
Using NIST for Easier Cybersecurity Management

Corporate executives can develop enough expertise to comfortably navigate key cybersecurity risk management concepts

Cyber Tactics
April 1, 2014

In last month’s column, we proposed that cybersecurity is a business necessity that requires C-Suite attention. Security readers likely agree that thinking of cybersecurity merely as an IT issue “is similar to believing that a company’s entire workforce, from the CEO down, is just one big HR issue.” This month, we will explore how corporate executives, including the owners of small and medium businesses, can develop enough expertise to comfortably navigate key cybersecurity risk management concepts. Most importantly, there is no need to speak geek or to spend any money.


You’ve Heard of the NIST Framework. Now, Use It!

When the National Institute of Standards and Technology (NIST) does something, it tends to go all out. So, when the President of the United States asked (okay, he directed) NIST to develop a cybersecurity framework, the group left no stone unturned. In fact, over the course of a year, NIST worked with more than 3,000 individuals and organizations on standards, best practices and guidelines before publishing their final document. The result is freely available at www.nist.gov/cyberframework. Not including the Appendix, it is only 17 pages long. Surely you can find the time to read 17 pages!


Strengthen Your Core

NIST developed parts of the framework as a roadmap for officer and director engagement. Specifically, the framework identifies five high-level functions to “provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines and practices.” 

After gaining an understanding of the five functions, executives might open up the conversation by asking their team these questions:

  1. How do we identify our critical data and services, and the risks associated with them? (Look for answers involving asset management, governance and risk assessments.)
  2. How do we protect our critical data and services from harm? (Listen for a range of technical, physical and administrative controls.)
  3. What technologies and personnel do we have in place to detect the occurrence of a cybersecurity event that bypasses our protections? (Consider what aspects of your network activities are continuously monitored, and whether logging activities actually are reviewed.)
  4. How will we respond to a detected cybersecurity event? (At a minimum, answers should refer to and be gleaned from an Incident Response Plan.)
  5. How would we recover from a cyber incident in a timely manner? (Determine the extent of your business continuity and resilience planning and training.)


Tiers for Attention

NIST also proposes that businesses consider a four-tier system to help determine whether their cyber risk management processes, their enterprise-wide integration and their external partnerships are (1) only partial, ad hoc, reactive, stove-piped and insular; (2) risk-informed, prioritized, enterprise-aware and partner-aware; (3) repeatable, formalized, updated and collaborative across the enterprise and with external partners; or, (4) adaptive, continuously aware and continuously improved through lessons learned. 

Although the tier system has the look and feel of a classic maturity model, NIST rejects that term since progression to higher tiers is only encouraged “when such a change would reduce cybersecurity risk and be cost effective.” Phrased differently, just because something can be done to lower security risk does not mean that the NIST framework requires that it be done. This approach is quite different, for example, from a standard that would require all technically possible cybersecurity measures to be implemented. Instead, the NIST approach implicitly acknowledges that even a good risk management process can result in a bad cybersecurity event; the unfortunate truth is that some risks never will be eliminated. Still, although NIST steers clear of requiring specific controls for specific situations, the framework offers little or no refuge to officers, directors or business owners who fail to engage actively and continuously in a detailed evaluative process.


Get With The Program

Putting it all together, NIST identifies a seven-step cycle for creating a cybersecurity program:

  1. The executive team identifies organizational mission priorities, determines the scope of systems and assets that support the selected business line or process, and makes strategic decisions regarding how best to control them.
  2. The organization identifies the business dependencies of its systems and assets (and those of third parties), together with legal requirements, threat actor intelligence and identified vulnerabilities.
  3. The organization creates a current profile regarding each of the five high-level “core” functions discussed earlier.
  4. The organization conducts a risk assessment that incorporates “emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.”
  5. The organization develops a target profile of desired cybersecurity outcomes.
  6. The organization determines, analyzes and prioritizes the gaps between its current and target profiles.
  7. The organization develops and implements an action plan to reduce the gaps. Then, repeat.
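Steps three, five and six of that cycle (current profile, target profile, prioritized gaps) can be made concrete with a few lines of code. The script below is an added example, not NIST’s or the columnist’s; it records a tier for each of the five core functions, computes the gap to the target tier, and orders the gaps by a risk weight. The profiles and risk weights are constructed sample values standing in for what a real risk assessment (step four) would produce, and the tier names are NIST’s own labels for the four tiers the column describes.

```python
from dataclasses import dataclass

# The five core functions the column lists.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# The four implementation tiers; the column describes them as partial,
# risk-informed, repeatable and adaptive.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class GapItem:
    function: str
    current: int
    target: int
    risk_weight: int  # constructed likelihood-and-impact score from the risk assessment

    @property
    def gap(self) -> int:
        # A target at or below the current tier needs no action: NIST only
        # encourages moving up when it reduces risk and is cost effective.
        return max(0, self.target - self.current)

    @property
    def priority(self) -> int:
        return self.gap * self.risk_weight


def validate_profile(profile: dict) -> None:
    """Reject a profile that misses a core function or uses an unknown tier."""
    missing = [f for f in FUNCTIONS if f not in profile]
    if missing:
        raise ValueError(f"profile lacks functions: {missing}")
    for f in FUNCTIONS:
        if profile[f] not in TIERS:
            raise ValueError(f"{f}: tier {profile[f]!r} is not one of {sorted(TIERS)}")


def build_action_plan(current: dict, target: dict, risk_weight: dict) -> list:
    """Compare the current profile with the target profile and return the open
    gaps ordered by risk-weighted size, largest first. Functions already at or
    above their target tier are left out of the plan."""
    validate_profile(current)
    validate_profile(target)
    items = [GapItem(f, current[f], target[f], risk_weight.get(f, 1)) for f in FUNCTIONS]
    open_gaps = [i for i in items if i.gap > 0]
    # Tie-break on raw gap size, then on the framework's function order.
    return sorted(open_gaps, key=lambda i: (-i.priority, -i.gap, FUNCTIONS.index(i.function)))


def describe(item: GapItem) -> str:
    return (f"{item.function}: tier {item.current} ({TIERS[item.current]}) -> "
            f"tier {item.target} ({TIERS[item.target]}), priority {item.priority}")


# Constructed sample data: a business that monitors little and has no
# exercised incident response, but keeps good backups.
CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 2}
RISK_WEIGHT = {"Identify": 2, "Protect": 3, "Detect": 4, "Respond": 3, "Recover": 2}

if __name__ == "__main__":
    for item in build_action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT):
        print(describe(item))
```

With the sample data the plan lists Detect first (two tiers short and the highest risk weight), then Respond, Protect and Identify; Recover is already at its target and is omitted. Repeating the run after the action plan is executed, with an updated current profile, is the “then, repeat” of step seven.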


Conclusion

If cybersecurity is not already the focus of your C-Suite, it soon will be. Although the benefits of the NIST framework are not limited to the cyber uninitiated, it certainly offers them an excellent place to start.


About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a big-data cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, cyber security assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division.

KEYWORDS: CISO cybersecurity compliance cybersecurity standards NIST cyber security framework
