Compliance Management

NIST’s Cybersecurity Framework has become the common language for international cybersecurity  

While NIST offers guidelines on when to renew digital certificates, today’s columnist, Ted Shorter of Keyfactor, says companies need to think more about automating certificate management.(Credit: NIST)

All organizations, whether public or private and regardless of where they operate, are working in one of the most chaotic threat landscapes ever witnessed. And now, amid our first global cyberwar, with tensions steadily rising because of the Russia-Ukraine conflict, it’s paramount that those tasked with securing their organization do not turn a blind eye to the likelihood of a breach. Organizations have to face the reality of a breach and remain proactive in uncovering risks, while aligning the necessary strategy and tools to mitigate them.

Regardless of how security teams apply proper diligence in addressing today’s threats, all signs point to now being the time to shore up strategies. In fact, the White House recently released a statement warning of the potential for Russia to engage in malicious cyberactivity against the United States in response to the economic sanctions recently imposed. So, whether you’re concerned with the risks arising from the conflict in Ukraine impacting the organization or whether the time has come to revaluate the company’s security posture—there are some highly credible resources available to help guide these efforts.

The NIST Cybersecurity Framework immediately comes to mind. It offers a clear set of guidelines for addressing and managing cybersecurity risks, based on existing standards, guidelines, and best practices published by NIST. While this framework was originally developed to improve risk management relating to critical infrastructure in the United States, security teams can use it in any sector of the economy or society. NIST clearly states: “organizations outside the United States may also use the framework to strengthen their own cybersecurity efforts, and the framework can contribute to developing a common language for international cooperation on critical infrastructure cybersecurity.”

And why not? Our security objectives share a similar tone regardless of role or location—securing organizations in the most effective way possible. We might as well share relevant tools and information to help us get there. As for the NIST Framework, there are some core uses worth pointing out. Initially, security teams can leverage the framework as guidance to help determine which activities are most important to assure critical operations and to help prioritize investments and maximize the impact of cybersecurity spending. But as with any set of guidelines that a company considers using, getting the most out of them comes down to first defining the organization’s goals.

For example, if the team aims to secure an enterprise that has gone through extraordinary changes from an increase in mobile and remote workers, rapid cloud adoption, or both, the NIST Framework can help prioritize projects or even help guide purchasing decisions—and ultimately reduce risk.

The cloud transformation scenario certainly isn’t uncommon these days, but it comes with major challenges for security practitioners. Traditional network security tools that have long been staples rely on visibility at endpoints in on-premises networks and security teams can no longer leave them to stop every threat. While it’s still important to make the environment as difficult as possible for attackers who come knocking, preventing their entry shouldn’t come at the expense of detecting them when they do. And here’s where NIST can lend a hand.

For practitioners, it’s become a widely useful resource that the industry should share. Statements like the one from the White House and ransomware alerts like this one that was issued as a joint notice from the FBI, CISA, and the NSA need to be taken seriously. We can also leverage them as resources to improve posture as they offer mitigation guidance. While government agencies are required to follow guidelines to protect critical infrastructure, most entities today operate in the private sector. It’s also the case internationally, where cybercriminals are no different and always try to find a way in without regard for how an organization deploys its enterprise. Regardless of the techniques, tactics, or toolkits they use, it’s not our government’s responsibility to stop them—it’s on us as defenders.

Willem Hendrickx, chief revenue officer, Vectra AI

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds