After nearly a decade, NIST’s flagship Cybersecurity Framework (CSF) is getting a long overdue makeover for the 2020s internet.
The inventively named CSF 2.0 is currently released for public comment (at the time of writing) and incorporates over a year’s worth of community feedback.
One of the most fundamental and welcome changes is to the scope of the guidance. It’s no longer a framework intended chiefly for those who work within the US’s critical infrastructure – the powers that be have realised that every organisation has to deal with cybersecurity risks. (Took ‘em this long, huh?)
The CSF 2.0’s guidance all looks very promising. It has largely been welcomed by the cybersecurity community, and upon looking through the documentation myself, the guidance generally makes a lot of cyber and business sense.
However, in my view, the proposed changes are highly likely to affect cybersecurity staffing, especially when it comes to risk and leadership.
Sadly, at the time of writing, CSF 2.0’s implementation is still a little uncertain: the draft is still open for discussion, and its release date is given merely as “2024”.
So let’s try to extract a little certainty from what we already know. Let’s consult our cybersecurity talent crystal ball and explore how these changes might affect cybersecurity talent and staffing in 2024 and beyond.
The original CSF was released in 2014 as a result of President Obama’s Executive Order 13636, and is a cyber security and risk management framework intended to protect US government and critical infrastructure organisations, and those they contract with.
The framework got an update in 2018, bringing the guidance up to CSF version 1.1, but it is now being substantially overhauled under the Biden Administration to reflect the changing cyber threat landscape of the 2020s. Its focus is changing too: the original CSF was intended to be followed by organisations relevant to critical infrastructure, whereas CSF 2.0 is intended for organisations and businesses of all sizes, types, and industries.
Complying with the framework is mandatory for organisations that contract with or otherwise supply the US Government, or that play a part in the US’s critical infrastructure. It is voluntary for all other organisations.
CSF 1.0 established five main pillars (the framework’s core “Functions”) that prop up an effective cybersecurity programme: Identify, Protect, Detect, Respond, and Recover.
All high priority functions for any organisation’s cybersecurity function, I think you’ll agree. All five of these pillars have had a bit of a facelift in version 2.0 to accommodate the threats of the modern web. Yet CSF 2.0 has also installed a central supporting structure that connects all of these pillars – “Governance”. It’s a crucial new addition that influences all of the previous pillars and cements the need for LGRC (legal, governance, risk management, and compliance) to sit at the centre of the cybersecurity programme.
The broad strokes of CSF 2.0’s guidance have been largely well received by security practitioners (with some caveats), and make a lot of good cyber sense, as did its predecessors.
However, when you gaze past the crystal ball’s shiny surface, you realise that this update brings with it new work that may need to be done, changes that may need to be made, and even some hurdles in the path if you want to become – or remain – compliant.
There are plenty of guides out there discussing the technical ins and outs of the new guidance, but what about the human, talent-related impacts of NIST CSF 2.0? Let us gaze upon the orb and explore.
Thankfully, many companies are on board with the level of risk that cybercrime presents, and broadening CSF’s scope to cover all organisations is largely seen as a welcome move. This change lends even more legitimacy – if any were needed – to the point that cyber attacks can hit organisations of all sizes.
However, there are still some cybersecurity-doubters out there: usually non-tech leaders (often ones who hold the purse strings, annoyingly) who are frustrated with how much of a cost centre cybersecurity functions can be, and perhaps suffer a little from the “it’ll never happen to us” mindset.
This new guidance makes no bones about the fact that all organisations can suffer from cyber attacks and that we should all remain vigilant, regardless of size, sector or finances. Hopefully – for their own sake – this updated guidance will spur these cyber-resistant companies into action.
This may naturally lead to an increase in open cybersecurity positions up and down the chain of command as companies start to focus more heavily on cyber as a result of CSF 2.0.
The original CSF 1.0 focused on the five pillars listed above, but its sequel adds the extra element of governance. In short, this blends the crucial concepts of risk management and governance of the security function into NIST’s flagship guidance.
This understandably leads to the prospect of more energy, focus, and budget going towards risk management, legal, and governance, potentially resulting in more jobs in the sector. For some organisations this may require a bit of an org chart reshuffle in order to strengthen working relationships between the security techies and those in LGRC functions.
However, we can’t talk about an increase in skilled cybersecurity roles in entirely positive terms. There is still a very active cybersecurity skills shortage affecting nations the world over. Realising a need for fresh cyber talent is great, but might this renewed focus make the US’s own information security skills shortage even more acute?
Our crystal ball is getting a little hazy on this one, but it will be interesting to observe what impact the finished version of CSF 2.0 will have on staffing and demand.
Given that the new guidance may result in increased engagement between tech and risk/legal teams, we can’t help but wonder – will the usual CISO reporting lines move away from the CIO/CTO and more towards CRO/CLO?
Personally, I would see this as a welcome change. As I previously explored in my article about CISO reporting lines, on the face of it, you’d think that a CISO and CIO/CTO pairing was the ideal. However, as stated in that article:
“CIOs and CTOs are there to propel a business forward through technology – grabbing the latest tech by the horns and using it to help improve the company in myriad different ways. The CISO’s job is to err on the side of caution, investigating all of the potential risks before signing off on significant tech changes.”
And in the guidance’s own terms: “[CSF 2.0] emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.”
In short, the CTO (and sometimes CIO) is there to maximise the organisation’s strategic approach to new technology. However, the CISO is there to maximise security – enabling business by consciously balancing risk and return throughout the IT estate. In my view, this makes the CISO’s focus better aligned with Chief Risk or Legal Officers.
Alternatively, it could lead to the CISO cosying up to the CFO. This is another dream pairing in our view as it will encourage financial decisions that are more informed by information security.
Read the Full Article Here: The C-Suite Jigsaw Puzzle: Does It Really Matter Who CISOs Report To?
But let’s discuss the CISO placement that I feel is the ultimate ideal: where the CISO doesn’t just report to the board – they’re on the board. I think the changes that CSF 2.0 presents to the executive committee lend more legitimacy to the argument of having a CISO on level pegging with the likes of the other Chief Something Officers.
I’m cautiously optimistic that CSF 2.0 could spell the dawn of the board-dwelling CISO. If so, then it can’t come too soon.
This renewed focus on the relationship between cyber security and LGRC teams may result in more well-defined responsibilities within and between the two functions.
For example, in areas where the two functions overlap, hiring managers will sometimes go looking for one cross-departmental role that should really be two roles working closely together. To be honest, it’s something we see a lot. We wonder: will CSF 2.0 help organisations better define their understanding of who is needed where? Will the updated guidance help establish a structure that allows companies to define their roles more clearly? If so, then we can only see that as a good thing.
One negative point that a lot of practitioners are reporting is that CSF 2.0 appears quite rigid and prescriptive. Even one of our own sources jokes that “The NIST approach is: ‘Under these specific circumstances, thou shalt flip switch #14,327 in this manner.’”
Understandably, if the final framework ends up being quite this granularly prescriptive, organisations may require more ground troops – within both risk and cyber – to make sure that each of these individual rules is followed.
Lawfare Media also points out that “Unfortunately, the framework’s high-level guidance is too general to be implemented, and its ‘implementation guidance’ is too technical to be of practical use to most organizations absent expert help.” This may be a rallying cry to those amongst the ranks of that “expert help”, letting them know that they will be in high demand – and potentially quite soon.
NIST itself pushes back on the “prescriptive” label in the framework’s own text: “The Framework does not prescribe how outcomes should be achieved. Rather, it maps to resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.”
Additionally, the current CSF 2.0 Discussion Draft provides numerous implementation examples, showing that there is more than one way to comply. Personally, looking at the discussion draft, much of it does seem granular, but I wouldn’t necessarily call it prescriptive. Admittedly, though, I’m not a cybersecurity practitioner!
For some organisations, especially ones with a less mature security posture, a spot of prescriptive guidance isn’t always a bad thing. Alongside every “subcategory” of action to be taken within the CSF 2.0 Discussion Draft there are one or more Implementation Examples that provide actionable guidance as to how to implement that particular action point.
This is a great move as it helps to illustrate how achievable CSF would be for an organisation. This will likely be the litmus test: will an organisation feel like they can handle compliance in-house? Or would they need help from an external party? Either way, demand for cyber practitioner roles both in-house and at MSP/MSSP-type external support companies may increase.
Well, that’s all from the ball! In our view, CSF 2.0 is going to keep us all safer in the long run. We foresee that, by and large, the new and improved CSF 2.0 is a great opportunity for those in cybersecurity, though how exactly it shakes out in implementation – and how it bears on the very current skills shortage – remains to be seen.