The U.S. National Institute of Standards and Technology (NIST) has released a draft of version 2.0 of its Cybersecurity Framework (CSF), open for public comment until November 4, 2023. The new version broadens the framework's scope considerably: where the original CSF was written for critical infrastructure operators, CSF 2.0 is intended for all organizations regardless of sector, size, or location.
One significant change in CSF 2.0 is the addition of a sixth function, Govern, alongside the existing five: Identify, Protect, Detect, Respond, and Recover. Adding Govern makes explicit that cybersecurity is a major source of enterprise risk, one that senior leadership should weigh alongside legal and financial risk.
The disconnect between boards and Chief Information Security Officers (CISOs) is a significant problem in the field. A recent study published in the Harvard Business Review documents the gap between board members' attitudes toward cybersecurity and what they actually do about it. Only 67% of the board members surveyed believe human error is their organization's biggest cyber vulnerability, even though the evidence cited in the study attributes roughly 95% of cybersecurity incidents to human error.
The same study found that while 65% of board members believe their organization is at risk of a material cyberattack, only 48% of CISOs share that view. A gap this wide in basic risk perception points to the need for better communication and shared understanding between boards and CISOs.
To bridge this gap, organizations need to bring cybersecurity risk management to the board level. The U.S. Securities and Exchange Commission (SEC) recently adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The final rules dropped the proposed requirement to disclose board members' cybersecurity expertise, but they still require public companies to describe the board's oversight of cybersecurity risk and management's role in assessing and managing it, which presumes that management teams, including CISOs, are having those risk conversations with the board.
The Govern function in the CSF 2.0 draft covers establishing and monitoring the organization's cybersecurity risk management strategy, expectations, and policy. For CISOs this means aligning security decisions with the priorities of the organization's leadership, and it widens the role beyond technical expertise and day-to-day risk management into the organization's broader enterprise risk management strategy.
One way to give boards and CISOs a shared language is cyber risk quantification, which combines security expertise with business-oriented risk management. It starts from the threats that matter to the organization and estimates, in financial terms, how often a breach of a critical asset is likely to occur and what it would cost, so that risk is expressed as expected and worst-case annual losses rather than as a qualitative rating. Stated in those terms, the results feed directly into budget approvals and the prioritization of security initiatives.
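The following is an added worked example of what a simple cyber risk quantification looks like in practice; it is not code from the article or from NIST. It assumes a FAIR-style model in which a threat scenario has a Poisson loss-event frequency and a lognormal per-event loss magnitude, and every parameter value (scenario name, frequencies, losses, control cost) is a constructed illustration rather than data from the page. Monte Carlo simulation produces the expected annual loss and tail percentiles a board can compare against a budget, and `control_benefit` turns a proposed control into an avoided-loss figure.

```python
"""Added example: simplified Monte Carlo cyber risk quantification.

Assumptions (not from the article): loss-event frequency ~ Poisson(lambda),
per-event loss magnitude ~ lognormal(median, sigma). All numbers below are
constructed for illustration only.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against a critical asset (illustrative values)."""
    name: str
    events_per_year: float   # mean loss-event frequency (Poisson lambda)
    median_loss: float       # median per-event loss, in currency units
    loss_spread: float       # lognormal sigma; ~1.0 is a wide spread


def analytic_expected_annual_loss(s: Scenario) -> float:
    """Closed form: lambda * E[lognormal] = lambda * median * exp(sigma^2 / 2)."""
    return s.events_per_year * s.median_loss * math.exp(s.loss_spread ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small lambdas used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 50_000, seed: int = 7) -> list:
    """Sample `trials` simulated years; each year sums the losses of its events."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu = math.log(s.median_loss)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, s.events_per_year)
        total = sum(rng.lognormvariate(mu, s.loss_spread) for _ in range(events))
        losses.append(total)
    return losses


def summarize(losses: list) -> dict:
    """Expected annual loss plus the tail figures a board will ask about."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
    }


def control_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> dict:
    """Compare a control's annual cost with the expected loss it avoids."""
    avoided = analytic_expected_annual_loss(before) - analytic_expected_annual_loss(after)
    ratio = avoided / annual_control_cost if annual_control_cost else math.inf
    return {
        "avoided_loss": avoided,
        "net_benefit": avoided - annual_control_cost,
        "benefit_cost_ratio": ratio,
    }


if __name__ == "__main__":
    # Constructed scenario: credential phishing leading to a data breach.
    phish = Scenario("credential phishing -> data breach", 2.0, 250_000, 1.0)
    # Constructed claim: phishing-resistant MFA cuts successful events by 75%.
    with_mfa = Scenario(phish.name + " (with MFA)", 0.5, 250_000, 1.0)

    stats = summarize(simulate_annual_losses(phish))
    print(f"{phish.name}")
    for k, v in stats.items():
        print(f"  {k:>21}: {v:>14,.0f}")
    print(f"  analytic EAL        : {analytic_expected_annual_loss(phish):>14,.0f}")

    benefit = control_benefit(phish, with_mfa, annual_control_cost=150_000)
    print("MFA control:", {k: round(v, 2) for k, v in benefit.items()})
```

The analytic expected annual loss is exact under the model and is what the board-level number should be checked against; the simulation adds the percentiles (p90, p99) that show how bad a bad year could be, which a single average hides. Replacing the constructed parameters with calibrated estimates from incident history and loss data is the real work of a quantification programme.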
Overall, the evolving roles of CISOs and boards reflect the need for better communication and shared understanding. The Govern function in the NIST CSF draft and the governance and risk management emphasis of the SEC rules both push cybersecurity into organizational strategy rather than leaving it as a purely technical concern. Cyber risk quantification gives organizations a concrete way to bridge that gap, expressing technical security risk in the business terms that boards already use.

