Catching Up on Innovation With NIST CSF 2.0

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

Jamie Moles, Senior Technical Manager, ExtraHop

June 20, 2024



The National Institute of Standards and Technology's Cybersecurity Framework 2.0 (NIST CSF 2.0) could not have come at a better time. Ransomware attacks have already built up a devastating track record on businesses and institutions across all industries in the past year: 58% of respondents to a recent survey experienced six or more ransomware attacks in the past 12 months. This comes among other concerns, including data breaches, generative AI threats, insider threats, and more, proving that cybersecurity needs to be more accessible than ever.

Historically, industry guidance to prevent these attacks was aimed at critical infrastructure or larger enterprises in high-risk industries. But cybersecurity is an "everyone" problem, and many organizations are beginning to catch on to the idea that cyber-risks are just as important as all other business risks. The same survey found that the average incident downtime is 56 hours, and considering that a survey conducted by ABB in 2023 puts the median cost of downtime at nearly $125,000 per hour, this downtime would cost $7 million — per incident. 

NIST's CSF 2.0, released this February, provides an important resource for organizations of all sizes to avoid these far-reaching costs by reexamining their security initiatives, fending off evolving threats, and preparing to meet today's innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

Three Critical Changes Everyone Should Make in the Coming Year

1. Building a New Approach to Securing Infrastructure

The path to securing infrastructure may seem like an obvious route: Get the right tools to detect, defend, and respond to security incidents. But one area organizations often miss, and one of the most significant additions to NIST CSF 2.0, is governance. 

A strong governance strategy addresses the people, process, and organizational concerns of cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight of that strategy and those policies, controls for the supply chain, and more.

This is especially important for smaller companies with plans to continue scaling. Having a set plan in place to quickly and efficiently react to a potential security breach can alleviate the capital losses that come with the territory: Net income, quarterly earnings, and stock prices all drop significantly after data breaches. An effective plan can possibly reduce those effects.

2. Investing to Fit Specific Business Needs

An organization may choose to handle risk in one or more ways, and this all depends on its specific business needs. NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions. This can feel overwhelming for many organizations, especially as solution providers are continuously innovating and developing new tools.

One universal truth in the industry is that security operations center (SOC) analysts are overwhelmed and resource strapped. AI- and ML-based solutions have arisen as a helpful bridge in combating this industry burnout to effectively manage risk and build business resilience against threats. Additionally, tools that enhance visibility are essential in further securing the attack surface. Despite investments in vulnerability management, endpoint detection and response (EDR), and security information and event management (SIEM) tools, there are many blind spots in the network, cloud, and more that organizations need to address as well.

3. Developing an Organizationwide Approach to Security Hygiene

While the right tools are essential, a critical part of NIST CSF 2.0's "Protect" function focuses on awareness, training, and identity and access management as critical safeguards for managing risk. While the framework calls out a great number of risk factors, overall cyber hygiene is a critically undervalued part of cybersecurity.

Exploiting poor cyber hygiene is an age-old method that works for attackers time and time again, and the costs add up. Luckily, smaller organizations typically perform best on the cyber hygiene bell curve, with midsize organizations lagging behind. But one successful attack can be all it takes to financially destabilize a small organization, as respondents paid an average of nearly $2.5 million in ransom in 2023, and generative AI has only made social engineering attacks easier.

Taking Advantage of Industry Resources

Though it provides essential guidelines, keep in mind that NIST's CSF 2.0 is meant to be used in conjunction with other frameworks and guidance, and is not a catch-all solution. It's also designed to be customized as an organization grows and evolves.

However, now that it is designed for organizations of all sizes, the framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation. Keeping pace includes understanding how threat actors are advancing and the new tools available to defend against them, both of which are essential to building business resilience in the long run.

About the Author(s)

Jamie Moles

Senior Technical Manager, ExtraHop

Jamie Moles is senior technical manager at ExtraHop. He brings more than 30 years of cybersecurity experience helping customers understand and mitigate the risk contemporary threats pose to their business.
