
NIST Cybersecurity Framework 2.0: A Deep Dive into the New Governance Function

Date published: Dec 22, 2023

Fayyaz Makhani

Global Security Architect


In today's digital landscape, the need for robust cybersecurity practices has never been greater. With the rapid growth of cyber threats and attacks, organizations across all sectors constantly seek ways to bolster their defenses and protect sensitive data. To address these challenges, the National Institute of Standards and Technology (NIST) has released the NIST Cybersecurity Framework 2.0 (CSF), which introduces a significant enhancement: The Governance function.

The Significance of Governance in Cybersecurity

The NIST Cybersecurity Framework has long been a cornerstone for organizations looking to enhance their cybersecurity posture. The original framework consisted of five core functions: Identify, Protect, Detect, Respond, and Recover. While these functions provided a solid foundation for managing cybersecurity risks, the evolving threat landscape called for a more comprehensive approach. This led to the addition of the Governance function in CSF 2.0. The inclusion of the Governance function sends a powerful message about the evolving state of cybersecurity: it highlights that cybersecurity is not solely a technical concern, but also an integral part of an organization's overall business strategy.

Governance and Its Impact on General Business

Regardless of their industry or sector, businesses handle vast amounts of sensitive information, making them prime targets for cyberattacks. The addition of the Governance function in the NIST CSF 2.0 is particularly relevant to these entities, as it emphasizes the following key points:

           
  • Leadership Responsibility: The Governance function strongly emphasizes leadership roles within organizations. It expects organizational leadership to take responsibility for cybersecurity decisions, establish a culture that prioritizes risk awareness and ethical behavior, and promote continuous improvement. In the business world, this means that CEOs, boards of directors, and executive teams must actively engage in cybersecurity governance.
  •        
  • Alignment with Business Goals: The revised framework underscores the importance of aligning cybersecurity practices with business objectives. Businesses must recognize that effective cybersecurity protects their assets and supports the achievement of strategic business goals. This alignment can lead to better risk management and improved overall business performance.
  •        
  • Risk Management Strategies: The Governance function highlights the need for organizations to establish clear cybersecurity risk management objectives and strategies that account for their unique risk appetite and tolerance. This ensures that cybersecurity efforts are aligned with the organization's specific risk profile.
  • Supply Chain Risk Management: Supply chain security has become a prominent concern recently, with numerous high-profile breaches originating from third-party vendors. CSF 2.0 expands the guidelines to cover supply chain risk management. Businesses should strengthen their supply chain security measures, conduct third-party assessments, and closely monitor vendors' cybersecurity practices. Learn more about securing your supply chain in our blog, How to Secure Your Software Supply Chain.

Incorporating the Revised Guidelines

To effectively leverage the NIST Cybersecurity Framework 2.0 and its new Governance function, businesses should adopt a proactive approach. Here are six key ways organizations can incorporate these revised guidelines into their practices:

           
  1. Engage Leadership: Actively involve organizational leadership in cybersecurity decision-making. Encourage executives to take responsibility for cybersecurity risks and to create a culture that values risk awareness and ethical behavior. Leadership buy-in is crucial for the successful implementation of cybersecurity measures.
  2.        
  3. Establish Clear Objectives: Establish clear cybersecurity risk management objectives that align with your organization's mission and goals. Ensure these objectives are communicated throughout the organization to foster a shared understanding of cybersecurity priorities.
  4.        
  5. Integrate Cybersecurity into Enterprise Risk Management: Recognize that cybersecurity risk management is integral to overall enterprise risk management. Ensure that your cybersecurity strategy aligns with and complements broader risk management efforts.
  6.        
  7. Supply Chain Risk Mitigation: Evaluate your supply chain's cybersecurity posture and develop strategies to mitigate associated risks. This may involve conducting regular assessments of third-party vendors, establishing contractual cybersecurity requirements, and monitoring compliance.
  8.        
  9. Regular Review and Adaptation: Establish processes for regularly reviewing and adapting your cybersecurity risk management strategy. Cyber threats and business environments are dynamic, so your approach must evolve accordingly.
  10.        
  11. Risk-Aware Culture: Encourage a culture of risk awareness within your organization. This includes fostering ethical behavior, promoting continuous improvement, and ensuring that employees at all levels understand their roles in maintaining cybersecurity.

Impact on Security Teams

The introduction of the Governance function in the NIST Cybersecurity Framework 2.0 is likely to have a notable impact on the roles and responsibilities of security teams within organizations, including:

           
  • Expanded Responsibilities: Security teams may find themselves with expanded responsibilities related to governance, including policy development, risk assessment, and communication with organizational leaders. They may need to work closely with executive teams to ensure cybersecurity strategies align with business objectives.
  •        
  • Alignment with Risk Management: The governance function emphasizes risk management as a core aspect of cybersecurity. Security teams should focus on integrating risk management practices into their daily operations, ensuring that cybersecurity measures are in line with the organization's risk appetite.
  •        
  • Supply Chain Security: Security teams may be tasked with assessing and mitigating supply chain cybersecurity risks. This involves evaluating the security practices of third-party vendors and implementing measures to enhance supply chain security.
  •        
  • Continuous Improvement: Security teams should actively foster a culture of continuous improvement in cybersecurity practices. They should stay up-to-date with evolving threats and technologies to adapt their strategies accordingly.

Conclusion

The addition of the Governance function in the NIST Cybersecurity Framework 2.0 represents a significant step forward in strengthening cybersecurity practices across all sectors, irrespective of the industry. Organizations should embrace this new function as a means to enhance their cybersecurity posture.

           
  • By aligning cybersecurity with business goals, engaging leadership, and proactively managing risks, businesses can adapt to the evolving threat landscape and protect their valuable assets.
  •        
  • Furthermore, by incorporating the revised guidelines into their best practices, organizations can build a robust cybersecurity framework that safeguards their operations in an increasingly digital world.

As cybersecurity evolves, organizations must remain vigilant and adaptive, recognizing that cybersecurity governance is not a one-time endeavor but an ongoing commitment to protecting their future.

Read more about how VikingCloud can help enhance your organization's security posture here or contact our team for more information.
