NIST Cited as the Most Popular Security Framework for 2024
Frameworks such as the NIST Cybersecurity Framework or ISO 27001 are commonly used as guidelines to help organizations structure their cybersecurity efforts effectively. These frameworks provide a structured approach to managing and improving cybersecurity practices, helping organizations align their security initiatives with industry best practices. In this article, an extract from the Cyber Security Tribe Annual State of the Industry Report 2024, which cited NIST as the most popular framework used to guide security practices, we describe in detail why the NIST framework is an effective framework to use.
2024 State of The Cybersecurity Industry Report Results
NIST Cybersecurity Framework - The most valuable guidance for security practice
The recent release of version 2.0 of the NIST Cybersecurity Framework (CSF) has solidified its position as the most valuable guidance for security practices by bringing valuable enhancements and insights to help organizations of all sizes strengthen their security posture. Version 2.0 highlights and emphasizes supply chain management and governance, which are essential for today's interconnected digital ecosystem.
It introduces new tiers for assessing cybersecurity maturity, making it easier for organizations to benchmark and improve their security posture. The update aligns closely with business objectives, ensuring that cybersecurity measures contribute to overall business performance and resilience. AI-driven organizations are not left out: this revision brings a more integrated approach to managing cybersecurity alongside other business risks, maximizing both security and innovation. Although Secure SDLC and App Security were left out of the latest NIST CSF 2.0 version, the significant distinctions between NIST CSF 2.0 and version 1.1 provide valuable guidance for security practices.
Credit - NIST
The newly introduced and much-needed core function 'Govern' highlights the strategic alignment between cybersecurity and risk management. The updated edition emphasizes the need to manage cybersecurity risks within the supply chain, considering the current digital ecosystem's rising complexity and interconnection.
The CSF 2.0 includes more thorough descriptions of the Tiers, giving organizations more precise direction for navigating from fundamental to sophisticated cybersecurity risk management procedures.
The revised CSF better supports organizations in managing and recovering from cybersecurity incidents with more substantive and thorough guidance on incident analysis, response, mitigation, and recovery. The revised framework acknowledges the interaction between cybersecurity and privacy by proposing the use of the NIST Privacy Framework and the CSF to address privacy issues.
Assessing Which Framework(s) Best Suit Your Organization's Industry, Regulatory and Risk Landscape
A security framework is crucial for safeguarding data and systems as it provides a structured approach to identifying, assessing, and mitigating security risks. Some frameworks are general, while others are directed at specific uses or industries.
Thus, understanding the various frameworks and selecting the one or more that meet compliance, industry, and overall risk management needs is essential. The following are some well-known and commonly used security frameworks:
- NIST Cybersecurity Framework 2.0 (NIST CSF 2): Developed by the National Institute of Standards and Technology (NIST), version 2, released on February 26th, 2024, this framework provides guidelines for managing and improving cybersecurity risk. It focuses on six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
- ISO/IEC 27001: An international standard for information security management systems (ISMS) that outlines best practices for establishing, implementing, maintaining, and continually improving an ISMS. Overall, this framework serves as a guideline for continually reviewing the safety of an organization's information toward exemplifying reliability and adding value to the organization's services.
- CIS Controls: Developed by the Center for Internet Security (CIS), these controls help prioritize actions to enhance cybersecurity posture, covering areas such as inventory management, secure configurations, and incident response.
- COBIT (Control Objectives for Information and Related Technologies): A framework for governance and management of enterprise IT, aligning IT goals with business objectives and including security as a critical component.
- MITRE ATT&CK Framework: Focuses on threat intelligence, providing a detailed matrix of adversary tactics, techniques, and procedures (TTPs) to help organizations understand and defend against specific threats.
Assessing and prioritizing which framework best suits an organization's unique industry is critical. The choice of security framework depends on factors such as organizational size, industry, unique operating environment, compliance needs, system/data sensitivity, and specific security needs.
Therefore, a careful selection process should not be based entirely on expert recommendations. Instead, it must depend on due diligence focused on understanding the organization's strategic needs and achieving reasonable and appropriate governance, risk management, and compliance. Further, there is no one-size-fits-all approach to security, and each framework has its strengths and limitations, so context matters when tailoring your approach.
Organizations vary in complexity and maturity, from small, niche industries to global conglomerates and governments. Hence, researching the available security frameworks and balancing the benefits and drawbacks of each approach is essential. For example, smaller organizations can usually get by with a single carefully selected framework.
In other words, organizations with more basic needs might opt to become certified in an individual standard such as ISO 27001 (part of the 27000 family) or PCI DSS. In contrast, larger organizations might need multiple or hybrid frameworks to manage information resources comprehensively. Many frameworks have redundant characteristics, enabling security teams to map specific controls to satisfy compliance with various regulatory and industry standards and requirements.
Thus, ensuring the chosen framework aligns with the industry's unique needs helps comply with applicable regulations. For instance, an organization could use a hybrid framework or combination of ISO 27001, COBIT, and NIST 800-53, selecting the controls that best help it meet its business objectives while defending against potential threats and securing its data. Further, organizations could choose framework controls from standards driven by industry compliance requirements. For example, some organizations in the healthcare sector could combine the Health Insurance Portability and Accountability Act (HIPAA) regulatory compliance requirements and NIST SP800-53. ISO 27799 and the Health Information Trust Alliance (HITRUST) framework, referenced where additional detail is required, could also be combined.
Ultimately, the deciding factors that CISOs often use to determine the cybersecurity framework for their security programs revolve around how the frameworks can be integrated into the overall business goals and communicated to organizational leadership. The freely available NIST CSF version 2.0 is especially well suited for ‘communicating with leadership’ tasks as it is easily communicated to the organization's board and executives.
The formerly five, now six, core functions make the framework easy to explain and understand. They can then be mapped technically to any other framework that drives the organization's policies and to the appropriate security budgets and investments. For instance, while it could be cumbersome to measure the return on investment (ROI) on overall information security spending, a CISO could easily explain that the organization may not fully meet the NIST CSF 'Detect' requirements if it does not invest in a SIEM to aggregate monitoring data, thus showing which risks have been, or could have been, prevented.