What industry leaders need to know about the NIST Cybersecurity Framework 2.0

In our digital age, keeping our systems safe is key to ensuring public safety and the smooth running of our society. Recent cyberattacks by groups like Volt Typhoon, backed by China, have shown how these attacks can have widespread effect—especially on organizations that maintain critical infrastructure, house sensitive data, or provide critical services. These attacks, along with a 50% increase in ransomware attacks in the industrial sector in 2023, stress the need for strong cybersecurity measures.

The NIST 2.0 updates address critical challenges in governance and supply chain

The National Institute of Standards and Technology (NIST) made significant updates to its Cybersecurity Framework (CSF) on February 26, 2024. These changes, especially in governance and supply chain security, are big steps forward from the 2018 version. They tackle long-standing issues by promoting better decision-making, clear communication, and proactive risk management. 

There were two notable changes in the NIST CSF 2.0:

1. Introduction of the Govern function: The most notable modification in the CSF is the introduction of a new function named "Govern," making it the sixth function that complements the existing five: Identify, Protect, Detect, Respond, and Recover. This addition is designed to better integrate cybersecurity risk management within the broader scope of enterprise risk management efforts. The Govern function outlines specific "outcomes" or objectives that guide organizations in enhancing and prioritizing their cybersecurity measures across the other functions.
2. Enhanced focus on supply chain risk management: The CSF 2.0 version places a stronger emphasis on managing supply chain risks by incorporating and building upon the supply chain risk management principles from CSF 1.1, primarily under the new Govern function. Recognizing the intricate and interconnected nature of supply chains, the framework stresses the importance of a comprehensive approach to cybersecurity supply chain risk management (C-SCRM).
   
   This approach involves a systematic method to address cybersecurity risks throughout the supply chain, establishing effective response strategies, policies, processes, and procedures. The inclusion of supply chain management within the Govern function aims to address complex cybersecurity challenges more effectively by promoting higher-level oversight and management.

West Monroe’s approach to leveraging the NIST framework

West Monroe has consistently applied the NIST framework as a pillar of our approach, integrating governance into our engagements since 2015. Utilizing the framework, we objectively measure risk, identify improvement opportunities, and track our clients’ progress toward achieving their security goals year over year. From our point of view, traditional industries grapple with governance challenges, insufficient investment, stakeholder fragmentation, and siloed operations. With our deep engagement across traditional sectors, the timing of the NIST 2.0 update couldn’t be more crucial. We’re at the forefront, leveraging NIST to address the unique challenges traditional industries face. 

Why governance? It aligns security strategies with business objectives

Today's businesses are navigating a rapidly changing digital landscape, where advancements like artificial intelligence in threat detection and the increasing use of real-time data demand a strong approach to managing risks. It's essential for companies to build a culture and strategy around security governance that aligns with their business goals, regulatory needs, and risk tolerance. Investing early in a comprehensive security governance program pays off by making responses more effective and aligned with the company's objectives. 

Governance is crucial for security teams, especially when they're responsible for assets they don't fully control. A governance model that promotes shared responsibility across the organization is necessary to maintain an appropriate level of security. This model goes beyond just day-to-day operations, involving leadership, policies, and oversight to ensure that cybersecurity efforts are unified and integrated at every level.

We work with our partners to develop and evolve their security governance, focusing on several key principles:

• Stakeholder engagement: It's important to get everyone involved in the security process, from the top leadership to operational teams and even external partners. This ensures a wide range of perspectives and broad support for cybersecurity initiatives.
• Building a security-first culture: Security should be a core part of all business operations. It's about creating a mindset where everyone understands their role in keeping the company safe. Leadership plays a key role in setting this tone and supporting the governance structure.
• Defining roles and collaboration: Clear roles and responsibilities help eliminate confusion and build accountability. Encouraging teamwork across departments is key to a unified approach to managing cybersecurity risks.
• Integration with business objectives: The security strategy should support and be aligned with the company's overall goals and risk tolerance, ensuring that cybersecurity efforts add value and help achieve strategic objectives.
• Transparency and accountability: Open communication about risks, vulnerabilities, and performance helps everyone understand their part in cybersecurity. Using clear metrics and agreements can guide behavior, align resources, and ensure everyone is focused on the right goals.
• Agile decision-making: Companies need to be able to make quick, informed decisions in response to new threats or opportunities. Governance should provide the flexibility to adapt to these challenges efficiently.
• Continuous improvement: The digital world is always changing, so it's important to regularly update and refine governance practices. Keeping a roadmap and project list helps prioritize efforts, guide investments, and keep everyone informed.

Why focus on the supply chain? Because securing it tackles the wider risks that come with complex business operations. 

In today's interconnected business environment, managing the security of the supply chain is crucial. This involves overseeing a network of third-party providers of software, hardware, and services that are vital to operations. Recognizing the risks these external parties can introduce, it's important to have a strategy that ensures the safety, privacy, and availability of critical services and infrastructure. At West Monroe, we're committed to leading the way in supply chain security, guided by several key principles:

• Validating supplier security: It's essential to regularly check and confirm the security practices of our suppliers. This helps ensure they meet our high standards and contribute to a safer supply chain.
• Promoting a culture of security: We believe in working together, sharing knowledge, and educating everyone involved—inside and outside the organization. A united approach and shared responsibility are vital for a strong defense against cyber threats.
• Keeping a close watch: We use ongoing monitoring to keep an eye on our suppliers' security status. This allows us to quickly spot and respond to any potential issues.
• Being ready to respond: We have detailed plans in place for dealing with security incidents involving our suppliers. This ensures we can act fast and minimize any negative effects.
• Controlling access based on need: We make sure access to our systems is given only when necessary, based on the importance of the supplier. This reduces the chance of security problems.
• Securing the entire supplier relationship: We integrate security into every stage of our relationship with suppliers—from the first evaluation through to the end. This means security is always a top priority. 

NIST 2.0 Impacts by Industry

Conclusion

The NIST Cybersecurity Framework 2.0 represents a pivotal advancement in the collective effort to fortify cyber resilience across industries. By introducing the Govern function and placing a renewed emphasis on supply chain risk management, this updated framework addresses critical vulnerabilities and aligns cybersecurity practices with the strategic objectives of organizations. West Monroe's proactive adoption and integration of these guidelines underscore the importance of governance and a security-first culture in navigating the complexities of today's digital landscape.  

As businesses continue to evolve amid a backdrop of increasing cyber threats, the principles laid out in the NIST CSF 2.0 offer a comprehensive roadmap for enhancing security postures, fostering stakeholder engagement, and ensuring the continuous improvement of cybersecurity measures. Embracing these guidelines not only mitigates risks but also positions organizations to thrive in an era where digital resilience is synonymous with business success.