Security Team Huddle: Using the Full NIST Cybersecurity Framework for the Win

The National Institute of Standards and Technology’s (NIST) recent decision to include “govern” as a core function of its Cybersecurity Framework (CSF) is much-needed additional guidance for enterprises as they work to establish and maintain strong security postures. According to Gartner, the NIST CSF remains one of the most important structures for organizations looking to achieve information security and risk management success regardless of size, industry vertical, information security, and risk management experience. Therefore, it is essential for organizations to understand how each of the six core functions – identify, protect, detect, respond, recover, and govern – can work together to make a solid foundation for their network security.

The way in which these functions interconnect and work together is very similar to how a professional sports team performs – and overcomes challenges – together as a team on their field of play. Since the National Football League (NFL) season is now underway, let’s use that gridiron sport as our example.

1. Identify: Just as a football team might review footage on their opponents prior to a game to determine strengths and weaknesses, for security teams, the identify function involves understanding the organization’s assets, risks and vulnerabilities. By distinguishing critical assets, potential threats and overall risk appetite, teams can create a foundation for effective security measures. And with this information in hand, teams can make informed decisions about where to allocate resources and effort, in the same way that a football coach might set up an offensive play based on where he knows the competitor has a gap in their defensive line. Having the right asset management, vulnerability scanning and risk assessment tools are integral in helping security teams set the strategy for their security efforts.
2. Protect: In football, one of the most important assets on the field is the quarterback, and protecting that player is a job that falls primarily on the offensive line. The quarterback calls a play based on the information that has been gathered about how the opponent may stop a pass, and simultaneously the line then knows how to maneuver according to the play call and ultimately keep the defense from breaking the line and getting to the quarterback. All this must work in synchrony and without interference to the quarterback’s performance. Similarly, security teams must build on the information gathered during the identification phase to implement safeguards to prevent or and protect against potential threats. Access controls, encryption, training programs, security policies and technologies that can be used to safeguard the system play a key role here. The more a team can protect their most important assets, the more likely they will be successful in reducing the attack surface and minimizing potential damages.
3. Detect: Even with robust protection measures, some attacks might still occur, just as some quarterback sacks may still happen in a game. The detect function involves setting up mechanisms to monitor and identify anomalous activities or possible breaches. Intrusion detection systems (IDS), security incident and event management (SIEM) solutions and ongoing monitoring are important aspects of this phase. If a security team can detect a threat early, they can respond quickly and minimize the impact.
4. Respond: Having a well-defined incident response plan and corresponding procedures in place is key in this phase. Knowing how to contain and mitigate an incident and then effectively communicate with the stakeholders will help the organization return to normal operations more quickly. Think of this function like the team huddle after a failed play on the field. The coach or quarterback provides a quick analysis of what happened in the previous play and gives direction on what to do next to ensure the best offensive or defensive actions take place for a successful down.    
5. Recover: After the huddle, the players must bounce back quickly and get into position to be ready for the next play. Likewise, the “recover” function for an organization involves minimizing downtime and restoring systems and operations quickly after a security incident while also making sure that the vulnerabilities that led to the incident are addressed. Having the right backup and recovery solutions as well as cloud and virtual recovery tools is crucial at this stage.
6. Govern: The newest function in the NIST CSF but perhaps one of the most important, “govern” provides an overarching framework that guides and supports all of the functions. On a football team, this is where the coaching staff gets the most involved. Though they may not be in uniform and lined up on the field, the role that coaches play in providing direction and oversight from the knowledge they have gathered in all the previous functions turns into the strategy that they can set for the team. The ultimate goal – or business objective – being a W. For security teams, governance necessitates establishing policies and procedures to make sure that cybersecurity efforts align with business objectives. Governance is also key in helping to show proof that your infrastructure is adhering to your policy at any given point in time and on an ongoing basis. In this way, security teams have a way of measuring how the overall system is operating and be able to report on the efficacy of all of the tools that are in place when an audit happens.

Just as a professional football team needs coordination, strategy and adaptability to secure a win on the field, a well-rounded cybersecurity strategy must address specific challenges and threats. This can happen if all six functions of the NIST CSF are integrated and work together alongside continuous assessment procedures as well as collaboration among different teams within an organization – from IT to legal to the executive team – to achieve a truly holistic and effective cybersecurity approach.