Leveraging the NIST Cyber Security Framework (CSF) to Streamline the Information Security Program

By Sam Buhrow, Information Security Cyber Incident Management & Forensics Director, Banner Health


Whether an organization is starting, maturing, or re-organizing its information security program, it quickly becomes apparent that there are no clean lines of ownership or responsibility. And qualified security practitioners, like any other professionals, are resources that should not be squandered. Yet I still see in the information security industry multiple pockets of individuals, teams, and groups with overlapping work efforts, each being pulled in opposite directions and, in general, creating more risk for the organization. Take, for instance, the broad term “security”. Ask Information Technology (IT) who is responsible for this, and they will typically say Security. Modern information security teams will say the business; the business will generally say IT; and the security awareness program and the governance, risk, and compliance (GRC) policies will say security is everyone’s responsibility. So, how can these teams’ disparate resources either be aligned toward a common direction, or have their responsibilities restructured and removed to free up resources?

Over my years in the industry, I have watched different alignments of cyber security areas, tools, and responsibilities operate with mixed results. When a very small team is charged with “doing security”, there are so many overlapping areas and risks to track that only the things on fire are taken care of…when they are found. Mid-sized security teams will usually play “who’s got availability” to “do” the new tool or ensure compliance in a particular area, even if that person or team is not the best qualified for that role. Large information security programs will typically have enough resources, but often arise organically, so as the role of information security has evolved, the historic burden of tools and responsibilities has remained in place: for example, firewalls, anti-virus, and two-factor authentication sit with the SOC or Incident Response (IR) team, when all they need are the logs.


Why? Because the need for those items grew, and wouldn’t the SOC or IR team want to know if someone or something made it through the firewalls, kicked off AV, or excessively failed 2FA? Well, yes; and the traditional wisdom goes, “OK, then it’s yours.” But now the SOC or IR teams spend their time putting out those fires while also handling their own areas of responsibility, and—for some reason—also spend a lot of their time patching, upgrading, and walking those systems through change management with IT.

Then, when a large security event, incident, or breach comes along, all the added responsibilities that aren’t the team’s core purpose or function for the organization are shoved to the side or aren’t looked at until the crisis subsides (which should have been an indicator over the years that this wasn’t aligned correctly). So, what is a solution to this problem?

In February 2014, the National Institute of Standards and Technology (NIST) released its Cyber Security Framework (CSF), updated to version 1.1 in 2018, with the goal of giving organizations a framework for managing cyber security risk while aligning under a common vocabulary. The following are examples of typical information security tasks:

• Anti-Virus
• Asset Management
• Business Continuity
• Continuous Monitoring
• Data Loss Prevention
• Data Privacy
• Disaster Recovery
• File Integrity Monitoring
• Governance, Risk, and Compliance
• Incident Response
• Maintenance
• Penetration Testing
• Risk Assessment
• Security Awareness
• Threat Intelligence
• Two Factor Authentication
• Whole Disk Encryption

Who in your organization’s security group completes these tasks? Incident Response, GRC, Forensics, SOC, NOC, etc. And again, what about those areas of overlap? Who owns “it”? NIST CSF is one way of quickly and clearly aligning roles and responsibilities to job functions.

Below is the same sample of tasks tied to NIST CSF Functions:

• Identify
o Asset Management
o Governance, Risk, and Compliance
o Penetration Testing
o Risk Assessment
o Threat Intelligence

• Protect
o Anti-Virus
o Data Loss Prevention
o Data Privacy
o File Integrity Monitoring
o Maintenance
o Security Awareness
o Two-Factor Authentication
o Whole Disk Encryption

• Detect
o Continuous Monitoring

• Respond
o Incident Response

• Recover
o Business Continuity
o Disaster Recovery

What NIST CSF does is help prioritize work efforts and align them to job functions. All of these tasks and more are important to the security posture of an organization, but if we look at the tasks in Identify and Protect, success for these can be measured in months and years: they are generally part of large strategic projects. Tasks in Detect, Respond, and Recover are typically tactical in nature, and success is measured in seconds, minutes, hours, and at most days. These are the high-risk, critical-result categories that can make the difference between a minor organizational disturbance and catastrophic, unrecoverable losses. Organizations and information security leaders should use the NIST CSF to help streamline job roles, increase task efficiency, guide “ownership”, and reduce risk to the organization.
