NIST Cybersecurity Framework Turns 5

If you are a small business owner or even the manager of a bigger enterprise, the NIST Cybersecurity Framework can help you create a cybersecurity program that works.  The framework is voluntary, which means you can pick and choose the parts that work best for your organization.

When developing your program, starting with NIST can make the process simpler.  You can check out NIST-CSF frequently asked questions first.  Then dive into the Framework itself.

According to NIST, “the Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer or supplier.”

An early step is to perform a comprehensive network audit and identify all the hardware devices that are connected to your network.  There are many free and low-cost tools to help you with this task, or you may decide to hire an outside contractor to do this for you.

Identify any security assets or tools you currently have in place, including the network firewall and end-point security software.

Assess who on your team may need some cybersecurity awareness training.  Running a phishing simulation followed by a training event can be quite effective at bringing your employees up to speed with the new security program.

This is a great beginning for any company looking to put together a more effective cybersecurity program.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at