While 99% of Organizations Look to Align Risk and Performance Indicators to the Cybersecurity Framework, Automation and Staffing Remain a Hindrance
Secaucus, NJ – Rsam, a leader in governance, risk and compliance (GRC) enterprise software solutions, today released the results of a recent study it conducted with more than 150 security practitioners, on their adoption plans for the NIST Cybersecurity Framework (CSF).
The company surveyed IT security professionals during a recent NIST CSF discussion about a range of factors that contributed to their ability or inability to successfully implement the framework. The findings showed that organizations are paying attention to the NIST CSF, and using it as a guideline for budget allocation and measurement of their success as an organization:
- 71% of individuals indicated that they use or are planning to use the NIST CSF to determine where their cyber security budget should be allocated.
- More than 75% either agreed or strongly agreed that demonstrating the state of cyber security to the board is a key priority.
- More than 70% indicated it was important or very important for their organization to tie key risk and performance indicators to NIST CSF, while less than 1% said it was not important.
At the same time, the survey found that automation and staffing challenges remain as key barriers to broader adoption:
- Less than 10% said that their NIST-CSF program was more than 75% automated. The vast majority – more than 90% of respondents – said their program was less than 50% automated. And over 50% said that less than 25% of their cyber program was automated.
- Almost 50% said their cybersecurity team is understaffed, with 100% indicating they believe that the scope of their job will grow.
“We talk to information security leaders every day who express common challenges regarding implementing NIST CSF,” said Vivek Shivananda, CEO and Co-Founder of Rsam. “A central theme seems to be the struggle to put an overarching automated risk and compliance program in place, that can be looked at through the lens of NIST CSF and other frameworks. Even today, many organizations still rely on manual processes and manage separate data silos. This limits their ability to confidently report on their state of cybersecurity readiness to their Board and rapidly respond to security incidents.”
The NIST CSF is designed to help organizations reduce and better manage cybersecurity risks. The framework applies the principles and best practices of risk management to improve the security and resilience of critical infrastructure by assembling standards, guidelines, and practices that are working effectively in industry today. However, the Framework is not a one-size-fits-all and organizations have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the Framework vary. Add to that, security teams may track different activities in spreadsheets or in homegrown systems without a practical and automated way to implement the framework to get a holistic view of how their organization is performing against NIST CSF.
Rsam is working to address this with a practical implementation platform that is based on 14 years of experience and hundreds of risk and compliance implementations. Using the Rsam platform, organizations can blend the three Framework fundamental elements (Core, Profile and Implementation Tiers) into a singular view businesses can determine their progress and build a strategic security plan. Rsam also introduces predictability into the process. Organizations can measure where they are in their maturity, where they want to be and how long it will take to get there.