NIST CSF 2.0: Because an Ounce of Prevention Beats a Pound of Cure

Mar 4, 2024

Last August I wrote about how a failure to observe simple cyber hygiene, and the prioritization of convenience over security, has resulted in many otherwise preventable data breaches. I wasn’t breaking any news, merely shouting into the void that doing the little things can add up to better cybersecurity. Every study on the matter shows that preventable errors are a persistent factor in compromised data: misconfigurations, improper technology deployments, “misdeliveries” of sensitive data to the wrong recipients, and failure to encrypt.

Ready Resources

In that blog I pointed to some readily available resources for implementing simple security improvements, such as seven best practices for keeping managed file transfer secure and some ways to better protect your digital supply chain. I also called out the National Institute of Standards and Technology (NIST)’s efforts to update its cybersecurity framework after more than a decade, to help organizations adapt to the challenges of the current threat landscape.

Well, if you haven’t already heard, as of February 26, 2024, NIST Cybersecurity Framework 2.0 (CSF 2.0) is no longer a draft.

Not Just for Critical Infrastructure

NIST’s original cybersecurity framework, CSF 1.0, was developed to help critical infrastructure organizations develop cyber-defense strategies against threats that could exploit weaknesses in networks never designed to be connected to the public internet. Many of those organizations relied on a mix of operational technology (OT), older systems running obsolete operating systems, and industrial controls designed without much thought of being targeted by cybercriminals, because they were supposed to be air gapped and beyond the reach of anyone not in the building.

As it turns out, it wasn’t just critical infrastructure operators that needed guidance on protecting their networks from threats like ransomware and cyberespionage. The principles upon which CSF 1.0 was built – Identify, Protect, Detect, Respond, Recover – were broadly applicable to every organization. And with the definition of critical infrastructure broadening to include not just dams, pipelines, power grids, telecommunications, and transportation, but hospitals, financial services, and nearly every large enterprise that might disrupt economic activity, an updated framework was needed.

Review and Revamp Cybersecurity Strategies

With a nod to the many tools available to help organizations manage a complex set of security controls, Governance was added to the now six pillars of security on which CSF 2.0 is based, making it a ready resource for any organization operating in any industry. In fact, while CSF 2.0 describes a framework that on its own will help many organizations (and especially those that are resource constrained) to reconfigure their cybersecurity strategies, SecurityWeek reports that “CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents.”

That will undoubtedly prove to be a big help to those looking for trusted resources. Instead of trying to sift through all the vendor hype about what tools and approaches work best to defend against the biggest threats (all of which seem to point to whatever solution that vendor happens to sell), they can start with those identified by NIST and work out from there to list their biggest priorities and set out to tackle them.

(As a vendor that regularly points out the often-overlooked risks of do-it-yourself file transfer schemes, I recognize that the last paragraph might seem a bit ironic. Not all vendors engage in blatant fearmongering and trend-chasing, however, and Coviant Software is among those that don’t. We try to focus on our wheelhouse and do so with as much objectivity as we can. Besides, managed file transfer can never be labeled “trendy.”)

Protect and Support Operations

We recommend that every organization use this news as an opportunity to re-evaluate its cybersecurity strategy. Whether you adopt NIST CSF 2.0 or some other approach, there is no “set it and forget it” in data protection. As Katherine Ledesma, head of public policy & government affairs with cybersecurity firm Dragos, told SecurityWeek, “CSF 2.0 continues to move the conversation from cybersecurity investment as a cost center to cybersecurity investment as a way not only to protect but also support business operations, particularly when it comes to ICS and OT cybersecurity.”

That’s another way of saying, “An ounce of prevention is worth a pound of cure.” And we agree. Let’s strive to do better at stopping cybercriminals rather than cleaning up the messes they leave behind.