By walking the fine line between nitty-gritty technical discussions and high-level conceptual models, Cybersecurity Risk Management: Mastering the Fundamentals using the NIST Cybersecurity Framework should leave its readers with a new way of thinking about cybersecurity risk management. I hope that it also gives them the confidence to dive deeper into the growing number of cybersecurity disciplines that make up the cybersecurity field.
Barbara Endicott-Popovsky, Ph.D., CRISC
Executive Director, Center for Information Assurance and Cybersecurity
Professor, University of Washington
November 2021
Acknowledgments
This book is the culmination of at least eight years of research on how organizations can better position themselves to manage cybersecurity risk. My work on the material in this book began in 2013 when CSO Online commissioned me to document the development of what is now known as the NIST Cybersecurity Framework.
To accomplish this documentation, I attended all six of the workshops that led to the Framework’s release in 2014, flying to universities around the country and talking to the world’s leading cybersecurity experts for my CSO reports. A trade association also hired me to help industry executives understand cybersecurity. This client subsequently hired me to develop a series of courses to help train their workforce, particularly their non-cybersecurity technical personnel, in the best risk management practices using the NIST Cybersecurity Framework as a guide. (And I’m grateful that I was able to retain the rights to most of my work for this client.)
I’ve based the content of this book on the many discussions I have had with experts who have graciously given me their time over the years to explain how they manage risks in their organizations. Thanks to the following individuals in particular, whose skill and guidance helped bring many of the NIST concepts, so often abstract and high-level, down to earth and understandable to non-cybersecurity tech workers:
Paul Anderson, Director of Corporate Information Services, Hubbard Broadcasting,
Howard Price, formerly CBCP/MBCI, Senior Manager, Business Continuity Planning Corporate Risk Management, The Walt Disney Company,
Dan Ryan, formerly Vice President, Information Technology, Nexstar Broadcasting, Inc.; now Head of Information Technology at Standard Media Group LLC,
Eric Winter, Vice President of Investigations and Technical Risk, Cox Enterprises,
Mike Kelley, Vice President, Chief Information Security Officer, The E.W. Scripps Company,
Jim Davis, formerly Director, Infrastructure & Service Delivery, Cox Media Group,
Michael Funk, Director of Information Technology, Quincy Media, Inc., and
Eric Neel, Director Information Technology Infrastructure, Hubbard Broadcasting
I owe a huge debt of gratitude to Wayne Pecena of Texas A&M University for his expert review of most of the written material in this book. Thanks, Wayne, for your kind, wise and knowledgeable input into the book, particularly your sage advice to small organizations.
I’m incredibly grateful to the other cybersecurity experts who lent their experience to the Voices of Experience commentary throughout the book, including Patrick Miller, Lesley Carhart, Jason Boswell, and Casey Ellis. Your generosity will help your peers and other IT professionals to make their organizations more secure.
Finally, thanks to the countless other cybersecurity experts who I have interviewed over the years. Your contributions to helping people understand how to apply complex risk management concepts in the real world are invaluable contributions to the field. Without you, this book would not be possible.
Cynthia Brumfield
May 2021
I would first thank Cynthia for bringing me into this project. My hope has always been to see the NIST Cybersecurity Framework adopted by any organization looking to better their security posture on a well-established national standard. This book will allow that to happen. I would also like to thank those CISOs that lent their Voices of Experience to bring out their practitioners’ views: Omer Singer, Bill Roberts, Joe Klein, Helen Patton, Sounil Yu, Gary Hayslip, Mike Waters, and Eric Hussey. Lastly, thank you to my wife Kim and daughter Juli for all your support with everything we do.
Brian Haugli
May 2021
Preface – Overview of the NIST Framework
The National Institute of Standards and Technology (NIST), located in Gaithersburg, MD, is a US Department of Commerce division. It is assigned the job of promoting innovation and industrial competitiveness. It is a research organization filled with some of the world’s leading scientists and has produced many Nobel Prize winners.
NIST has a wide-ranging mandate: develop federal patents, oversee over 1,300 Standard Reference Materials, run a scientific laboratory in Boulder, CO, and pursue innovation in encryption technologies, among other significant efforts. NIST is primarily a scientific and engineering organization and, as such, produces patents, technical breakthroughs, documentation, and recommendations through extensive consultation with experts in various areas. This scientific consensus approach often has impressive results that can be difficult for non-specialists to understand or apply.
The NIST Cybersecurity Framework resulted from an intensive one-year effort to synthesize cybersecurity experts’ best thinking into a single “framework of frameworks” that can assure superior risk management. It’s well-understood in the cybersecurity field that risks are constant and that the best approach to organizational cybersecurity is to manage those risks because no one can eliminate them.
The NIST Framework attempts to incorporate all the best various risk management and remediation practices into one coherent whole, an ambitious goal in the complex cybersecurity field. It is a multi-layered, spoke-and-wheel collection of ideas grouped along logical lines.
The Framework is conceptual and not technical, making it a challenge for many organizations to apply in the real world. It doesn’t help that NIST specifically avoided any technical recommendations when developing the Framework. NIST instead chose to map its recommendations to a host of standards, or informative references, designed in-house and at other standards-setting bodies.
Despite its growing use among leading corporations, government offices, and non-profit organizations in the United States and worldwide, many non-cybersecurity professionals, and even some cybersecurity specialists, struggle with the practical application of the NIST Framework.
The following summary provides a broad overview of what the Framework is and how it’s structured. Keep in mind that the rest of the book focuses on the much-needed practical guidance on applying the NIST Framework, which we hope even non-cybersecurity professionals will grasp and find useful.
BACKGROUND ON THE FRAMEWORK
In the face of growing concerns over the prospect of a devastating cyberattack on US critical infrastructure, President Barack Obama issued on February 12, 2013, Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity.”1 The EO aimed to create a “partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.” To achieve that objective, the EO mandated that NIST develop within one year “a voluntary risk-based Cybersecurity Framework, a set of industry standards and best practices to help organizations manage cybersecurity risks.”
To hammer out the Framework, NIST hosted five workshops at multiple universities involving thousands of