Regulatory compliance is not enough to manage risks, especially cyber risk.

A growing number of organizations have begun implementing cybersecurity software in hopes of strengthening internal controls and information security programs beyond regulatory requirements, such as Sarbanes-Oxley (SOX). This push for more maturity and readiness is the result of several factors, including recent data breaches, pressure for higher levels of data accountability, security and privacy, and the tools available to help organizations in cybersecurity preparedness.

Among the accelerators is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework or CSF). While NIST standards, frameworks, and best practices have been primarily adopted by federal and state governments, both private and public organizations have begun using it as a baseline to develop, implement or expand their cybersecurity programs.

This article will take a look at four initiatives that can help organizations adopt the NIST Cybersecurity Framework and ultimately protect information technology (IT) infrastructure and sensitive assets beyond the basic, defined regulatory requirements.

High-Level Benefits: What to gain by adopting the NIST Cybersecurity Framework?

The NIST CSF is focused on building cyber resiliency, shifting an organization’s stance toward cyber attacks from reactive to a prepared state. It is not a standard or a rigid regulation like SOX, but can be tailored in different ways, regardless of the level of adoption or customization. There are several benefits for organizations that successfully adopt NIST CSF, including:

  • Helps establish a consistent methodology, taxonomy and approach regarding risk management, from the executive to the operational level
  • Defines an organization’s risk-tolerance and target state for cybersecurity
  • Provides executives with necessary data points to prioritize cybersecurity initiatives and investments
  • Provides processes for continuous improvement and program assessment to reach target state
  • Redefines the governance structure of teams in charge of cybersecurity to a more inclusive model, involving other business units and stakeholders

Getting Started: How can my organization facilitate adoption of the NIST Cybersecurity Framework?

Organizations planning to or currently adopting NIST CSF often ask a very simple question: What steps does my organization have to take to successfully adopt NIST CSF?

The effort of implementing NIST CSF may vary greatly between organizations, depending on their size, complexity, maturity level, and the risk appetite. According to NIST, compliance with (or adoption of) CSF can be confusing and mean different things to different stakeholders. With this in mind, the following are four (4) essential initiatives to help organizations to successfully adopt NIST CSF.

Must-Have #1: Classify the data handled by your organization

A common misstep for organizations is to implement safeguards around sensitive data without having adequately classified the data. This could result in inadequate, insufficient, or unnecessary controls, or worst, not knowing what data actually requires safeguards. Below are the types of questions that your organization should be able to answer in order to have a data classification policy and process. Otherwise there may be a higher risk of exposure when it comes to protecting sensitive data.

  • What types of data does the organization handle, store, process, and/or transfer?
  • What volume of each data type does the organization handle (both received and generated)?
  • What regulatory requirements apply to each data type?
  • What safeguards do we currently have in place for sensitive data?
  • Who owns each data type, including internal and external owners?
  • Who has access to each data type?
  • Where does each data type reside within my organization; where does it come from and what are the outputs (both hardcopy and electronically)?

It is essential for an organization that strives to have a mature cybersecurity function to adequately classify data handled across business and information technology (IT) processes. There are many approaches to data classification; however, the main objective is to create awareness and a path for data owners and users to comply with safeguards adopted by your organization.

A practical approach to classifying data

5 steps to classifying data

1. Information gathering. To understand what types of data executives and process owners manage on a day-to-day basis, cybersecurity professionals must engage these individuals about where the data is coming from, and what are the outputs. A great way to do this is via online surveys, which should be customized to your organization and for the specific team providing the information.

2. Data analysis. Once surveys are completed, data must be studied, follow-ups conducted, and normalized outputs prepared. Data visualization tools are a great way to dissect data in a way that is easy to understand by the different stakeholders.

3. Facilitated sessions. With the data analysis in-hand, cybersecurity teams should validate findings, gaps, and potential risks with the executive leadership team and data owners. This dialogue helps create a higher level of awareness and helps refine the understanding of the current environment and potential risks.

4. Develop classification schema, policy, and process. Assess the different classification schemas and define your own; it is recommendable to have at least three (3) classification levels. This will have a great impact on resources needed, complexity of the environment, and safeguards investment for each data classification.

5. Socialize classification schema with key stakeholders. As a final but crucial step, circle back with all stakeholders to gather final pieces of feedback on the environment, the actual policy, and the process that will be used to classify the data. Many times, stakeholders offer significant feedback once they see the final product.

If an organization is to be successful in engaging users, the entire population should be trained not only on the data classification policy and processes but also on the significance and value realized by the organization.

Must-Have #2: Conduct cybersecurity/risk assessment

For organizations trying to reach a higher level of cybersecurity readiness, they must first assess their current cybersecurity practices to identify gaps and weaknesses; this will enable them to understand exposure and risk levels. Performing an assessment 1) improves awareness throughout the organization, 2) enables leadership to manage current risks, gaps, and weaknesses, 3) identifies people, processes, and technologies currently available, 4) provides visibility of the performance of the cybersecurity and risk management functions, and 5) sheds light on critical data points to create a roadmap and reach target maturity levels.

The frequency with which cyber risk assessments are performed also has an impact on the breadth and depth of these assessments. For instance, organizations that perform cyber risk assessments more frequently may find that repetition enables their assessors to gain a better understanding of the organization’s security functions allowing them to expand the scope or target of the assessments. The main components to perform a cybersecurity assessment may vary based on a number of factors, but the following showcases the basics to cover during an assessment:

  • Define a baseline. While there are extensive frameworks available that can be used as a baseline to assess cyber or information security maturity, a good practice is to define the high watermark for each security category. This can be achieved by mapping the standards, frameworks, and regulatory requirements applicable to your environment and defining the highest level of maturity that makes sense based on the data sensitivity, resources available, and regulatory requirements. Following the NIST CSF categories might be a good starting point but it is not a must.

  • Identify stakeholders. Assessment results are only as good as the input into the process. It is extremely important to identify the proper stakeholders to bring into the discussions during the assessment. Involving only executives may result in a “should-be” state as opposed to current practices, while involving staff that is too junior might result in inaccurate, incomplete or irrelevant data.

  • Submit information requests. Assessments are more dynamic in nature than audits and documentation gathering is typically less onerous. Gaining an understanding and gathering data, including documentation, can be achieved by issuing a survey-type request. Once results are back and analyzed, holding a facilitated session to validate information and findings together with stakeholders is essential to make sure no details were misunderstood or left out.

  • Define gaps and desired remedial actions. Upon validation of the assessment results, the cybersecurity team should work on the refinement of the actual gaps, associated risks, remedial actions, and overall desired cybersecurity outcome. Then stakeholders must confirm remedial actions are in-line with business needs, requirements, and that these results are fed into the overall cybersecurity plan.

Must-Have #3: Establish the desired target state

Organizations with a mature cybersecurity program typically have a desired future state clearly defined and in alignment with business requirements, initiatives, and risk appetite. In fact, NIST CSF states the definition of a profile (or target state) should be determined during implementation of the framework. The definition of a target state not only is a necessity for the adoption of NIST CSF, but it also specifies the identification, analysis, and prioritization of gaps to be addressed between current and future state. In addition, a desired target state:

  • Accelerates the creation of a NIST CSF implementation roadmap by providing a holistic picture of the cybersecurity desired outcomes
  • Monitors the progress made regarding achieving cybersecurity objectives
  • Assists with the definition of resources needed to address gaps, including providing critical data for a cost-effective, targeted cybersecurity plan

The definition of a target state should not be cumbersome once the organization has assessed its current state and defined remedial actions. A common approach is to map assessment results to a metric for each category of controls, per NIST CSF. For instance, the target state could be to close the gap between personnel trained on cybersecurity awareness (80%) and the desired result (100%).

Must-Have #4: Define governance structure

Traditionally, executive leadership and corporate boards looked at cybersecurity merely from a metrics and compliance perspective; however, in recent times boards have broadened their understanding of how cyber risks pose a threat to their businesses. With this change of perspective, executives are now taking a more active role in the establishment of safeguards, including instituting cyber security functions with new governance bodies.

By implementing a robust governance structure, organizations can:

  • set the right tone-at-the-top and allow it to permeate to department leads
  • ensure data security and privacy obligations are met (whether regulatory or not)
  • enable executive leadership to monitor cybersecurity roadmap progression and achievements
  • provide a holistic view of risks throughout different business functions to make sure they are in alignment with strategic objectives

A strong cybersecurity governing body is inclusive of key functions of the organization and not only the departments that have a direct responsibility for safeguarding of sensitive data. Organizations of all sizes are in need of establishing a governance structure that aligns with their environment. Companies should consider creating cybersecurity leads and organizations beyond a few internal subject matter experts. Typically, this should be led by a C-level position (e.g., Chief Information Security Officer) with a team to support its operations. This position is in charge of policy, process, and standards development, as well as providing subject matter guidance. Smaller organizations may benefit from a hybrid approach in which staff from other departments, such as IT, may play a hybrid role between their original function and the newly created cybersecurity function.

Companies should also consider establishing cybersecurity committees. The committees are typically tasked with the strategy definition and to provide overall guidance for the program. They can be broken down by subject matter such as policy development, technology, regulatory and compliance, and privacy. Each employee, department lead, executive, and corporate board member should gain a universal understanding of cyber security regardless of the business function.


Organizations that decide to adopt the NIST Cybersecurity Framework can ultimately help protect information technology infrastructure and data assets beyond the safeguards offered by merely complying with regulatory requirements. By performing the initiatives outlined, your Information Security or Risk Officer can set your organization up for a successful adoption of the the NIST CSF.

AuditBoard can help. Our platform can help you manage your cyber and information security frameworks, compliance processes, including the NIST CSF, and audit program.

Learn how AuditBoard’s integrated suite of easy-to-use audit, SOX, risk management, and compliance solutions can empower your team.

Sam Arias
About the author: Sam Arias is a Director of Product Solutions at AuditBoard and an experienced cybersecurity professional with over fourteen years of experience. Sam is skilled in helping organizations strengthen their security processes and practices and advises on using technology to manage these risks.