For a decade, the Cybersecurity Framework developed by the U.S. National Institute of Standards and Technology (NIST) stood as one of the gold standards that guided how tech and security teams should respond to cyber incidents, especially those attacks targeting critical infrastructure.
Over those 10 years, however, attackers’ tactics and techniques changed while a whole new series of threats emerged that targeted businesses and government entities beyond what is considered critical infrastructure. In response to these evolving situations, NIST worked to improve the framework. After two years of work, the agency released the updated Cybersecurity Framework 2.0 (CSF 2.0) with new best practices and recommendations for tech and security pros.
While originally designed for critical infrastructure, the 2.0 version of the framework is intended to work for nearly any organization regardless of size or market segment. It also incorporates and supports the Biden administration’s National Cybersecurity Strategy released in July 2023.
“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve,” Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio noted during the February announcement.
For technology and security professionals, the 2.0 version of the Cybersecurity Framework offers numerous ways to improve their skill sets through mastering the details of the framework. By understanding these fundamentals, tech professionals have a chance to improve their organization’s overall security posture as well as set themselves up for career advancement.
“NIST CSF 2.0 expands beyond guidelines for critical infrastructure, highlighting the fact that every enterprise of consequence is now a target. It provides tools for a broader audience,” Andrew Harding, Vice President for Security Strategy at Menlo Security, told Dice.
“The new framework and the implementation guidelines can help teams think at a higher level than the latest alert – it can enable them to engage in a discussion about risk management versus alarms,” Harding added. “This is especially true of teams that have been focused in a single area and now need to consider the network, endpoints and browsers or collaborate with those teams.”
Governance Becomes More Crucial
One of the most significant aspects of the original Cybersecurity Framework is its five core functions, which help an organization address a cyber threat and ultimately respond to it. These are: Identify, Protect, Detect, Respond and Recover.
The 2.0 version adds Govern to these core functions. The focus on governance is designed to give organizations a more holistic view of cybersecurity. CSF 2.0 shows how a threat affects not only IT infrastructure and data but also the business as a whole, specifically the risk to finances and reputation.
Cybersecurity experts noted that the addition of the govern core function is a fundamental shift within the framework. It is also an issue that tech and security pros need to brush up on to better understand the changes NIST introduced.
“Over the last few years, greater awareness of the risk cyber incidents pose to organizations has pushed cyber to the forefront as a business priority,” said John Allen, Vice President of Cyber Risk and Compliance at Darktrace.
There are two aspects of risk when it comes to cyber incidents: the likelihood of an incident occurring and the impact suffered should the incident occur, both of which are increasing, Allen added.
“Therefore, the govern function is a welcome and necessary addition to the framework as it supports the inclusion of cybersecurity risk into broader organizational risk communications and integrates cybersecurity risk management into broader enterprise risk management programs,” Allen told Dice. “As the threat landscape evolves, the new govern function will be essential for organizations to successfully manage the shifting risks facing their business.”
Other experts see the addition of Govern, or governance, as changing the way IT and security teams interact with each other and with the organization as a whole. This requires new approaches, such as learning business functions and improving communication skills.
“With NIST CSF 2.0 adding the ‘governance’ function, there will be an increased emphasis on aligning cybersecurity initiatives with the organization’s mission, the expectations of various stakeholders, and the legal, regulatory and contractual requirements that impact decisions related to managing cybersecurity risks,” Jordan Tunks, Manager for Cybersecurity Solutions at Pathlock, told Dice. “It also involves identifying and communicating essential goals by stakeholders and identifying the capabilities and outcomes that drive cybersecurity best practices from the bottom (security teams) up throughout the organization to high-level business decisions (management teams).”
The focus on governance also means security organizations will need tech professionals versed in subjects such as risk management, asset management and the technical nuances of emerging technologies, said Chad Graham, CIRT Manager at Critical Start.
“Teams will need to foster a deeper understanding of governance frameworks, enhance their technical skills to secure diverse platforms, and develop robust incident response capabilities that encompass a wider range of scenarios, reflecting the framework's evolution to address the complexities of modern cybersecurity landscapes,” Graham told Dice.
Fresh Approaches to Cybersecurity
The CSF 2.0 document also contains numerous other improvements and advice organizations can deploy to improve cyber defenses. These include:
A series of quick-start guides that address cyber issues and threats that organizations, including enterprises and small and mid-sized businesses (SMBs), can deploy as needed.
A greater emphasis on addressing security issues and flaws within supply chains, along with strategies for managing supply chain risk more effectively.
Several new reference guides that point tech and security pros to other NIST documents, while also offering tips and suggestions on how to communicate cyber issues and risk throughout the organization, including up to decision-makers in the C-Suite.
While all these CSF updates have their own importance, tech professionals first need to assess their organization's cyber defenses, posture and risk before adopting these fundamentals, said Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit.
“NIST CSF 2.0 adoption is best performed with a review of changes to the framework, a personal business assessment of how that impacts the organization within various business units and processes, such as audit, SecOps, risk and compliance teams and how to best perform change management - and when - for adoption of version 2.0,” Dunham told Dice. “This change management roadmap must also accommodate linked dependencies and mappings with other frameworks and compliance governance linked to existing controls that may be impacted as a company migrates to version 2.0.”
Menlo Security’s Harding also noted that conducting security assessments is critical to implementing the new NIST framework.
“Teams need to assess unaddressed gaps in their current systems and controls and try to extend defense in depth to the last mile, even for hybrid work and on unmanaged devices. In the end, CSF 2.0 is an important tool, and it also requires teams to think about assessing defenses and approaches that enable more efficient work in addition to operating monitoring systems and conducting analysis and response, especially in the context of browser security,” Harding noted.
Other experts believe, however, that most organizations already have the skill sets they need. The difference is how best to approach more advanced threats such as those within the supply chain.
“Many of the additions to CSF 2.0 were skills already sought or in use by security teams, so there is most likely an insignificant change in the skillsets desired by organizations for their cyber security team members,” said Richard Aviles, senior solution architect at DoControl. “The biggest change is that closer scrutiny for supply chain threats is now more front and center for organizations that seek to adopt or follow the CSF, though it's likely they were already paying attention to this area given the high profile this attack vector obtained in 2023.”