NIST Cybersecurity Framework Turns 5

If you are a small business owner or the manager of a larger enterprise, the NIST Cybersecurity Framework can help you build a cybersecurity program that works. The Framework is voluntary and designed to be tailored, so you can adopt the parts that fit your organization and its risks rather than implementing everything at once.

When developing your program, starting with NIST can make the process simpler.  You can check out NIST-CSF frequently asked questions first.  Then dive into the Framework itself.

According to NIST, “the Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer or supplier.”

An early step is to perform a comprehensive network audit and identify all the hardware devices connected to your network. There are many free and low-cost tools to help with this task, or you may decide to hire an outside contractor to do it for you. Treat the result as a living inventory rather than a one-time snapshot: a device you do not know about is a device you cannot patch, monitor, or defend.
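As an added example (not from the original post and not a NIST tool), here is a small Python script that reconciles what is actually present on a LAN against an approved asset list. It parses the output of the Linux `ip neigh show` command, keys devices by MAC address so a host with several IPs counts once, skips neighbor entries with no resolved link-layer address, and reports three things an auditor wants: approved devices seen, unknown devices seen, and approved devices that did not show up. The neighbor table, the approved list, and every MAC and IP address below are constructed for the example.

```python
"""Reconcile a live neighbor table against an approved asset inventory.

Added example for the "identify every device on the network" step of a
NIST CSF style program. All sample data is constructed, not captured.
"""
from dataclasses import dataclass, field

# Constructed sample of `ip neigh show` output on a Linux host (illustrative only).
# Note the FAILED entry with no lladdr, the mixed-case MAC, and the IPv6 entry
# that belongs to the same router as 192.168.10.1.
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
192.168.10.20 dev eth0 lladdr 00:1a:2b:3c:4d:20 STALE
192.168.10.77 dev eth0 lladdr 00:1a:2b:3c:4d:77 REACHABLE
192.168.10.150 dev eth0 lladdr 00:1A:2B:3C:4D:99 DELAY
192.168.10.99 dev eth0 FAILED
fe80::1 dev eth0 lladdr 00:1a:2b:3c:4d:01 router REACHABLE
"""

# Constructed approved inventory keyed by lowercase MAC (the audit baseline).
APPROVED = {
    "00:1a:2b:3c:4d:01": "core router",
    "00:1a:2b:3c:4d:20": "file server",
    "00:1a:2b:3c:4d:55": "HR printer",
}


@dataclass
class Device:
    """One physical device, possibly seen under several addresses."""
    mac: str
    iface: str
    addrs: list = field(default_factory=list)


def parse_neigh(text):
    """Yield (addr, iface, mac) for entries that have a resolved link-layer address.

    Entries in FAILED or INCOMPLETE state carry no `lladdr` token and are skipped;
    MACs are lowercased so the same device cannot appear twice because of case.
    """
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens or "dev" not in tokens:
            continue
        addr = tokens[0]
        iface = tokens[tokens.index("dev") + 1]
        mac = tokens[tokens.index("lladdr") + 1].lower()
        yield addr, iface, mac


def build_seen(text):
    """Group neighbor entries into one Device per MAC address."""
    seen = {}
    for addr, iface, mac in parse_neigh(text):
        dev = seen.setdefault(mac, Device(mac=mac, iface=iface))
        if addr not in dev.addrs:
            dev.addrs.append(addr)
    return seen


def reconcile(seen, approved):
    """Return (known, unknown, missing).

    known:   MAC -> inventory description, for approved devices that were seen
    unknown: MAC -> list of addresses, for devices seen but not in the inventory
    missing: MAC -> inventory description, for approved devices not seen
             (offline, decommissioned without updating the list, or on
             another segment; each needs a human to decide which)
    """
    known = {m: approved[m] for m in seen if m in approved}
    unknown = {m: seen[m].addrs for m in seen if m not in approved}
    missing = {m: approved[m] for m in approved if m not in seen}
    return known, unknown, missing


if __name__ == "__main__":
    known, unknown, missing = reconcile(build_seen(SAMPLE_NEIGH), APPROVED)
    for mac, desc in known.items():
        print(f"OK       {mac}  {desc}")
    for mac, addrs in unknown.items():
        print(f"UNKNOWN  {mac}  {', '.join(addrs)}  <- investigate and add or remove")
    for mac, desc in missing.items():
        print(f"MISSING  {mac}  {desc}  <- verify it still exists")
```

On a real host you would feed it `ip neigh show` output (or an `arp -a` parser with the same shape), run it from a box on each VLAN since the neighbor table only covers the local segment, and keep the approved list in version control so changes to the inventory are reviewed like any other change.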

Identify any security assets or tools you currently have in place, including the network firewall and end-point security software.

Assess who on your team needs cybersecurity awareness training. Running a phishing simulation followed by a training event can be quite effective at bringing employees up to speed with the new security program; the simulation results also give you a baseline to measure the training against.

This is a solid beginning for any company looking to put together a more effective cybersecurity program.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at