By Madison Iler   /   Sep 21st, 2021

Tips for Planning Your 2022 NIST CSF Maturity Gains

At this time of year, we find that many of our clients are making their cybersecurity action plans for 2022, and it’s crucial that you also remember to plan for NIST CSF maturity gains. Planning typically includes a combination of initiatives to:

  • Address known cybersecurity gaps
  • Improve upon existing security controls
  • Increase overall cybersecurity maturity

Sadly, no one can afford to implement all of their cybersecurity needs, far less their wants, at any given time. So it’s important for organizations to enhance their cybersecurity each year, and using the NIST CSF (Cybersecurity Framework) is a great way to help you structure and track your cybersecurity maturity goals.

Creating a Plan to Increase Your NIST CSF Maturity

I’ve written previously about the first element, addressing known cybersecurity gaps. My blog on what to do after your risk assessment discusses risk treatment options, prioritization, risk reduction opportunities, risk acceptance, and maintaining a risk treatment plan for tracking and communications.

This blog focuses on the second element of planning your cybersecurity roadmap: continuous improvement. As organizations plan for 2022, the new year brings a natural opportunity to take stock of your current security posture, consider organizational goals and risk tolerance, and identify areas that may be partially or mostly implemented, but perhaps not yet at your desired maturity level.

LMG Security’s consultants find value in leveraging a cybersecurity controls framework for gap assessment and planning your roadmap, both short and long term. Choosing a framework also allows you to gauge progress over time and supports organizational goal setting and communication. This gives you a path to follow, so you can plan to increase your NIST CSF maturity each year.

What is the NIST CSF?

It is a comprehensive, enterprise-wide framework that consists of industry standard best practices for managing cybersecurity risks. It was designed to be flexible to support organizations of various sizes and industries, making it a solid framework choice for most organizations. Here is a recap of the NIST CSF, but you can visit their website for even more details:

Structure: The framework is organized into five core security Functions: Identify, Protect, Detect, Respond, and Recover. Within each Function are Categories, which describe cybersecurity objectives for each Function. There are 23 categories, such as Asset Management, Access Control, Data Security, and Response Planning. Each Category is then supported by Subcategories, which NIST describes as “outcome-driven statements that provide considerations for creating or improving a cybersecurity program.”

Implementation Tiers: The NIST CSF is organized around four “Tiers,” which provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers are Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive security programs to programs that are agile and risk-informed. The Tier structure can support organizational goal setting and decision-making regarding the management of cybersecurity risk. Organizations may use the Tiers to identify a Current Profile and a Target Profile, which can then support communication and planning for improvements and new initiatives.

Pro Tips for Planning Continuous NIST CSF Maturity Improvements

As you begin your cybersecurity planning for 2022, here are some pro tips to consider that will help your organization enhance your NIST CSF maturity each year:

  • Don’t assume you should have the same Target Tier for each Function. When you set your Target Tiers, you should consider the context of your organization, environment, and cybersecurity priorities. For example, a financial services or insurance company that collects and processes large amounts of sensitive information may prioritize the Protect function, but a manufacturing company or SaaS provider may prioritize the Detect, Respond, and Recover functions if operational uptime is critical. Each organization will have its own priorities, and each year you should plan to upgrade some aspects of your organization’s cybersecurity, so you make continual progress in your NIST CSF maturity.
  • Categories and subcategories are two different things. The NIST Categories are about what you want to achieve, while the Subcategories provide ways to do so. Look at the Categories when thinking about what you are trying to accomplish and evaluating whether your selected controls are achieving your desired outcomes.
  • Resist the temptation to use the Subcategories as a mandatory checklist for each Category. Some Subcategories may be more relevant to your environment or provide more impactful risk reduction than others, so it makes sense to select carefully and prioritize.
  • Maintenance vs. Improvement. If you reach a point where certain controls are implemented as planned and providing your intended outcome, it is OK to focus on maintaining rather than improving. This is often an indicator that you have met (or are close to meeting) your NIST CSF maturity goals in this area. In maintenance mode, we recommend continuing spot checks, audits, and testing to ensure the controls or processes continue to be implemented or followed consistently. Also be sure to revisit the controls in conjunction with any changes to your technologies, services, products, or environment. But if the controls are meeting your organization’s needs, it makes sense to shift attention and resources to other areas that may need further improvement.

Defining Your Organization’s Priorities

If you are still not sure what areas to prioritize, here are a few recommendations from the LMG Security team, with links to previous blogs for more details.

  • Strong authentication should be high on your cybersecurity planning list. This includes long passwords and multifactor authentication wherever possible.
  • Security awareness training is essential for reducing cybersecurity risk. Emphasize phishing awareness and conduct regular phishing tests to gauge the effectiveness of your training program and identify users who may need additional training.
  • Take steps to both prevent and prepare for ransomware, which continues to be a significant threat to organizations of all sizes and across industries.

If this feels like a lot, our team can offer advice or assessments to gauge your current cybersecurity posture and identify opportunities for improvement. Contact us if you would like an experienced LMG Security consultant to work through this process with you to identify impactful, actionable ways to reduce risk and improve your organization’s overall cybersecurity posture.

About the Author

Madison Iler

Madison is LMG’s Chief Strategy Officer. She assesses organizations’ compliance with regulatory requirements such as HIPAA, and assesses the strength of their security program and overall security posture using widely accepted frameworks such as the NIST Cybersecurity Framework. She previously served as a Senior Network Security Engineer for Lockheed Martin in support of the National Science Foundation, Security Engineer for SecureInfo, and Security Compliance Analyst for Raytheon Technical Services. Prior to moving into IT security, Madison worked in IT operations. She has also worked as a management consultant with McKinsey & Company. Madison earned her BA in Economics from the University of Colorado and her MBA from MIT’s Sloan School of Management. She holds the CISSP and HCISPP security certifications.