picture while being able to quickly zoom in on what’s critical.

The first version of the National Institute of Standards and Technology's Cybersecurity Framework was developed in 2014 in response to a presidential executive order (EO 13636, Improving Critical Infrastructure Cybersecurity) aimed at helping critical infrastructure organizations mitigate cybersecurity risk. The order directed NIST to work with industry and government stakeholders to create a voluntary framework based on existing standards, guidelines, and practices. The latest revision, Cybersecurity Framework 2.0, expands the existing five functions (Identify, Protect, Detect, Respond, and Recover) and adds a sixth, newly included function: Govern.

Integral to the CISO

The introduction of the Govern function signifies a crucial industry acknowledgment that effective management is an integral part of the CISO role. In practical terms, the Govern function bridges a critical gap in the CISO's toolkit, allowing for a more comprehensive approach to management. Previously, CISOs encountered challenges in addressing key questions and concerns that crossed their desks, leading to gaps in their ability to manage effectively. They had no way to answer how well they were enforcing policies, whether they were progressing, or whether their latest investment had a significant impact on overall performance.

For instance, what is the level of readiness against a specific threat? Today, checking on policy enforcement and the health of controls is too often triggered by a rumor that a threat is trending. This is a reactive approach that is likely to bear results too late. A more proactive approach means that security leaders have continuous visibility into the performance of a range of controls and programs and receive an indication as soon as a policy has been breached. Currently, the process of gathering these data points from various product owners is so frustrating that most CISOs simply give up and live without it. But rest assured that the moment a threat knocks on their door, they will chase this data urgently, even if it's too late.

The process of new product procurement is yet another example of where effective management has been limited. For example, once a CISO buys a new code protection tool, there is no easy way to confirm that it has actually been rolled out unless they ask the team to allocate time to produce a report. Performance is a composite of several measurements: Does the tool properly scan? Does it cover all the relevant environments? Is the mean time to resolve (MTTR) sufficient? Are most of the events handled automatically or manually? Does the team face unresolved challenges?
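The questions above are exactly the ones a continuous metrics layer would answer from a tool's own export rather than from a hand-written report. The following is an added example, not code from the article or from SeeMetrics: it takes a constructed list of findings in an assumed export format (one record per finding, with environment, open and resolve timestamps, and whether it was auto-handled) and computes environment coverage, MTTR, the automation ratio, and the unresolved backlog. The environment list, the MTTR target, and the record format are all assumptions for illustration.

```python
"""Performance summary for a hypothetical code-protection (scanning) tool.

Added example, not from the article or any vendor. The record format is an
assumption about what a scanner or ticketing system might export.
"""
from datetime import datetime
from statistics import mean

# Constructed sample findings (assumed export format, not real data).
FINDINGS = [
    {"id": "F-1", "env": "prod", "opened": "2024-03-01T08:00",
     "resolved": "2024-03-01T20:00", "handled": "auto"},
    {"id": "F-2", "env": "prod", "opened": "2024-03-02T09:00",
     "resolved": "2024-03-04T09:00", "handled": "manual"},
    {"id": "F-3", "env": "staging", "opened": "2024-03-03T10:00",
     "resolved": None, "handled": "manual"},
    {"id": "F-4", "env": "prod", "opened": "2024-03-05T11:00",
     "resolved": "2024-03-05T14:00", "handled": "auto"},
]

# Environments the tool is expected to scan (assumed for the example).
EXPECTED_ENVS = {"prod", "staging", "dev"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def coverage(findings, expected_envs):
    """Share of expected environments in which the tool has reported at
    least one finding. This is a proxy: an environment with zero findings
    could be clean or unscanned, so a real system should also consume the
    tool's scan inventory. Returns a value in [0, 1]."""
    seen = {f["env"] for f in findings}
    return len(seen & expected_envs) / len(expected_envs)


def mttr_hours(findings):
    """Mean time to resolve in hours over resolved findings only.
    Returns None when nothing has been resolved yet, instead of dividing
    by zero or silently reporting a perfect score."""
    durations = [
        (_parse(f["resolved"]) - _parse(f["opened"])).total_seconds() / 3600
        for f in findings if f["resolved"]
    ]
    return mean(durations) if durations else None


def automation_ratio(findings):
    """Fraction of resolved findings that were handled automatically."""
    resolved = [f for f in findings if f["resolved"]]
    if not resolved:
        return None
    return sum(1 for f in resolved if f["handled"] == "auto") / len(resolved)


def unresolved(findings):
    """IDs of findings still open, in export order."""
    return [f["id"] for f in findings if f["resolved"] is None]


def summarize(findings, expected_envs, mttr_target_hours):
    """One snapshot of the tool's performance; collected over time these
    snapshots become the trend the CISO actually needs."""
    m = mttr_hours(findings)
    return {
        "coverage": coverage(findings, expected_envs),
        "mttr_hours": m,
        "mttr_within_target": m is not None and m <= mttr_target_hours,
        "automation_ratio": automation_ratio(findings),
        "unresolved": unresolved(findings),
    }


if __name__ == "__main__":
    print(summarize(FINDINGS, EXPECTED_ENVS, mttr_target_hours=24))
```

Run against the constructed data, the summary shows the tool covering two of three expected environments, an MTTR of 21 hours (within a 24-hour target), two of three resolved findings handled automatically, and one open item; the point is that none of these numbers required a product owner to write anything by hand.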

Consider that code protection is only one tool out of a wide range of capabilities, and only within the world of vulnerabilities. Multiply this by dozens of tools and questions across multiple programs. A poor management process costs an organization many months of delay and many hours of labor, and it is neither easily repeatable nor scalable.

Empowering Executives With Transparency, Visibility

This lack of visibility into operational aspects means that CISOs are essentially managing in the dark, which makes informed decision-making and strategic planning difficult. They are left with many tools, many siloed data narratives, and a pile of pieces they must puzzle together into a broader narrative.

The Govern function in NIST CSF 2.0 directly addresses these shortcomings, providing a framework for effective management. For Govern to empower CISOs in their management roles, it should embody several key attributes.

First, transparency must become paramount, allowing CISOs to gain insights into the implementation status of controls and assess the level of protection provided by their security measures as an overall story and trend, not tool by tool. For example, the CISO office would establish a policy that a user without multifactor authentication (MFA) who continuously fails phishing training will be blocked from corporate emails. To see if the policy is being enforced, the CISO would need continuous trending data points from two different tools, and these points would need to be correlated on an ongoing basis.
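The MFA-plus-phishing policy just described is a good illustration of why the correlation has to be continuous: neither tool alone knows whether the policy was enforced. The following is an added example, not code from the article or from SeeMetrics. It joins three constructed feeds, an MFA enrollment export, a phishing-training result history, and the mail system's current block list (all assumed formats and sample data), to derive which users the policy says should be blocked and then measures how many of them actually are. The consecutive-failure threshold is an assumption; the article only says "continuously fails".

```python
"""Policy-enforcement check across two security tools plus the mail system.

Added example, not from the article or any vendor. Policy (assumed wording):
a user WITHOUT MFA who fails phishing training N times in a row must be
blocked from corporate email. All feeds below are constructed sample data.
"""

# Feed 1 (assumed): identity provider export, user -> MFA enrolled?
MFA_ENROLLED = {"alice": True, "bob": False, "carol": False, "dave": False}

# Feed 2 (assumed): phishing-training results, (user, date, passed).
# Deliberately out of date order to show that ordering must be handled.
PHISHING_RESULTS = [
    ("alice", "2024-03-10", False), ("alice", "2024-01-10", False),
    ("alice", "2024-02-10", False),
    ("bob", "2024-01-10", False), ("bob", "2024-02-10", False),
    ("bob", "2024-03-10", False),
    ("carol", "2024-01-10", False), ("carol", "2024-02-10", True),
    ("carol", "2024-03-10", False),
    ("dave", "2024-02-10", False), ("dave", "2024-03-10", False),
    ("dave", "2024-01-10", False),
]

# Feed 3 (assumed): mail system's current corporate-email block list.
EMAIL_BLOCKED = {"bob"}


def trailing_failures(results, user):
    """Length of the user's most recent run of consecutive failed tests,
    computed in date order regardless of how the export was sorted."""
    history = sorted((d, passed) for u, d, passed in results if u == user)
    run = 0
    for _, passed in reversed(history):
        if passed:
            break
        run += 1
    return run


def policy_targets(mfa, results, fail_threshold):
    """Users the policy says must be blocked: no MFA AND at least
    `fail_threshold` consecutive recent phishing failures."""
    return {
        user for user, enrolled in mfa.items()
        if not enrolled and trailing_failures(results, user) >= fail_threshold
    }


def enforcement_report(targets, blocked):
    """Compare what the policy demands with what the mail system shows.
    A rate of 1.0 with no targets means there was nothing to enforce, which
    is reported explicitly rather than hidden behind a division by zero."""
    enforced = targets & blocked
    gaps = targets - blocked
    rate = len(enforced) / len(targets) if targets else 1.0
    return {
        "targets": sorted(targets),
        "enforced": sorted(enforced),
        "unenforced": sorted(gaps),
        "enforcement_rate": rate,
    }


def check_policy(mfa=MFA_ENROLLED, results=PHISHING_RESULTS,
                 blocked=EMAIL_BLOCKED, fail_threshold=3):
    """One evaluation of the policy; scheduled regularly, the
    enforcement_rate over time is the trend the CISO wants to see."""
    return enforcement_report(policy_targets(mfa, results, fail_threshold),
                              blocked)


if __name__ == "__main__":
    print(check_policy())
```

With the constructed feeds, alice is excluded because she has MFA despite failing every test, carol is excluded because her latest failure run is only one long, and of the two users the policy does target (bob and dave) only bob is actually blocked, giving an enforcement rate of 0.5 and a named gap to act on. A spreadsheet cannot keep this answer current; a scheduled job that re-runs the same join can.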

Second, this layer of wisdom needs to be driven by an automated metrics system, not based on spreadsheets. This system would transcend the diverse languages and measurements associated with different tools and programs, ensuring a holistic approach without getting lost in technical jargon.

Third, there's a need for a straightforward method to translate the intricate security stack into terms that are understandable by executive boards. This addresses the increasing need for CISOs to justify ongoing investments amid budget constraints.

Finally, real-time and continuous monitoring of performance is essential, enabling a perpetual view into policy enforcement trends and ensuring that CISOs are not just reactive but proactive in managing and enhancing their cybersecurity measures. Spreadsheets are static moments in time and not operational. CISOs need to take a big leap forward toward streamlined and automated management, just as automated tooling did for project managers.

In essence, the Govern function is a recognition that effective management is not just an expectation but a necessity for CISOs. With CSF 2.0, CISOs gain their sixth sense: the ability to govern, manage, and measure their cybersecurity operations with a new kind of knowledge and insight, ushering in a new era of proactive and informed leadership.

About the Author(s)

Shirley Salzman

CEO and Co-Founder of SeeMetrics

Shirley Salzman is CEO and co-founder of SeeMetrics, a Gartner-recognized cybersecurity performance management (CPM) platform that transforms the way security leaders measure, track, and improve stack performance. Unlike today's manual processes, SeeMetrics' cockpit-like dashboard instantly answers key questions around performance. Shirley brings over a decade of experience in commercial leadership (Percepto, Contguard, and Logic Industries). Prior to her high-tech career, Shirley worked for global policy and strategy firms such as the German Marshall Fund of the US and the Institute for Policy and Strategy at the Interdisciplinary Center, Herzliya, Israel. Shirley holds an MA with honors in International Security and Non-Proliferation from King's College, London.
