Common Misconceptions about NIST Cybersecurity Framework

For the first time since its creation in 2014, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) updated its key functions to include govern.

What does this mean for your organizations’ security governance program, and why does this matter?

To really understand the changes, let’s go back to the beginning.

What is NIST CSF?

The framework's goal has been to help industries, agencies, academics and nonprofits manage and reduce their cybersecurity risk. The framework provides a universal taxonomy and process any organization can use to understand, analyze, prioritize, remediate and communicate its efforts to reduce risk in cybersecurity.

The six CSF core functions were selected to enable the organization of cybersecurity outcomes:

• Govern
• Identify
• Protect
• Detect
• Respond
• Recover

The framework is made to scale. This makes its guidelines useful for organizations looking for best practices for reducing cybersecurity risk, regardless of size or funding.

What the NIST CSF is not

The framework is not a checklist. It does not tell organizations how to operate.

The framework is not for everyone. The guidelines and best practices it recommends are tailored to individuals responsible for cybersecurity programs. This means the resources provided such as cited documents and reference, may not be relevant to individuals operating outside of the security team or without direct knowledge of their enterprise's security tools, operations, and processes.

In fact, it is what the framework is not that makes the 2024 revision and addition of a sixth key function so notable.

NIST, the agency responsible for providing guidance in cybersecurity, now says a "govern function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five functions in the context of its mission and stakeholder expectations."

In short, governance activities are critical to the oversight of an organization's broader risk management strategy.

Now that we've established what the CSF is - and is not - we can apply this context to dispel five common misconceptions about the framework.

Misconception #1: The NIST CSF is only for large organizations

Many organizations believe the NIST CSF is only applicable to large organizations with extensive resources. In reality, the framework was designed to be scalable for enterprises of all sizes and funding.

The NIST Cybersecurity Framework 2.0 Reference Tool lets users at any stage of their governance and framework journey explore core functions, categories, subcategories and implementation examples. The framework is scalable, and revisions are made to ensure the guidelines are accessible to smaller organizations as well as larger entities.

Misconception #2: The NIST CSF is a compliance standard

While the NIST CSF is often used as a benchmark for compliance, it is not a compliance standard in itself. The framework is a set of guidelines and best practices that organizations can use to improve their cybersecurity posture.

It is not a mandatory requirement, but rather a voluntary tool that can help organizations better manage and reduce cybersecurity risks.

Misconception #3: The NIST CSF is a one-time assessment

Some organizations mistakenly believe that the NIST CSF is a one-time assessment. Also known as the CSF Excel spreadsheet, there's a false assumption among some security leaders that they can complete it, and then forget it.

In reality, the framework is designed to be an ongoing process that requires regular review and updates. As Gutsy advisor Bruce Schneier has been saying for decades, "Security is a process, not a product."

Cyber threats are constantly evolving, and organizations must continuously assess and improve their cybersecurity practices to stay ahead of potential attacks.

Misconception #4: The NIST CSF is only for IT departments

Yes, the framework addresses technical aspects of cybersecurity, but also emphasizes the importance of involving all levels of an organization in cybersecurity efforts.

The primary audience is people responsible for leading cybersecurity programs such as Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs).

The framework can also be consulted by individuals involved in managing risk, or direct involvement in the management and execution of the security stack, including:

• Executives
• Boards of directors
• Acquisition and technology professionals
• Risk managers
• Lawyers
• Human resources specialists
• Security auditors

Misconception #5: The assessment tool is the only way to implement the framework

The NIST CSF assessment tool is a popular way to implement the framework. Organizations can also use other tools and methods to implement the NIST CSF, such as third-party software or consulting services.

The important thing is to find a method that works best for your organization and allows you to effectively implement the framework.

By understanding and dispelling these common misconceptions, organizations can fully use the benefits of the NIST CSF and improve their cybersecurity posture.

How Process Mining Strengthens Security Governance Strategies

As discussed in this previous article, a framework is a valuable component of an organization's information security program. This is where the application of process mining for cyber provides a data-backed approach for managing and protecting sensitive information.

When security teams have a governance platform that can collect, analyze and respond to data collected from within their security operating systems, they can easily see where their executions are working, and fix the ones that don't.

Download our ebook, "Process Mining: The Security Angle" for use case explanations and real world examples of how improved security processes help organizations achieve their desired outcomes and solidify their governance approach.