NIST Cybersecurity Framework Why

Andrew and I have been busy getting the Cybersecurity Management Platform built to be usable by the masses. While working on the application and doing demos for several people, the question was never "how do I use the application?" Andrew built things so user-friendly and uncomplicated that you do not have to be a seasoned IT Security Manager to manage your security profile.

The questions that come up over and over again are usually "why do I need to use the NIST Cybersecurity Framework?" and "why do I need to use your Framework as a Service (FaaS) to do it?" Let me break them apart so I can show the value of each.

Why do I need to use the NIST Cybersecurity Framework?

Many of the reasons are documented on the NIST Cybersecurity Framework website, and their FAQs cover many topics. Let's start off with this: if you are a private business, you are not required to use the framework; it is completely voluntary. No laws are in place saying "you must map your controls to the framework". Before you stop reading here, you may want to keep going.

If you work in the trading industry, you should know by now that the Securities and Exchange Commission, FINRA, and SIFMA are all leveraging the NIST Framework as their method of reviewing firms. All of the industry regulatory groups are beginning to take cybersecurity very seriously. This started in April 2014 (shortly after Framework 1.0 was published by NIST) when the SEC issued its first questions to the industry. These questions were put together to help compliance personnel assess their firms' cybersecurity preparedness. The NIST Framework was referred to in the introduction and also in the questions themselves.

One year later (April 2015) the SEC issued "Guidance Update No. 2015-02 - Cybersecurity Guidance". In this update a new reference to NIST made an appearance:

"OCIE’s Cybersecurity Initiative contained a sample list of requests for information, which included questions that tracked information outlined in the “Framework for Improving Critical Infrastructure Cybersecurity.” See OCIE Cybersecurity Initiative, supra note 1. Funds and advisers may wish to consult this Framework when considering a strategy to mitigate exposure to cyber attacks. See National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity,” (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf"

I think you can see where we are going here. The guidance from FINRA and SIFMA also references the NIST Framework. All of the regulators across the trading industry are heavily referring to the framework over and over again. In doing so, they are accomplishing one of the core goals of the framework: "to provide a common language to address security risk."

At this point in the post the "WHY do you need to use the NIST Cybersecurity Framework" becomes obvious.

Now onto the "WHY do you need to use FINSECTECH and our Cybersecurity Framework as a Service (FaaS) to manage your security profile."

Not only was the framework built to be a common language for discussing security risk, it was also built to be cost-effective. There are other security and IT management frameworks across the industry, but NIST's was developed by the US government to help protect the industry and it is FREE to use. Other management framework products are costly to implement.

When we started looking at the NIST framework, we designed an application with the following key features:

  • The application had to be user-friendly and simple. After working in the industry for many years, we grew frustrated with tools that are overly complicated, hard to navigate and cumbersome to use. So we created an application that was different.
  • The application had to help people in a variety of roles across an organization work together on the organization's risk management process. The communication features in the FINSECTECH FaaS glue together the tiers of the NIST Risk Management Framework.
  • The application had to provide the means for self-assessment. The NIST Framework recommends a rating system using Tiers. The Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). We have built this rating system into the FaaS.
  • The application had to be responsive. Security is a process that involves many people. An app that doesn't allow multiple people to work together quickly doesn't allow them to work together at all. Our app is built to be fast and to scale across thousands of users.
  • The application had to adapt to the future. Threats and their responses are constantly evolving, so FINSECTECH is monitoring the NIST framework and updating the application with the latest changes.
  • The application had to help address the talent gap in the security field. With regulators starting to push the usage of the NIST Framework into new areas of business, the demand for security management surpasses the supply in the workforce. By using the application, organizations can spend less time and fewer resources trying to understand complex security regulations and managing documentation, and spend more time on actual security-related matters.
  • The application had to give insights into historical information and preserve information throughout a company's changing structure. We understand that keeping a CIO or IT Director for more than a couple of years in this market can be a challenge. We wanted to provide their successor with a view of what your company's current profile is and the direction it was moving in. This will also decrease the amount of time your new staff need to get acclimatized to your environment and allow them to set new direction quickly.

Now you can see WHY the usage of the FINSECTECH FaaS is a no-brainer for your company.