
Omar

3 Tips for implementing the NIST Cybersecurity Framework CSF


Each day, more organizations, regulators, and governments adopt the NIST Cybersecurity Framework (CSF) to reduce cyber risk. The CSF has been the fastest-adopted framework worldwide because of its simplicity, effectiveness, and flexibility. It is designed to let organizations govern cyber risk at the top-management level without requiring an understanding of complex security terminology and skills.

Here are some tips to help you approach the implementation of the CSF in a simplified way.

The Approach:

The NIST CSF is not meant to be a compliance checklist. Many standards define the "how" and "how much" of cybersecurity, including ISO 27001, PCI DSS, COBIT, ISA, and others. The NIST CSF is meant to represent the "what." The main benefit of the CSF is to make sure that cybersecurity is aligned with the organization's strategy and goals. In addition, the CSF enables executive-management engagement and guides the implementation of security measures so that they are effective.

The CSF is Iterative

The CISO should implement the NIST Cybersecurity Framework as a living program. After its first round of implementation, it should keep evolving to take the organization through the required cybersecurity maturity levels and, later, its growth and development plans.

Where to begin:

Begin by defining the organization's different profiles. Organization profiles cover the client interface to the organization, its threats and vulnerabilities, and supplier management.

For each defined profile, the framework core is assessed to determine the tier for each category and subcategory of the CSF Core.

The references list for each subcategory points to the related standards. This makes it easier for organizations that have already implemented ISO 27001 and PCI DSS to manage the framework.

The tiers for each category and subcategory then determine the organization's tier. Tiers are not maturity levels: if your organization is at tier 3 on one subcategory, moving to tier 4 may be unnecessary. Some risks are not significant enough to justify reaching tier 4 given the investment required to get there.

Finally,

CSF implementation is not a "one size fits all" approach. It is also critical not to try to solve everything at once. Instead, the implementation should spotlight the organization's risk tolerance and increase C-suite managers' involvement in cybersecurity decision-making. A proper implementation of the framework should also help the CISO build business cases for different initiatives and guide the roadmap to cyber resilience.


Application Security Webinar

Extend Right, on how to overcome the pitfalls in your application security and fasten your SDLC, is almost here!

See you on May 25, 2021!


Cybersecurity Economics Webinar

What are the economic drivers that influence cybersecurity? …

How can threats be mitigated by addressing the real economic problem?…

While many information security experts think of cybersecurity as a technical problem, this webinar shows a different side of the security decision-making process: a security risk mitigation almost always comes down to a cost and investment decision.

Security failures are often caused by bad business decisions. This webinar provides an introduction to the field of cybersecurity economics. Without going deep into economic concepts, it discusses measurement approaches and data analytics for making better security decisions, so that you can engage confidently with management on cybersecurity challenges.

Agenda

Introduction to the field
- Economics of information goods

Measuring cybersecurity
- What to measure?
- Security metrics
- Data collection and processing

Market failures and policy
- Policy interventions to correct market failures

The human factor

Conclusion
- Security economics and policy


Do we even have a good CISO?

I have to admit this: I am a sucker for success, talent, and professionalism. Who wouldn't be? Right?

I am always pleased to talk to a successful executive, or to hear from a talented person about his/her passion and profession. I am always amazed by a woman director or manager who is working against the odds of culture and achieving success on both the career and personal fronts. Maybe it is because I have a daughter who is just starting her way as a college girl, and I can't help but wish her all the best on all frontiers.