by Jason Gobbel, Chief Solutions Officer, Kite Technology Group
We’re going to let you in on a secret. For years, we’ve applied the NIST Cybersecurity Framework in our work to secure clients' networks. We’ve rarely mentioned it because NIST has a reputation for being overly complex, or only for government agencies. It’s neither. The framework is actually a valuable tool and can be right-sized for anyone.
What is a Cybersecurity Framework?
The NIST Cybersecurity Framework organizes security controls into 5 core functions: Identify, Protect, Detect, Respond, Recover. When you pop the hood on each function, you discover categories and subcategories that become progressively more technical, providing guidance based on cybersecurity best practices. You don’t need to master this level of detail.
But there are a few tips you should know before adopting a cybersecurity framework, like NIST, to maximize your ROI.
1. Use Cybersecurity Frameworks to Hold Your IT Expert Accountable
When you grasp the key points and purpose of your cybersecurity framework, you establish a common vernacular with your IT provider. Then you’re able to check their policies and procedures against the goals of the framework.
Another way to hold your provider accountable is to ask which peer groups they’re involved with. At Kite, we’re in a group with other IT providers. We open our books to other members who scrutinize our practices and make recommendations.
2. Regulated and Non-Regulated Industries Find Value in Frameworks
With a cybersecurity framework like NIST, obscure requirements can be mapped back to specific categories and sections, providing mechanisms to control risk. It’s granular but flexible and many organizations have incorporated it into their processes. Advisory bodies, like the National Association of Insurance Commissioners (NAIC), use NIST in their recommendations.
3. Frameworks Prove to Clients You Take Cybersecurity Seriously
Sophisticated, larger clients, like banks and law firms, are likely to send you a detailed questionnaire before signing a contract to discover how you’ll protect their interests. We help our clients complete these forms and commonly see questions like:
Are you encrypting emails?
Do you have intrusion detection systems on the network?
Do you require employees to change passwords?
If you can’t say yes, you likely aren’t going to get that client.
4. You Don’t Have to Check Every Box
Checking every box would be great, but we’d all be broke. Instead, make the framework work for you. Use it to uncover actionable items that will have a significant impact on your security profile.
Use a cybersecurity framework in tandem with risk assessments
The sandwich shop up the street has a different risk profile than someone collecting social security numbers on directors' and officers' applications. A cybersecurity framework and an assessment will provide recommendations tailored to your business and exposures relative to your peers and other industries.
5. You’ll Uncover Cost-Effective Security Solutions
Not every step you take toward improving your security profile will be expensive, and your IT provider will work with your budget. When we do risk assessments for clients, we look at all deficiencies and start a conversation about the current state and where we want to go. Then we work out the strategy, which often involves simple additions, like automatic screen locking on computers.
Plus, everything has a price tag. To really evaluate cost, you need to understand what would happen if you don’t act. Think of security as an investment that protects against the astronomical costs of not securing your systems and data. It’s not $10/user/month for a product, it’s $10/user/month to solve a problem that plagues 60% of businesses.
6. Cybersecurity Frameworks Won’t Solve All Your Problems
Unfortunately, you can do everything in your power to reduce risk exposure, but some things are out of your control. That’s where cyber insurance comes in.
Cyber insurance is a vital part of your strategy. If you own a computer, conduct business online or use email, you need a cyber liability policy. Otherwise, you’re stuck paying hourly emergency rates for an IT security professional to do a root cause analysis, threat assessment and exposure assessment.
Work with IT Experts Who Understand Risk
When we partner with a business, it’s about more than security. We care about their business, employees and livelihood. To better serve our partners, we employ people with insurance backgrounds. Their expertise and deep understanding of risk inform the actions we take to protect our clients. Contact us to learn more.