CREATe.org Releases Insights from Advisory Council Focused on Operationalizing the NIST Cybersecurity Framework

Share Article

New report features insights from the CREATe Cybersecurity Advisory Council about how companies are using the NIST Framework today, guidance and tools that would accelerate broader adoption of it, and ways to help companies utilize the Framework internally and with third party partners

“Our goal with this report is to help identify common approaches companies can take to systematically and cost-effectively apply the Framework internally and among third parties to improve cybersecurity.”

As part of an initiative focused on sharing best practices for cybersecurity, the Center for Responsible Enterprise And Trade (CREATe.org) today launched a report focused on ways companies can operationalize the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), with a goal of accelerating adoption internally and with third parties.

The report - Broadening Adoption of the NIST Cybersecurity Framework: Learnings from the CREATe Cybersecurity Advisory Council about the Key Ways to Help Companies Operationalize Leading Practices for Cybersecurity - features insights from senior cybersecurity, legal, compliance, risk and supply chain experts from corporations and universities around the globe. It addresses how companies are using the Framework today, guidance and tools that would accelerate broader adoption of it, and ways to help companies utilize the Framework internally and with third party partners.

“High-profile data breaches, cyber-attacks and loss of confidential information are putting cybersecurity at the top of corporate agendas,” stated Pamela Passman, President and CEO of CREATe.org. “Our goal with this report is to help identify common approaches companies can take to systematically and cost-effectively apply the Framework internally and among third parties to improve cybersecurity.”

The use of the Framework has expanded since its inception in 2014, with a 2016 report by the information technology research firm Gartner, stating that the Framework was used to some extent by 30 percent of U.S. organizations, and it is expected to rise to 50 percent by 2020.

However, for many companies, a key challenge lies in operationalizing the Framework – that is, using the results of the Framework’s risk assessment to directly improve their cybersecurity program.

The CREATe.org report focuses on four interrelated areas identified and addressed by the Advisory Council:

  • Defining assessment scope: Determining the boundaries when assessing a cybersecurity program is an ongoing challenge. Is the scope enterprise-wide or restricted to headquarters, business units, services, functions or locations? Defining and applying a consistent scope is needed to establish a meaningful baseline and track improvements over time.
  • Improving calibration of results through adding guidance and a maturity scale: Whether an organization is comparing the cyber capabilities of different business units, locations or third parties, it is critical to have a way to compare the results in a calibrated manner. Providing guidance and a defined maturity scale for each of the NIST Framework’s 98 controls improves the calibration of results.
  • Verifying assessment results: Organizations are using a variety of methods to verify the Framework assessment results. Three primary methods were identified and discussed: 1) verifying based on processes and functions used to complete the assessment; 2) peer review to verify by consensus; and 3) verification by an independent internal or external group.
  • Linking assessment results to prioritized, practical improvements: There was a need to bridge the gap between the Framework assessment results and practical implementation. Many organizations, particularly small- and medium-sized businesses, lack the resources and knowledge to operationalize NIST Framework results. This points to a need for tools and resources.

The use of the NIST Framework and its application to driving improved cybersecurity can be enhanced. The CREATe Cybersecurity Advisory Council has focused on, and will continue to address, the four interrelated areas that hold great promise to accelerating adoption: scope, calibration, verification and linkage to improvement.

The report is available to download for free by visiting: http://www.CREATe.org/Resources. For more information, email info@CREATe.org.

About the Center for Responsible Enterprise And Trade (CREATe.org)
This report was developed by the Center for Responsible Enterprise And Trade (CREATe.org), a non-governmental organization (NGO) with a mission to promote leading practices in cybersecurity, anti-corruption, and intellectual property (IP) and trade secret protection.

To achieve our mission, CREATe.org conducts a range of activities – from publishing reports and whitepapers, working with leading practitioners and experts through Advisory Councils, and contributing insights to a range of publications and events – designed to provide practical resources to educate organizations about the leading approaches to managing risk and improving governance and compliance.

CREATe.org launched its wholly-owned subsidiary, CREATe Compliance, to work directly with enterprises on the use of the CREATe Leading Practices services. CREATe works across diverse industries in countries around the world to provide cost-effective and practical assessments, independent evaluations, training and other resources for cybersecurity, anti-corruption, and IP and trade secret protection.

For more information, please visit http://www.CREATe.org and http://CREATe.org Compliance

Share article on social media or email:

View article via:

Pdf Print