Adding Dollars and Cents to Your NIST CSF Reporting

October 4, 2019  Nicola (Nick) Sanna

UPDATE TO THIS POST: NIST Maps FAIR to the NIST CSF, Major Recognition of the Power of Cyber Risk Quantification

Benefits and limitations of using NIST CSF for Board Reports

Many organizations have benefited from the adoption of the NIST Cybersecurity Framework (CSF) to improve the reporting on the maturity of their cyber risk management activities. The list of best practices outlined by the NIST CSF and the related scoring mechanism have proven to be both comprehensive and practical for most users. The typical reports display current maturity scores (on scales such as 1-5) for dozens of risk management activities as well as the target score improvements, based on planned risk mitigations.

Example of NIST CSF reporting

The missing element to fulfill CSF’s promise to “cost-effectively manage cybersecurity risk” is the economic dimension of those assessment reports. After all, financially driven reporting is the most common and easy-to-understand method of communicating to boards and executive management. Relying on ordinal scales alone does not allow organizations to quantify the financial impact (the actual risk) of maturity that falls short of stated best practices. Nor does it allow them to prioritize possible risk mitigation initiatives based on business impact.

Adding the economic dimension to your reporting

The combined use of a standard analytical risk model such as FAIR on top of NIST CSF removes that limitation and can help organizations improve the reporting on cybersecurity risk and enable cost-effective decision-making. The FAIR Institute recently announced the collaboration between NIST and the FAIR Institute that led to the publication of a blog series on NIST CSF & FAIR outlining their joint value proposition. The bottom line is that:

  • NIST CSF provides a good list of best cybersecurity practices (activities) and a qualitative framework for measuring an organization's level of compliance with those best practices.
  • FAIR adds an economic dimension to NIST CSF assessments by quantifying cybersecurity risk in financial terms, dollars and cents.
  • The combination of both standards enables organizations to:
    1. assess where the biggest loss exposures are;
    2. conduct cost-benefit analyses for initiatives that improve risk activities;
    3. prioritize risk mitigation initiatives based on business impact.

Example of report ranking risk management deficiencies by average loss exposure

Example of cost-benefit analysis reporting

The 'holy grail' of business-aligned reporting

Demetrios Lazarikos, a CISO, Infosec thought leader and board member of the FAIR Institute, shares that, “The job of the cyber risk professional is to contextualize the risks that are most relevant to the business. The holy grail is getting to a risk measurement for the business that can be quantified in dollars, which can then be considered against proposed security spend to manage risk. The combined use of the NIST CSF and FAIR standards finally enables organizations to manage cybersecurity risk from the business perspective.”

Acting on it

RiskLens supports both standards and can help organizations implement that joint value proposition today. Discover how you can gain and maintain a seat at the business table by speaking the language of the business.