Jack Jones, the creator of FAIR, just finished putting together a fantastic five-part blog post series comparing and contrasting NIST CSF and FAIR. My post here is meant to provide a bit of a teaser to all of the insight and edification Jack imparts throughout his blog post series. I eagerly encourage you to take deeper dive into the subject once you’re finished here:
- NIST CSF & FAIR Part 1
- NIST CSF & FAIR Part 2
- NIST CSF & FAIR Part 3
- NIST CSF & FAIR Part 4
- NIST CSF & FAIR Part 5
The series started off with the basic question: “How is FAIR different from (or better than) a framework like NIST CSF?” As you read the series, it boils down to understanding what the NIST CSF is, what it is not, as well as some of its inherent short falls that can be improved over time and complemented by analytic frameworks like FAIR.
Limitations of NIST CSF
For anyone who is new to NIST CSF, or checklist based frameworks overall, it’s important to understand what the framework does and does not provide, starting first with some of it’s most glaring limitations:
- Lacks an analytic foundation: With no outline of how elements are related, or how one component is dependent upon another, the NIST CSF cannot help organizations understand which missing or less mature component is more important to reducing the overall risk of the organization. This factor is essential when trying to answer the question, “what’s to be gained, or lost, from moving up or down the maturity tiers?”
- Unable to benchmark: There is a little known expectation that each organization build their own "profiles" from the NIST CSF sub-categories (e.g. the elements that are measured), which ultimately makes it impossible to perform benchmarking between industries, or even organization's within the same industry.
With that said, the NIST CSF does have a few endearing qualities when it comes to checklist based frameworks, such as limiting it’s sub categories (the elements that are “measured”) to below 100. This cannot be understated as there are significant diminishing returns from asking more and more questions; a fact that many other frameworks seemingly forget.
Different yet Complementary
So you may be asking yourself, how do you tie NIST CSF and FAIR together? Well to do that, it’s first important to understand what each framework provides.
- The NIST CSF is a checklist based framework that outlines a series of information security related “good practices”. The goal of many organizations that use the NIST CSF is to design their information technology environment to meet those good practices. Yet, as most seasoned information security personnel know, rarely, if ever, is the organization ever 100% compliant. So the question boils down to, during those periods of variance, how much risk does the organization have? Unfortunately, checklist based frameworks, like NIST CSF, are not designed to measure risk.
- This is where FAIR comes into play. In Jack's words, “FAIR is an analytic model that enables an organization to evaluate and measure the significance of gaps or the sufficiency of compliance so that it can make well-informed choices about where to apply its limited resources.”
As part of Jack’s 4th blog post, he outlines for us how we can utilize FAIR where the NIST CSF leaves off:
- Through the implementation of NIST, organizations can identify deficiencies in their environment
- Organizations can then measure how much risk these deficiencies represent in dollars and cents utilizing FAIR
- Lastly, organizations can measure the reduction of risk by implementing additional controls
For organizations that have access to the RiskLens platform, they can go ahead and use both frameworks as Jack has outlined them in one great platform. For those that don’t, schedule a demo today.