You have taken the time to identify organizational goals, prioritize lines of business, and determine regulatory requirements.

You’ve even begun to create the culture of security throughout the company.  Now, what’s next?

Implementing the Framework. 

The NIST Cybersecurity Framework (CSF) is not meant to replace an existing program or processes. It aligns business and organizational processes, ensuring all elements of a Cybersecurity Program are addressed as defined in the framework core. The NIST CSF also assists organizations in adhering to compliance requirements, as many regulators have mapped their security controls to the Framework.

Through implementation, organizations identify required activities to meet framework core outcomes – addressing both organizational security risks and compliance requirements.

NIST CSF suggests seven implementation steps to develop a mature program or improve an existing one.

Step 1 – Prioritize and Scope
Identify the business/mission objectives based on organizational priorities.

Step 2 – Orient
Identify the related systems, assets, regulatory requirements, and overall risk approach for the scoped cybersecurity program (Step 1).

Step 3 – Create a Current State Profile
Develop a current state profile identifying how the framework core outcomes are currently being addressed for the systems and business environments (Step 2).

Step 4 – Conduct a Risk Assessment
Conduct a security risk assessment of the organization, as scoped (Step 1), to identify security risk tolerance levels.

Step 5 – Create a Target State Profile
Develop a target state profile identifying the cybersecurity objectives required for each framework core element to meet organizational risk tolerance levels.

Step 6 – Determine, Analyze, and Prioritize Gaps
Overlay the current and target state profiles to identify gaps within the current cybersecurity program. Prioritize the gaps based on business objectives.

Step 7 – Implement an Action Plan
Implement an action plan to close prioritized gaps.
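Steps 3 through 7 come down to a comparison: overlay the current state profile on the target state profile, keep every outcome where the target is higher than the current state, and rank those gaps by business priority. The script below is an added illustration of that overlay, not code from the original article or from NIST. It assumes a 1–4 maturity score per CSF subcategory (the CSF defines implementation tiers for the organization as a whole and prescribes no per-subcategory scale, so the scoring is this example's convention), and all three profiles are constructed sample data.

```python
"""Gap analysis over a current and a target NIST CSF profile (illustrative example)."""
from dataclasses import dataclass

# Constructed sample profiles, keyed by CSF subcategory identifier.
# Scores are a 1-4 maturity rating per subcategory (an assumption of this
# example; the CSF itself does not prescribe a per-subcategory scale).
CURRENT_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 2,
    "PR.DS-1": 1, "DE.CM-1": 1, "RS.RP-1": 3,
}
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 4, "PR.DS-1": 3,
    "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2,
}
# Business priority weight per subcategory, taken from the Step 1 scoping
# (constructed sample; anything not listed defaults to weight 1).
BUSINESS_PRIORITY = {
    "ID.AM-2": 2, "PR.AC-1": 3, "PR.DS-1": 3, "DE.CM-1": 2, "RC.RP-1": 1,
}

MIN_SCORE, MAX_SCORE = 1, 4


@dataclass(frozen=True)
class Gap:
    """One outcome where the target profile exceeds the current profile."""
    subcategory: str
    current: int
    target: int
    priority: int

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def score(self) -> int:
        # Larger distance to target and higher business priority rank first.
        return self.size * self.priority

    @property
    def function(self) -> str:
        # "PR.AC-1" -> "PR" (Identify, Protect, Detect, Respond, Recover).
        return self.subcategory.split(".", 1)[0]


def _check_profile(profile: dict, name: str) -> None:
    for sub, value in profile.items():
        if not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{name}[{sub}]={value} outside {MIN_SCORE}..{MAX_SCORE}")


def find_gaps(current: dict, target: dict, priority: dict) -> list[Gap]:
    """Step 6: overlay the profiles and return gaps, highest score first."""
    _check_profile(current, "current")
    _check_profile(target, "target")
    gaps = []
    for sub, tgt in target.items():
        # A subcategory missing from the current profile is treated as
        # unaddressed, i.e. the lowest score, rather than silently skipped.
        cur = current.get(sub, MIN_SCORE)
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt, priority.get(sub, 1)))
    # Deterministic order: score descending, then identifier for tie-breaks.
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def gaps_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Count open gaps per framework function to show where effort concentrates."""
    counts: dict[str, int] = {}
    for g in gaps:
        counts[g.function] = counts.get(g.function, 0) + 1
    return counts


def action_plan(gaps: list[Gap]) -> list[str]:
    """Step 7: one prioritized action line per gap, in the order to work them."""
    return [
        f"{i}. {g.subcategory}: raise from {g.current} to {g.target} "
        f"(priority {g.priority}, score {g.score})"
        for i, g in enumerate(gaps, start=1)
    ]


if __name__ == "__main__":
    found = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, BUSINESS_PRIORITY)
    for line in action_plan(found):
        print(line)
    print("open gaps per function:", gaps_by_function(found))
```

Two details matter in practice: a subcategory present in the target profile but absent from the current one is treated as a gap at the lowest score rather than dropped, so scoping omissions surface instead of hiding, and the sort key is deterministic so two runs over the same profiles produce the same action plan.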

Embracing the Culture.

Individuals are most willing to embrace cybersecurity actions if the concepts and technology are quick, hassle-free, and easy to understand. To that point, a focus on security basics goes a long way.

By embracing the ABCs of cybersecurity hygiene (e.g., enforcing proper passwords, encrypting hard drives, limiting users' ability to load undesirable software, two-factor authentication [2FA]), companies teach users that the security equivalent of washing your hands is simple, easy, and effective. The basics are proven to vanquish the most common attacks and prevent data breaches. Simple methods do not always receive the same limelight as threat-focused measures, but they are cost-effective and straightforward, reducing the strain on cybersecurity and IT resources.

Remember, NIST CSF is not designed to be a "one stop shop"; it exists to define and direct your program. It is your security professionals who generate and champion the security processes, procedures, and culture. In keeping with cybersecurity best practices, Part III will lay out penetration testing and vulnerability management.


Dana Pickett is the former Edwards Principal of Cybersecurity and CISO. He is experienced in managing programs with a focus on both business and technical risk management for cybersecurity, audit, and privacy/compliance with diverse requirements. As a member of various task forces for industry and state government cybersecurity, risk management, and compliance initiatives, Dana has proven effective in communicating to executive management, senior executive boards and councils, and audit committees to achieve sponsorship and governance.
