Demystifying NIST – Part 3 – The Future
In the field, I hear two questions about the NIST framework again and again: is it really more effective than other standards, and is it designed to protect against future threats? The answer to both is "yes."
How do other current standards fail to address the data security landscape, and how is the NIST framework positioned to address it?
The framework is intended to be the focal point of future standards and industry best practices. The main difference is that it draws pieces of other standards together into a common language that businesses can unite under. This lets organizations use business drivers to guide their security activities.
For a long time, standards pitched a siloed way of thinking about security and the associated controls. The framework replaces that with a functional approach, organized around the five Functions it rests upon: Identify, Protect, Detect, Respond and Recover. These five Functions move us away from the checklist-oriented approach of discussing and implementing security controls one at a time. They also transition security programs from reactive to strategy-oriented, which means security becomes an ongoing journey and not a "one and done" initiative. Underlying all of this is the idea that security is everyone's issue, and the framework gives everyone an opportunity to be part of the solution, in contrast with the model of many standards, which centers accountability on a few groups with little to no executive buy-in.
Q. Does the framework only address the here and now, rather than the next generation of attacks?
I believe the framework is scalable and provides a methodology for dealing with today's threats and tomorrow's challenges. Instead of standards or risk identifications that lead to remediation actions required only for the period of assessment, which is very tactical and reactive in nature, the framework is built on a strategic continuous-improvement model. We all must make this shift in mindset to become more secure.