4.4 Applicability of the Cybersecurity Framework
Bottom line:
- Cybersecurity risk continues to increase, with no signs of slowing down
- Costs of cybersecurity risks continue to grow
Why?
The greatest threat that faces any of us today is the threat of complexity: Trillions of lines of code in billions of devices, with ubiquitous connectivity across the globe.
Dr. Ron Ross, Distinguished Fellow of NIST
Characteristics of the Framework
Voluntary Framework
The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.
Flexible, Adaptive
The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.
Focus on Risk Instead of Controls
Organizations will continue to have unique risks (including different threats and vulnerabilities) and risk tolerances, as well as unique mission objectives and requirements. Thus, organizations' approaches to managing risks and their implementations of the CSF will vary.
Focus on Risk Instead of Compliance
https://www.reddit.com/r/cybersecurity/comments/1crxcwi/compliance_isnt_security/
- While compliance with regulations and standards is important, an organization's first goal is to reduce risk and to foster a risk-based mindset.
- Compliance then follows from that risk-based posture, rather than being the starting point.
Facilitates Communication and Collaboration
When implementing the CSF, managers will focus on how to achieve risk targets through common services, controls, and collaboration, as expressed in the Target Profile and improved through the actions being tracked in the action plan (e.g., risk register, risk detail report, POA&M)
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
Preparing to create and use Organizational Profiles involves gathering information about organizational priorities, resources, and risk direction from executives. Managers then collaborate with practitioners to communicate business needs and create risk-informed Organizational Profiles.
- Common language and structure for discussing cybersecurity risks, enabling different teams and departments to communicate effectively and align their efforts.
- This characteristic fosters a culture of collaboration, ensuring that cybersecurity considerations are integrated into various aspects of the organization's operations.
Continually Improving and Evolving
Transcript
Now that we have some fundamentals in risk management from Chapter 3 and are starting to immerse ourselves in CSF in Chapter 4, we need to start with why. Why do we have CSF? What is its applicability?
In this section, there are two key things you need to remember for the exam. I'll also provide context on why these two things are important.
- Cybersecurity risk continues to increase.
- Cybersecurity risk is growing in cost.
Because of these two drivers, we need CSF to help manage these issues.
Why is Cybersecurity Risk Increasing?
To unpack that, let's start with Dr. Ron Ross, a distinguished fellow of NIST, who says the greatest threat we face today is the threat of complexity. Trillions of lines of code in billions of devices with ubiquitous connectivity create a large exposed attack surface. His points about technology being complicated and everywhere are in my top ten reasons why cybersecurity is hard. CSF makes cybersecurity easier.
Top Ten Reasons Cybersecurity is Hard:
- Technology is Everywhere and Complex:
  - McKinsey states that every company is a software company. For example, an apple farm relies on software for billing and supply chain management, making it a software company.
  - The interconnectedness of sensors, servers, and endpoints increases the attack surface in cyberspace.
- Systems are Inherently Flawed:
  - All systems fail and are vulnerable. Since 1988, 200,000 vulnerabilities have been discovered in software, and these are just the ones we know about.
- Technology is Rarely Secure by Default:
  - Dr. Ross highlights the importance of least functionality, one of his top two favorite controls.
- Cybersecurity is Complicated:
  - There are 3,500 vendors in 18 categories in the cybersecurity market, adding layers and complexity to security.
- Cyber Threats are Dynamic:
  - Unlike static threats like fire, cyber threats are always changing, creating an innovation arms race between attackers and defenders.
- Cybersecurity is a Silent Killer:
  - When your identity is stolen or unauthorized access occurs, it might go undetected for weeks, months, or years.
- Economics Drive More Actors and Capability:
  - Cybercrime costs are often cited in the trillions. Whether the correct number is 6 trillion or 1 trillion, it's clear that cybercrime is significant and growing.
- The Threat is Evolving: We're in Early Innings and the Science Isn't Settled:
  - Cyber threats now impact cars, satellites, IoT, industrial, physical, and consumer sectors. The levels of danger range from hacktivism to crime, espionage, terrorism, and warfare, all occurring on the same IP version 4 Internet.
- Skill Shortage:
  - There's a significant shortage of cybersecurity skills, which is why we're here.
- Other Challenges:
  - If I've missed any other challenges, let me know.
These points help explain why costs and risks are rising and the importance of CSF. Let's learn more about it in the next video. I'll see you there.