It is “just right”: NIST’s Cybersecurity Framework meets the Goldilocks principle

March 3rd, 2015   /   company news, security and compliance

Last month the White House hosted a Cyber Security Summit at Stanford and one of the messages that stuck with me, aside from Tim Cook’s jabs at Apple competitors, was the value of companies adopting the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (Framework). I will be honest, I printed a copy of it with the intent to read through it when it first came out, but I didn’t get past the first few pages before being utterly consumed by OneLogin’s 2014 compliance initiatives.

The Summit re-sold the value of it to me, so I dug it up and was pleasantly surprised by its great content. Now, don’t get me wrong, NIST publishes a lot of good material, but they leave no stone unturned in their publications and that level of depth is sometimes more than you might need. That is not the case with the Framework, at all.

Just right = right level of detail
The Cybersecurity Framework does a good job of providing the right level of detail and it’s clear that it was written to be employed by entities of all sizes. In short, it provides a good starting point for companies that want to “beef up” their cybersecurity programs, as well as a good resource for companies that want to get a second opinion that their program is covering the basics.

One of the key components of the framework is the Framework Core, which provides “scaffolding” that you can use as a guide to manage your cybersecurity risk. The informative references included in the Framework Core provide a good place to start when determining how to tackle the different elements of it.

The Framework Core might be intimidating for smaller companies to tackle, but NIST will most likely release guidance to help address this in the short term, and subsequent versions of the Framework should be even more approachable in the long term. NIST intends for the Framework to be a “living” document, so it’s only a matter of time before these are released.

How we are using it
OneLogin is leveraging the Framework to verify we haven’t missed any key risk considerations. We invested a lot of time and effort to use ISO 27001:2013 as our “building guide” and several other resources as the “building materials”, but we are now aligning what we have in place with the Framework to make sure we didn’t miss any key considerations.

Adopting the Cybersecurity Framework is a prime example of the agility required in the cybersecurity space. Like the Framework itself, cybersecurity programs should be living programs, subject to constant change and revision in a world of ever-changing (and increasing) risks.

About the Author

Alvaro Hoyos is OneLogin’s Chief Information Security Officer and is tasked with architecting and leading the company’s risk management, security, and compliance efforts. Alvaro also works with prospects, customers, and vendors to help them understand OneLogin’s Security, Confidentiality, Availability, and Privacy posture and how it works alongside, or in support of, customers’ own risk management strategies. He has worked in the IT sector for over 15 years and, prior to joining OneLogin, spent 8 years working with startups, SMBs, and Fortune 500 companies on their security, compliance, and data privacy efforts.