March 2024 | Resource

What industry leaders need to know about the NIST Cybersecurity Framework 2.0

Our approach to applying the updates that bolster your cyber resilience

In our digital age, keeping our systems safe is key to ensuring public safety and the smooth running of our society. Recent cyberattacks by groups like Volt Typhoon, backed by China, have shown how these attacks can have widespread effect—especially on organizations that maintain critical infrastructure, house sensitive data, or provide critical services. These attacks, along with a 50% increase in ransomware attacks in the industrial sector in 2023, stress the need for strong cybersecurity measures.


The NIST 2.0 updates address critical challenges in governance and supply chain

The National Institute of Standards and Technology (NIST) made significant updates to its Cybersecurity Framework (CSF) on February 26, 2024. These changes, especially in governance and supply chain security, are big steps forward from the 2018 version. They tackle long-standing issues by promoting better decision-making, clear communication, and proactive risk management. 

There were two notable changes in the NIST CSF 2.0:

  1. Introduction of the Govern function: The most notable modification in the CSF is the introduction of a new function named "Govern," making it the sixth function that complements the existing five: Identify, Protect, Detect, Respond, and Recover. This addition is designed to better integrate cybersecurity risk management within the broader scope of enterprise risk management efforts. The Govern function outlines specific "outcomes" or objectives that guide organizations in enhancing and prioritizing their cybersecurity measures across the other functions.
  2. Enhanced focus on supply chain risk management: The CSF 2.0 version places a stronger emphasis on managing supply chain risks by incorporating and building upon the supply chain risk management principles from CSF 1.1, primarily under the new Govern function. Recognizing the intricate and interconnected nature of supply chains, the framework stresses the importance of a comprehensive approach to cybersecurity supply chain risk management (C-SCRM).

    This approach involves a systematic method to address cybersecurity risks throughout the supply chain, establishing effective response strategies, policies, processes, and procedures. The inclusion of supply chain management within the Govern function aims to address complex cybersecurity challenges more effectively by promoting higher-level oversight and management.

West Monroe’s approach to leveraging the NIST framework

West Monroe has consistently applied the NIST framework as a pillar of our approach, integrating governance into our engagements since 2015. Utilizing the framework, we objectively measure risk, identify improvement opportunities, and track our clients’ progress toward achieving their security goals year over year. From our point of view, traditional industries grapple with governance challenges, insufficient investment, stakeholder fragmentation, and siloed operations. With our deep engagement across traditional sectors, the timing of the NIST 2.0 update couldn’t be more crucial. We’re at the forefront, leveraging NIST to address the unique challenges traditional industries face. 

Why governance? It aligns security strategies with business objectives

Today's businesses are navigating a rapidly changing digital landscape, where advancements like artificial intelligence in threat detection and the increasing use of real-time data demand a strong approach to managing risks. It's essential for companies to build a culture and strategy around security governance that aligns with their business goals, regulatory needs, and risk tolerance. Investing early in a comprehensive security governance program pays off by making responses more effective and aligned with the company's objectives. 

Governance is crucial for security teams, especially when they're responsible for assets they don't fully control. A governance model that promotes shared responsibility across the organization is necessary to maintain an appropriate level of security. This model goes beyond just day-to-day operations, involving leadership, policies, and oversight to ensure that cybersecurity efforts are unified and integrated at every level.

We work with our partners to develop and evolve their security governance, focusing on several key principles:

  • Stakeholder engagement: It's important to get everyone involved in the security process, from the top leadership to operational teams and even external partners. This ensures a wide range of perspectives and broad support for cybersecurity initiatives.
  • Building a security-first culture: Security should be a core part of all business operations. It's about creating a mindset where everyone understands their role in keeping the company safe. Leadership plays a key role in setting this tone and supporting the governance structure.
  • Defining roles and collaboration: Clear roles and responsibilities help eliminate confusion and build accountability. Encouraging teamwork across departments is key to a unified approach to managing cybersecurity risks.
  • Integration with business objectives: The security strategy should support and be aligned with the company's overall goals and risk tolerance, ensuring that cybersecurity efforts add value and help achieve strategic objectives.
  • Transparency and accountability: Open communication about risks, vulnerabilities, and performance helps everyone understand their part in cybersecurity. Using clear metrics and agreements can guide behavior, align resources, and ensure everyone is focused on the right goals.
  • Agile decision-making: Companies need to be able to make quick, informed decisions in response to new threats or opportunities. Governance should provide the flexibility to adapt to these challenges efficiently.
  • Continuous improvement: The digital world is always changing, so it's important to regularly update and refine governance practices. Keeping a roadmap and project list helps prioritize efforts, guide investments, and keep everyone informed.

Why focus on the supply chain? Securing it tackles the wider risks that come with complex business operations

In today's interconnected business environment, managing the security of the supply chain is crucial. This involves overseeing a network of third-party providers of software, hardware, and services that are vital to operations. Recognizing the risks these external parties can introduce, it's important to have a strategy that ensures the safety, privacy, and availability of critical services and infrastructure. At West Monroe, we're committed to leading the way in supply chain security, guided by several key principles:


  • Validating supplier security: It's essential to regularly check and confirm the security practices of our suppliers. This helps ensure they meet our high standards and contribute to a safer supply chain.
  • Promoting a culture of security: We believe in working together, sharing knowledge, and educating everyone involved—inside and outside the organization. A united approach and shared responsibility are vital for a strong defense against cyber threats.
  • Keeping a close watch: We use ongoing monitoring to keep an eye on our suppliers' security status. This allows us to quickly spot and respond to any potential issues.
  • Being ready to respond: We have detailed plans in place for dealing with security incidents involving our suppliers. This ensures we can act fast and minimize any negative effects.
  • Controlling access based on need: We make sure access to our systems is given only when necessary, based on the importance of the supplier. This reduces the chance of security problems.
  • Securing the entire supplier relationship: We integrate security into every stage of our relationship with suppliers—from the first evaluation through to the end. This means security is always a top priority. 

NIST 2.0 impacts by industry

Challenges and updates for utilities

The updates in NIST CSF 2.0 are particularly important for utility companies because of their reliance on international components and diverse supplier networks. This creates vulnerabilities, as seen with the Log4j exploit. Managing these risks requires continuous monitoring of suppliers, verifying their security measures, and understanding the supply chain through Software and Hardware Bills of Materials (SBOMs and HBOMs).
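As an added illustration of how an SBOM supports the supplier visibility described above, the following example (not code from the original article or from West Monroe) checks a constructed CycloneDX-style SBOM against a watchlist of component version ranges; the SBOM contents and the watchlist ranges are illustrative assumptions, not a vulnerability database.

```python
"""Check a CycloneDX-style SBOM against a watchlist of component version ranges.
Added example; SAMPLE_SBOM and WATCHLIST are constructed, illustrative data."""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON shape (sample data, not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.example", "name": "widget-sdk", "version": "1.0.0"},
    ],
})

# Illustrative watchlist: (group, name) -> (first affected, first fixed) version.
# The range is an assumption for demonstration; a real check loads advisory data.
WATCHLIST = {
    ("org.apache.logging.log4j", "log4j-core"): ("2.0", "2.17.1"),
}


def parse_version(v):
    """Turn '2.14.1' into a comparable tuple of ints; non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def flag_components(sbom_json):
    """Return [(group, name, version)] for components inside a watchlisted range."""
    flagged = []
    for c in json.loads(sbom_json).get("components", []):
        key = (c.get("group", ""), c.get("name", ""))
        if key not in WATCHLIST:
            continue
        first_affected, first_fixed = WATCHLIST[key]
        v = parse_version(c.get("version", "0"))
        # Affected if first_affected <= version < first_fixed (half-open range).
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            flagged.append((key[0], key[1], c["version"]))
    return flagged


if __name__ == "__main__":
    for group, name, version in flag_components(SAMPLE_SBOM):
        print(f"watchlisted component in SBOM: {group}:{name}@{version}")
```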

Additional benefits for utilities

The NIST CSF helps utility companies not only meet but exceed regulatory requirements, like those from the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP). It offers a thorough approach to cybersecurity, identifying and mitigating risks beyond standard compliance. This is crucial for areas like the IT environment, which is a common entry point for security breaches. 

By tracking cybersecurity performance metrics, utilities can manage their security strategies more effectively, identifying strengths and vulnerabilities. This data-driven approach helps in making informed decisions on resource allocation, adapting to evolving threats, and continuously improving cybersecurity posture.

Challenges and updates for healthcare

The adoption of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0 is particularly significant for healthcare organizations, given their unique vulnerabilities and the critical nature of their services. Healthcare companies manage a vast amount of sensitive patient data, making them prime targets for cyberattacks. These attacks can lead to significant data breaches, compromising patient privacy, and interrupting critical healthcare services. 

Healthcare organizations are increasingly adopting the NIST CSF to navigate their unique cybersecurity challenges. A recent report by KLAS and the American Hospital Association reveals that 71% of healthcare organizations deploy the NIST CSF, with 57% citing it as their primary cybersecurity framework. This adoption is critical for protecting sensitive patient data and ensuring the uninterrupted delivery of healthcare services.

Proactive risk management

Healthcare organizations face specific challenges such as the need to protect patient information while ensuring uninterrupted access to critical health services. The NIST CSF 2.0's emphasis on governance and supply chain security is crucial for these organizations. It helps them address the complex cybersecurity threats arising from the increasing use of digital health technologies such as electronic health records (EHRs), telemedicine, and mobile health applications. These technologies, while beneficial, introduce new vulnerabilities and potential entry points for cyberattacks.

Challenges and updates for manufacturing

The adoption of the NIST CSF 2.0 is particularly significant for the manufacturing sector, which faces unique cybersecurity challenges due to the increasing integration of digital technologies and the Internet of Things (IoT) in production processes. Manufacturers are at risk of cyberattacks that can disrupt operations, compromise intellectual property, and affect the supply chain. The NIST CSF 2.0 offers a comprehensive approach to managing these risks, emphasizing the importance of governance and supply chain security.

Implementing the NIST CSF 2.0 enables manufacturers to better protect their digital and physical assets. The framework's focus on supply chain security is crucial for manufacturers who rely on a complex network of suppliers and partners. By following the NIST CSF 2.0, manufacturers can improve their cybersecurity posture, ensuring the integrity, confidentiality, and availability of their systems and data. This not only helps in safeguarding against cyber threats but also supports regulatory compliance and builds trust with customers and partners.

Conclusion

The NIST Cybersecurity Framework 2.0 represents a pivotal advancement in the collective effort to fortify cyber resilience across industries. By introducing the Govern function and placing a renewed emphasis on supply chain risk management, this updated framework addresses critical vulnerabilities and aligns cybersecurity practices with the strategic objectives of organizations. West Monroe's proactive adoption and integration of these guidelines underscore the importance of governance and a security-first culture in navigating the complexities of today's digital landscape.  

As businesses continue to evolve amid a backdrop of increasing cyber threats, the principles laid out in the NIST CSF 2.0 offer a comprehensive roadmap for enhancing security postures, fostering stakeholder engagement, and ensuring the continuous improvement of cybersecurity measures. Embracing these guidelines not only mitigates risks but also positions organizations to thrive in an era where digital resilience is synonymous with business success. 