It is “just right”: NIST’s Cybersecurity Framework meets the Goldilocks principle

March 3rd, 2015 / company news, security and compliance

Last month the White House hosted a Cyber Security Summit at Stanford, and one of the messages that stuck with me, aside from Tim Cook’s jabs at Apple competitors, was the value of companies adopting the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework). I will be honest: I printed a copy of it with the intent to read through it when it first came out, but I didn’t get past the first few pages before being utterly consumed by OneLogin’s 2014 compliance initiatives.

The Summit re-sold me on its value, so I dug it up and was pleasantly surprised by how good the content is. Now, don’t get me wrong, NIST publishes a lot of good material, but it leaves no stone unturned in its publications, and that level of depth is sometimes more than you need. That is not the case with the Framework at all.

Just right = right level of detail
The Cybersecurity Framework does a good job of providing the right level of detail, and it’s clear that it was written to be employed by entities of all sizes. In short, it is a good starting point for companies that want to “beef up” their cybersecurity programs, as well as a good resource for companies that want a second opinion on whether their program covers the basics.

One of the key components of the Framework is the Framework Core, which provides “scaffolding” you can use as a guide to manage your cybersecurity risk. The informative references included in the Framework Core (pointers to existing standards and practices) are a good place to start when deciding how to tackle its different elements.

The Framework Core might be intimidating for smaller companies to tackle, but NIST will most likely release guidance to address this in the short term, and subsequent versions should be even more approachable in the long term. NIST intends the Framework to be a “living” document, so it’s only a matter of time before these are released.

How we are using it
OneLogin is leveraging the Framework to verify that we haven’t missed any key risk considerations. We invested a lot of time and effort in using ISO 27001:2013 as our “building guide” and several other resources as the “building materials”; we are now mapping what we already have in place against the Framework to confirm nothing important was left out.

Adopting the Cybersecurity Framework is a prime example of the agility required in the cybersecurity space. Like the Framework itself, cybersecurity programs should be living programs, subject to constant change and revision in a world of ever-changing (and increasing) risks.

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers, and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.