Why NIST included “Governance” in its CSF 2.0

The National Institute of Standards and Technology (NIST) has been at the forefront of promoting cybersecurity best practices and standards. One of its most notable contributions is the Cybersecurity Framework, which provides organizations with a structured approach to managing and mitigating cybersecurity risks. In its version 2 release, NIST introduced the “Govern” section, a significant addition that underscores the importance of governance in cybersecurity.

The Cybersecurity Framework (CSF): A Quick Overview

Before diving into the “Govern” section, let’s briefly revisit the NIST Cybersecurity Framework.

It consists of three primary components: the “Core,” “Profile,” and “Implementation Tiers.”

The Core is divided into five functions: Identify, Protect, Detect, Respond, and Recover. Each function is further broken down into categories and subcategories, offering a detailed set of guidelines for improving cybersecurity posture.

The “Govern” section, introduced in Version 2 of the Cybersecurity Framework, serves as a foundation for the entire framework. It provides overarching guidance and principles that organizations need to establish and maintain effective cybersecurity governance.

Reasons Behind the Inclusion of the “Govern” Section

1. Elevating the Importance of Governance
   • Governance sets the tone for cybersecurity within an organization. By adding a dedicated “Govern” section, NIST emphasizes that governance is a fundamental component of effective cybersecurity.
2. Aligning with Industry Trends
   • The cybersecurity landscape is constantly evolving, with new threats and regulations emerging. Incorporating governance aligns the framework with contemporary cybersecurity practices. Cybercriminals continually adapt their tactics to exploit weaknesses. As a result, cybersecurity strategies must adapt to keep pace. The inclusion of the “Govern” section acknowledges the dynamic nature of the field and the need for organizations to remain agile and responsive to evolving threats.
3. Supporting Risk Management
   • Effective governance aids in identifying, assessing, and mitigating cybersecurity risks. It provides the structure needed for risk management, which is central to the framework’s goals. Governance sets the stage for organizations to systematically identify cybersecurity risks. This involves recognizing potential threats, vulnerabilities, and the potential impact of security incidents.
4. Enhancing Communication and Collaboration
   • Governance fosters collaboration among different departments within an organization. It encourages communication between cybersecurity and business leaders, enabling a more holistic approach to security.
5. Meeting Regulatory Requirements
   • Many industries are subject to cybersecurity regulations. The “Govern” section helps organizations in regulated sectors meet compliance requirements by providing a governance foundation.

Implications and Benefits

1. Holistic Approach: The “Govern” section encourages organizations to take a holistic approach to cybersecurity, considering not only technical aspects but also human, organizational, and regulatory factors.
2. Risk Reduction: Effective governance contributes to reducing cybersecurity risks, helping organizations protect sensitive data and maintain business continuity.
3. Regulatory Compliance: The inclusion of governance assists organizations in complying with industry-specific regulations and standards.
4. Strategic Decision-Making: By emphasizing governance, the framework equips organizations to make informed, strategic decisions about their cybersecurity investments.

Conclusion

The inclusion of the “Govern” section in NIST’s Cybersecurity Framework Version 2 reflects the evolving nature of cybersecurity. It recognizes the critical role that governance plays in achieving and maintaining strong cybersecurity postures. Emphasizing governance provides organizations with a structured approach to cybersecurity that goes beyond technology, focusing on people, processes, and risk management. As the cybersecurity landscape continues to evolve, this addition is a testament to NIST’s commitment to staying relevant and ensuring that organizations have the best tools and guidance to protect their digital assets.

Dimitris Gkoutzamanis

Website | + posts

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.

• Dimitris Gkoutzamanis

  https://cisotimes.com/author/dimitris/

  The "World's Most Harmful Cyber Crime Group" Taken Down
• Dimitris Gkoutzamanis

  https://cisotimes.com/author/dimitris/

  The Canadian Clampdown on Flipper Zero: A Move Against Auto Theft
• Dimitris Gkoutzamanis

  https://cisotimes.com/author/dimitris/

  CISA Warns on Known Exploited Vulnerability 'Roundcube'
• Dimitris Gkoutzamanis

  https://cisotimes.com/author/dimitris/

  HPE Hacked by Russian Group Following Microsoft Email Breach