NIST’s Cybersecurity Framework has become the common language for international cybersecurity
All organizations, whether public or private and regardless of where they operate, are working in one of the most chaotic threat scenarios ever seen. And now, in the midst of our first world cyber war, with tensions constantly rising due to the conflict between Russia and Ukraine, it is crucial that those in charge of securing their organization do not turn a blind eye to the likelihood of a violation. Organizations need to address the reality of non-compliance and be proactive in uncovering risks, while aligning the strategy and tools needed to mitigate them.
Regardless of how security teams apply due diligence to deal with current threats, all indications are that now is the time to step up strategies. In fact, the White House recently issued a statement warning of Russia’s potential to engage in malicious cyber activity against the United States in response to recently imposed economic sanctions. Therefore, whether you are concerned about the risks of the conflict in Ukraine affecting your organization or it is simply time to re-evaluate the company's security posture, there are some highly credible resources available to help guide these efforts.
The NIST cybersecurity framework immediately comes to mind. It provides a clear set of guidelines for addressing and managing cybersecurity risks, based on existing standards, guidelines and good practices published by NIST. While this framework was originally developed to improve critical infrastructure risk management in the United States, security teams can use it in any sector of the economy or society. NIST makes it clear: “Organizations outside the United States can also use the framework to strengthen their own cybersecurity efforts, and the framework can help develop a common language for international cybersecurity cooperation on critical infrastructure.”
And why not? Our security goals share a similar tone regardless of function or location: to protect organizations as effectively as possible. We may also share relevant tools and information to help us get there. As for the NIST framework, there are some basic uses that are worth noting. Initially, security teams can leverage the framework as a guide to help determine which activities are most important to ensure critical operations and to help prioritize investments and maximize the impact of cybersecurity spending. But, as with any set of guidelines that a company considers using, getting the most out of it comes down to defining the goals of the organization.
For example, if the team aims to secure a company that has undergone extraordinary changes as a result of an increase in mobile and remote workers, a rapid adoption of the cloud, or both, the NIST framework can help prioritize projects, or even help guide purchasing decisions and ultimately reduce risk.
The cloud transformation scenario is not uncommon these days, but it does pose major challenges for security professionals. Traditional network security tools that have long been staples depend on visibility into endpoints on local networks, and security teams can no longer rely on them to stop all threats. While it’s still important to make the environment as difficult as possible for attackers, preventing them from entering shouldn’t come at the expense of detecting them when they do. And this is where NIST can lend a hand.
For professionals, it has become a very useful resource that the industry should share. Statements like the White House's and ransomware alerts like the one issued as a joint warning from the FBI, CISA, and the NSA must be taken seriously. We can also use them as resources to improve posture, as they offer mitigation guidance. Although government agencies must follow guidelines to protect critical infrastructure, most entities currently operate in the private sector. This is also the case internationally, where cybercriminals are no different and always try to find a way in regardless of how an organization deploys its business. Regardless of the techniques, tactics, or toolkits they use, it is not our government’s responsibility to stop them; it is up to us as defenders.
Willem Hendrickx, Revenue Director of Vectra AI