In recent years, I have witnessed the transition from cyber security as merely a role for the IT department to a subject raised in board-level discussions. Major breaches impacting the Australian public and people globally have forced executives to ask about the measures in place to prevent reputational and financial impacts on the organisation.
As such, more executives have made it imperative for their organisations to align with cyber security frameworks to elevate the company’s cyber security posture. The NIST Cyber Security Framework (CSF) was one model developed in 2014 for US organisations that many global enterprises have since adopted. Nearly ten years later, this framework has received a draft update with a proposed release date of 2024.
Why the updates to CSF 2.0?
In the almost ten years since the CSF’s inception, business and technology have experienced great shifts. Over that time, workforces have become dispersed, and digital processes continue to change to meet these new demands.
For example, more organisations rely on a network of third-party partners to supply or manage their technology infrastructure, some of which might have access to data. One of the areas that the original CSF overlooked was supply chain risks, the risks created when partners or vendors, including Software as a Service (SaaS) providers, manage your digital assets. Although a third party might be responsible for securing their own software and processes, the onus remains on your organisation to protect data. So, CSF 2.0 guides organisations on better managing supply chain risks.
Understanding the focus on governance
Perhaps the most notable change in the new draft is the ‘Govern’ function. Many organisations are responsible for meeting compliance requirements and regulations, so CSF 2.0 has adapted to make recommendations on governance.
The ‘Govern’ function provides organisations with guidance for setting a robust foundation in their cyber security efforts. This part of the framework outlines what’s needed to develop policies, procedures and processes that align with the organisation’s goals so that the business is better positioned to manage cyber security incidents should they occur.
The Australian Signals Directorate Information Security Manual (ISM) takes a similar approach, and the Australian government’s Security of Critical Infrastructure (SOCI) Act amendment of 2023 uses similar language without naming it as such. The SOCI rules state that a critical infrastructure entity must have a Risk Management Program in place, which the Board must be aware of and endorse annually.
Similarly, outsourcing no longer absolves an organisation of responsibility. Directors remain liable for damages irrespective of whether they occurred within the organisation directly or via a third-party supplier.
What does a focus on governance mean to the leadership team?
CSF 2.0, ISM, and the SOCI Act all emphasise that cyber security governance is no longer the sole responsibility of the IT team. For many businesses, this change has already started; a 2023 survey by the Harvard Business Review found that 87% of the participants believe their cyber security budgets would grow within twelve months. Yet, even as more leaders prioritise cyber security, their roles remain unclear.
The CSF’s update promotes transparency when discussing cyber security initiatives with the leadership team. The aim is to prevent executives from being left in the dark regarding cyber security. In addition, executives and board members are now called upon to review and formally sign off on risk management plans, ensuring they align with broader business objectives and strategies.
Executive teams must understand, approve and promote cyber security initiatives. While executives don’t need to be involved in cyber security on a technical level, they must be aware of the risks to the organisation and take responsibility for improving cyber security.
The CSF 2.0 framework also suggests that a cyber security culture starts at the executive level. Why? You can have the right cyber security controls in place, but if your team doesn’t understand the necessity of these controls, they could unintentionally become the cause of your next cyber security incident.
How these changes impact the organisation
The enhanced emphasis on governance in CSF 2.0 means that organisations using this framework will take a more holistic approach to cyber security. The changes will not only affect the IT and executive teams but will ripple through every layer of your business, necessitating a unified and informed approach to managing cyber risks.
If you’re an organisation that aligns with this framework, you’ll need to undergo another audit to measure your compliance. These audits identify areas for improvement. In preparing for this, your organisation will need to evaluate the following areas:
- Organisational context: This highlights your mission and goals, creating the foundation for your governance strategy.
- Risk management strategy: You will need to define your organisation’s risk appetite, constraints, and the highest security priorities you must address. At this stage, you should ensure that your risk management strategy aligns with your organisational objectives.
- Roles and responsibilities: You must define the cyber security roles for people in the organisation to promote accountability and improvement.
- Policies and procedures: These will specify incident response plans and any processes your team must follow to maintain the organisation’s cyber security posture.
This shift to governance-centred cyber security will recalibrate organisational priorities. You will need to redefine processes, reshuffle roles, and promote a culture of continuous improvement.
As workplaces have become primarily digital in recent years, the NIST CSF has changed to address new responsibilities for organisations. The new ‘Govern’ function encourages IT and executives to align cyber security with the organisational goals and build a shared commitment across the business.
From an Australian perspective, the NIST CSF is still one of the solid standards for managing cyber security in the modern world. The ISM complements this with standards that define how systems should be configured, and the SOCI Act places the burden of risk onto the business to ensure that controls from both are in place.
For executive teams, these all mean more involvement in understanding and approving cyber security measures. For the organisation, they mean changes to your processes, staff roles and auditing to ensure you align with your chosen framework.
recon can guide your cyber security alignment
Aligning your business with a cyber framework requires a partner who deeply understands the framework. Partnering with recon gives you access to experienced professionals who understand the controls and policies needed to improve governance and strengthen your cyber security posture. We can provide the necessary assessments to identify the gaps in your current cyber security strategy and guide you through the next steps. Visit our Services page for more on how we can support your business.