UPDATE TO THIS POST: NIST Maps FAIR to the NIST CSF, Major Recognition of the Power of Cyber Risk Quantification
Benefits and limitations of using NIST CSF for Board Reports
Many organizations have benefited from the adoption of the NIST Cybersecurity Framework (CSF) to improve the reporting on the maturity of their cyber risk management activities. The list of best practices outlined by the NIST CSF and the related scoring mechanism have proven to be both comprehensive and practical for most users. The typical reports display current maturity scores (on scales such as 1-5) for dozens of risk management activities as well as the target score improvements, based on planned risk mitigations.
The missing element in fulfilling the CSF's promise to "cost-effectively manage cybersecurity risk" is the economic dimension of those assessment reports. After all, financially framed reporting is the most common and most easily understood way of communicating with boards and executive management. Relying on ordinal scales alone does not let organizations quantify the financial impact (the actual risk) of operating below the stated best-practice maturity, nor does it allow candidate risk mitigation initiatives to be prioritized by business impact.
Adding the economic dimension to your reporting
Using a standard analytical risk model such as FAIR on top of the NIST CSF removes that limitation: it helps organizations improve their reporting on cybersecurity risk and enables cost-effective decision-making. The FAIR Institute recently announced a collaboration between NIST and the FAIR Institute that led to the publication of a blog series on NIST CSF & FAIR outlining their joint value proposition. The bottom line is that:
Example of cost-benefit analysis reporting
The 'holy grail' of business-aligned reporting
Demetrios Lazarikos, a CISO, Infosec thought leader and board member of the FAIR Institute, shares that, “The job of the cyber risk professional is to contextualize the risks that are most relevant to the business. The holy grail is getting to a risk measurement for the business that can be quantified in dollars, which can then be considered against proposed security spend to manage risk. The combined use of the NIST CSF and FAIR standards finally enables organizations to manage cybersecurity risk from the business perspective.”
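What the dollar-denominated view described above looks like in practice, as an added illustration that is not code from RiskLens or the FAIR Institute: one CSF subcategory is assessed at its current maturity and at its target maturity, each expressed as FAIR's two top-level factors, loss event frequency (LEF) and loss magnitude (LM), and the simulated reduction in annualized loss exposure is set against the annual cost of the planned mitigation. The (min, most likely, max) estimates and the control cost are constructed sample values, and triangular sampling stands in for the PERT curves FAIR tooling typically uses.

```python
import random
from statistics import mean

# Constructed calibrated estimates for one CSF subcategory: (min, most likely, max).
# "current" reflects today's maturity score; "target" reflects the score after the
# planned mitigation. Only frequency changes here; magnitude per event is unchanged.
SCENARIOS = {
    "current": {"lef": (0.5, 2.0, 6.0), "lm": (50_000, 250_000, 2_000_000)},
    "target": {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 250_000, 2_000_000)},
}
ANNUAL_CONTROL_COST = 300_000  # constructed: yearly cost of reaching the target score


def simulate_ale(lef, lm, trials=20_000, seed=1):
    """Return per-trial annualized loss samples (LEF x LM), FAIR's top-level product.
    Triangular sampling is an assumption standing in for PERT; seed keeps it repeatable."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        freq = rng.triangular(lef[0], lef[2], lef[1])  # args: low, high, mode
        magnitude = rng.triangular(lm[0], lm[2], lm[1])
        samples.append(freq * magnitude)
    return samples


def summarize(samples):
    """Percentiles and mean: the figures a board slide would carry instead of a 1-5 score."""
    s = sorted(samples)
    n = len(s)
    return {"p10": s[int(0.1 * n)], "p50": s[int(0.5 * n)], "p90": s[int(0.9 * n)], "mean": mean(s)}


def cost_benefit(current, target, annual_control_cost):
    """Compare expected risk reduction with what the mitigation costs each year."""
    reduction = current["mean"] - target["mean"]
    return {
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
        "benefit_cost_ratio": reduction / annual_control_cost,
    }


def build_report(scenarios=SCENARIOS, control_cost=ANNUAL_CONTROL_COST):
    summaries = {name: summarize(simulate_ale(v["lef"], v["lm"])) for name, v in scenarios.items()}
    summaries["decision"] = cost_benefit(summaries["current"], summaries["target"], control_cost)
    return summaries


if __name__ == "__main__":
    for section, values in build_report().items():
        print(section, {k: f"${v:,.0f}" for k, v in values.items()})
```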
Acting on it
RiskLens supports both standards and can help organizations implement that joint value proposition today. Discover how you can gain and maintain a seat at the business table by speaking the language of the business.