Center for Infrastructure Protection & Homeland Security

A Business Case for the NIST Cyber Security Framework

Richard Tracy, Telos Corporation

In February 2014, the National Institute of Standards and Technology (NIST) released a Cyber Security Framework (CSF) in response to Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” Among other things, this EO tasked NIST to develop a Framework to improve the cyber resilience of critical infrastructure systems.  Developed in coordination with industry, the Framework serves a host of important functions.  For owners and operators of firms that deliver critical infrastructure functions, the Framework can serve an important role in developing a business case for cyber security investments.

Executive leaders and corporate boards face a host of challenges as they seek to run efficient and profitable businesses.  Not the least of these challenges is the requirement to assess risk in the cyber environment, make prudent investments, and ensure that these investments yield returns in the form of risk reduction.  Viewed in this manner, the NIST CSF plays an important role in the vital business functions of risk assessment, compliance, investment to develop capability, and evaluation of results.  These allow for enhanced decision making and improvements to cyber security and resilience.

Some analysts estimate that private industry owns and operates as much as 80 percent of the nation’s critical infrastructure, which spans 16 distinct sectors. [1]

  • Chemical
  • Commercial Facilities
  • Communications
  • Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater

The NIST CSF was specifically developed to address cyber challenges in these critical infrastructure sectors.  However, since it was introduced nearly three years ago, many other industries have also come to understand the many benefits that the Framework has to offer.  In fact, the Framework has attracted international interest.

The Framework provides for a common and easy-to-understand language allowing cyber risks to be expressed to a broad and diverse audience, from the server room to the boardroom.  It is this aspect of the Framework that is most valuable.  Specifically, hundreds of detailed security controls (Informative References) are progressively rolled up into 98 Subcategories, 22 Categories, and ultimately 5 lifecycle Functions.  The Framework taxonomy is depicted in Figure 1 below.[2]

It is important to note that the development of the Framework with industry yielded a flexible instrument that can be tailored for a specific sector.  The Framework is designed so that a wide variety of industry-recognized security control sets, such as ISO 27001, COBIT, ISA, and NIST 800-53, can be used as Informative References.

Viewing these controls through the lens of the Framework offers great benefit to businesses.  Frequently, pure controls compliance exercises lack context.  The Framework offers this much-needed context, allowing business people to understand the benefit of controls compliance, the need for cybersecurity investments, and the value of such investments.

Examining controls compliance (or non-compliance) in the context of the easy-to-understand cybersecurity Functions (Identify, Protect, Detect, Respond, and Recover) is extremely beneficial for communicating the business benefit of, for example, an ISO 27001 audit.  From the perspective of these five functional areas, business people are better equipped to understand cyber security preparedness and resiliency.

Beyond pure controls-compliance, the Framework offers many other residual business benefits as well.  For example, it is possible to relate cyber security investments to the Framework to clearly understand where investments are being made and how these investments improve organizational security posture over time.  More specifically, the Framework makes it possible for leaders to understand and answer questions such as the following.

  • What is the investment balance between the five functional areas? Do your Protect-related investments make sense as compared to your Detect-related investment?  Does it appear that you are over or under-investing in certain Functional areas?
  • Is your firm making redundant cyber security investments within a functional area? Are you over-investing in certain areas?  Could you reallocate certain investments in one functional area to provide needed coverage in another functional area?
  • What is a good ratio of labor-to-technology investment within each functional area? Could you improve efficiency by investing more in automation vs manual labor?
  • Where are the gaps in your coverage? Are additional cyber security investments potentially required to address compliance gaps that result in unacceptable cyber risk?
  • What is the status of cybersecurity in the company over time? How do incremental investments from one year to the next satisfy critical security controls that improve your organizational security/risk posture?

The answers to questions like these, made possible by the application of the Framework, allow for meaningful cyber security dialog between IT staff, managers, officers, and boards.  Effective risk assessment, prudent investment, monitoring, and adjustment of risk reduction efforts are essential functions for leaders of private-sector firms.  The NIST CSF is an essential guide to making the business case for cyber security investment.

Using the Framework to organize cyber security compliance and investment data allows for cyber security analysis, discussion, and decision making.  Absent such a framework, it is difficult to put cybersecurity information into context.  Without context, cybersecurity data can often be too technical and is not especially helpful to business leaders.  Business leaders are essential to the cyber risk management process, as they need to understand the benefits associated with investing in cybersecurity and controls compliance.  The Framework provides the context needed to allow everyone in an organization to participate in the cybersecurity risk management discussion in a meaningful way.


References

[1] NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (Washington, DC: Department of Homeland Security, 2013), https://www.dhs.gov/sites/default/files/publications/NIPP%202013_Partnering%20for%20Critical%20Infrastructure%20Security%20and%20Resilience_508_0.pdf.

[2] Framework for Improving Critical Infrastructure Cybersecurity, NIST, February 12, 2014, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.