Your Guide to NIST CSF 2.0 and Business Risks

How to leverage the new NIST CSF 2.0 to quickly get a handle on business risks. 

Being a new small business has its advantages and disadvantages. It can be a lot easier to see and feel the disadvantages as you start to build your new company (I know I have literally been there), but if you just expand your awareness to see them, the advantages you will find are not insignificant. Opportunities to build the right culture, processes, and leadership style are a few advantages that anyone can capitalize upon. The clean slate a new company has before it couples well with the speed and flexibility to make decisions and pivot quickly.

You might be reading this and thinking, “When do we start talking about security?” The truth is, we have been the whole time. Proper security is like wearing the right kind and right size of shoes for the situation in which you find yourself. A security solution that fits poorly may not adequately protect you from the risks and requirements of your situation, or may not fit properly with your processes. One-size security does not fit all.

The next logical question is, “How do I cobble together a security solution that fits my business?” An excellent question if ever there was one. In years past, answering it would require hiring a consultant or doing a lot of research. Fortunately, NIST has refined the answer into what is known as the CSF, or Cybersecurity Framework, which is now in its second iteration. It is an adaptable framework, freely available to anyone, that technical and non-technical people alike can follow to craft a solution that properly addresses risks in a way that fits the business’s needs.

(The NIST Cybersecurity Framework (CSF) 2.0, Pg. 5, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf; 03/11/24) 

So you might be saying, “That’s great and all, but how do I use it?” Another excellent question. As the old saying goes, for one who sails without a destination port in mind, no wind is favorable, so first you need to get a handle on where you are. Answering some questions can help you get started.

Governance is the first question to address: craft formally written policies that state what your company will do about security, in as much detail as is needed to do it properly, from a perspective of accountability to process. Like many things, how you start can determine how you finish. You can just implement common controls and clean it up later, but that approach might leave you wishing you had written the governance documents to begin with when you are in the middle of merger and acquisition discussions, or when a customer asks for your documentation. It will save you from having to go back and get a handle on it in the wee hours of the morning, during that magical time implied by “I’ll do it later…” Just do it, NOW.

Below is your starting point, straight from the NIST CSF 2.0 guide: 

The CSF Core Functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER — organize cybersecurity outcomes at their highest level.  

• GOVERN (GV) — The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. The GOVERN Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy. 

• IDENTIFY (ID) — The organization’s current cybersecurity risks are understood. Understanding the organization’s assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks enables an organization to prioritize its efforts consistent with its risk management strategy and the mission needs identified under GOVERN. This Function also includes the identification of improvement opportunities for the organization’s policies, plans, processes, procedures, and practices that support cybersecurity risk management to inform efforts under all six Functions.

(The NIST Cybersecurity Framework (CSF) 2.0, Pg. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf#page=8&zoom=100,93,96; 03/18/24)

If this seems daunting, that’s OK; you will figure it out, and once you do, you will feel better about where you stand. Once you get past the first two stages you may need expert assistance, and I encourage you to check out our resources on addressing risk; but if you are past the startup phase and don’t have time to do it yourself, definitely seek a professional. One solution that may help is outsourcing the majority of the work to a Managed Security Service Provider (MSSP).

Some advice I would offer to anyone in the process is the following: 

  • A lot of people don’t understand that good security can actually improve your bottom line. That’s right, I mean it may MAKE you more money. Implementing processes and capabilities to shore up security can improve operational capabilities. It can also create a selling point for your company, as you can tell customers you have a formal security program to address risk; if you are a government contractor, this might be a requirement.
  • If you don’t know what something is, google it. Seriously, look up the definition, watch a few short videos on it if need be, but in this day and age you have ZERO excuse to hide behind. I don’t care what variation on the theme of “I’m not technical” you have; don’t let it stand in your way.
  • Keep it simple, stupid. Perhaps one of the best things I have ever seen or heard of is the KISS principle. Overcomplexity is simply not necessary. What you come up with in any part of this process should sufficiently address what is needed and nothing more. A lot of “experts” love to beat the drum of “it’s so complicated”; my retort is always “does it have to be?” Sometimes the execution is complex or advanced, but those are bridges you can cross when you come to them. There should be very little complexity in describing the governance and identification of risks as a start.
  • If you need help, ask for it. Once you get a good handle on your first few steps, Governance and Identification, ask an expert for some advice. You may need to get a consultant to help out, but at the very least you should be able to get a short consultation with them to understand their approach.
  • Here is what I would look for:
    1. Does this person have a sense of business enablement, or are they purely security-focused?
       • There is a time and a place to focus on technology solutions, but this should be measured by some discussion about business needs.
       • Because implementing security controls does not occur in a vacuum, see if this expert understands that security MUST support the business by asking open-ended questions and paying attention to the focus of their response.
    2. Know what you think you will need based on the risks you have identified, and ask them whether there are other areas you might be overlooking that you need help addressing.
    3. Ask them how they feel about business risks. Just listen; this will tell you quite a bit.
       • Do they tell you about tools, or do they ask about your needs?
       • Do they focus on just addressing risk, or do they ask about business needs and enablement?
    4. Take notes or record the meeting for reference, and jot down your thoughts.
    5. Seek out webinars and appropriate podcasts for information from recognized experts.

  • User Identity Management
    • Including Multi-Factor Authentication everywhere possible
  • Endpoint Protection – preferably advanced
  • Phishing Protection
  • End User Security Awareness Training – train people so they don’t fall for social engineering attempts.

For deeper security 

  • EDR/XDR – ability to detect and respond to threats automatically on servers and user devices 
  • SIEM monitoring (for larger organizations or orgs with larger risks) 
  • Ability to respond to incidents by at least being able to reimage an infected host. 
  • CASB – Cloud Access Security Broker: a tool that can safeguard the company data and users from intentional or unintentional use of cloud applications. 
  • Cyber Insurance policies – having a partner that can map controls to risks and lower insurance costs is a huge win. The extra “i” in Rhiino is what this is all about: we are Rh“iino”, “Invested in Outcomes,” which means we maintain the controls so you don’t have to, and we bring our insured guarantee along for the ride to pay your larger cyber policy deductible should you need it (and we can get you connected with the right people and organizations to make that policy happen).

Great question! Look at the processes in your business that generate revenue with an eye on understanding what role technology plays in supporting or enabling that process. 

  • Where do we store the sensitive information for this process? 
  • Who/what has access to it? 
  • How do we secure that information and access? 
  • Are there people that could be fooled into giving away something they shouldn’t? 
  • How do we secure the parts of the process that are less technologically enabled? (e.g., for a wire transfer request or a change to payment advice/details, is there a manual, out-of-band confirmation step before funds are sent or payment details are updated?)
  • How do we handle our devices that touch our data? 
  • How do we ensure that only authorized users can touch our cloud-based resources/apps? 

This should give you a lot of things to think about in crafting your approach to securing your company from risks. The NIST CSF 2.0 is an excellent guide for anyone embarking on such a journey. I wish you much luck and success, and should you need any help, please reach out and schedule an appointment with our team of professionals. You can also subscribe to our podcast, Security Confidential, and browse its extensive library of episodes.
