In the realm of cybersecurity risk management, two prominent frameworks have gained widespread recognition – the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and the CIS (Center for Internet Security) Controls. These frameworks provide businesses and organizations with a structured approach to managing cyber risks and protecting sensitive information.
In this blog, we delve into a detailed comparison of the NIST CSF and CIS Controls, exploring their key features, benefits, and considerations for choosing one over the other.
Understanding the NIST CSF
The NIST CSF is a voluntary framework developed by the National Institute of Standards and Technology. The framework is built upon five core functions—each encompassing various categories and subcategories:
Identify • Protect • Detect • Respond • Recover
In short, Identify all of the IT assets you will Protect. Deploy tools/processes to quickly Detect anomalies that could lead to disaster. Respond rapidly to any threats; if compromised, Recover swiftly and efficiently. It sounds simple, but it’s not.
The first step in an effective cybersecurity risk management program is a comprehensive understanding of your organization’s digital assets and potential vulnerabilities relative to the current cyber threat landscape. Expect this ‘discovery phase’ to be painstakingly detailed and to take a lot of time, as it should be thorough and exhaustive.
Once your Cybersecurity Experts have identified the assets and resources that need to be protected, they should install a carefully curated and layered suite of state-of-the-art cybersecurity risk management tools. These tools and related services aim to monitor and safeguard all network activity and stop cyber criminals dead in their tracks.
They should then guide you through the development of sound security policies and the implementation of strong security controls. Since Cybersecurity Experts know that employees are the number one attack vector, expect them to implement an ongoing data security training program.
The purpose of data security training is to bring employees up to speed on best practices designed to protect your sensitive information and ensure the continued operation of critical systems in the face of evolving cyber threats.
There will be multiple tools in place designed to rapidly detect any intrusion, minimizing the potential for any damaging impact.
Time is not your friend when you’re under a cyber attack. Response to any threat should be rapid, targeted, and effective in neutralizing the threat.
If a threat does manage to get past your layered defenses, it’s important to have a recovery strategy in place—prior to any event. Expect your Cybersecurity Experts to develop a Backup and Disaster Recovery strategy that has been tested adequately and is kept up to date.
One of the key benefits of NIST CSF is that it provides a comprehensive, flexible approach to managing cybersecurity risks that can be adapted to a wide range of organizations and industries. Therein lies the complexity. This flexibility makes it particularly useful for organizations that are just starting to implement a cybersecurity program or need to establish a baseline for their current program.
The framework is also designed to be scalable so that organizations can tailor it to their specific needs. For example, a small organization may focus on implementing the most essential controls within each function, while a larger organization will need to implement a more comprehensive and robust set of controls.
Exploring the CIS Controls
The CIS Critical Security Controls Version 8 were developed by the Center for Internet Security. They were previously known as the SANS Critical Security Controls (SANS Top 20).
“CIS Controls Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in V8 through revised terminology and grouping of Safeguards, resulting in a decrease of the number of Controls from 20 to 18.”
“The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks.
CIS Controls V8 has been enhanced to keep up with modern systems and software. The movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update. CIS supports an enterprise’s security as they move to both fully cloud and hybrid environments.” https://www.cisecurity.org
The CIS Controls provide organizations with actionable and practical steps to bolster their security defenses and address common vulnerabilities. The controls are:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
One of the key benefits of CIS Controls is that they are designed to be prescriptive, providing specific guidance on how to implement each control. This makes it particularly useful for organizations seeking to implement security controls tailored to their specific security requirements.
Organizations can focus their efforts on implementing the controls that will provide them with the greatest benefit. This can be especially helpful for those with limited resources who need to prioritize their cybersecurity efforts.
Choosing the Right Framework
When considering which framework to adopt, it is essential to evaluate the specific needs and goals of the organization. Here are some factors to consider:
Flexibility vs. Prescriptiveness
The NIST CSF is known for its flexibility, allowing organizations to tailor their approach to cybersecurity risk management based on their unique requirements. It offers a broad set of guidelines and best practices.
In contrast, the CIS Controls provide a more prescriptive approach, offering clear and prioritized security controls that organizations can implement — one at a time.
The level of maturity in an organization's cybersecurity program is a significant consideration. The NIST CSF is well-suited for organizations that are starting their cybersecurity journey or seeking to establish a comprehensive baseline. It offers guidance to develop a robust security program.
Conversely, the CIS Controls benefit organizations looking for a more refined approach, especially those with existing security programs seeking specific recommendations designed to enhance defenses in a particular area.
Organizations operating within specific industries may have regulatory or compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), Cybersecurity Maturity Model Certification (CMMC), General Data Protection Regulation (GDPR), Federal Trade Commission, Payment Card Industry (PCI), etc.
The NIST CSF is widely recognized and referenced by these and other regulatory bodies, making it a popular choice for organizations aiming to align with industry standards.
On the other hand, CIS Controls are leveraged by organizations seeking a concise set of controls that align with current industry best practices.
When choosing which approach to use, it is crucial to consider the available resources, including budget, personnel, and expertise.
The NIST CSF allows organizations to tailor a complex implementation strategy based on available resources and risk tolerance.
The CIS Controls provide clear action steps, enabling organizations to focus their efforts on implementing specific prescribed controls.
Both the National Institute of Standards and Technology and the Center for Internet Security provide plenty of ‘how to implement’ material that can be of immense value.
It can be tempting to use these guides to craft a DIY cybersecurity risk management solution for your organization or business. However, because the stakes are so high and the technology so complex, this is best left to trained professionals.
Both the NIST CSF and CIS Controls offer valuable frameworks for managing cybersecurity risks effectively. The choice between the two depends on an organization's specific needs, maturity level, compliance requirements, and resource allocation.
Ultimately, it is important to remember that these frameworks are not mutually exclusive, and organizations can integrate components from both to create a robust cybersecurity risk management approach. By leveraging the strengths of each framework, organizations can enhance their cybersecurity posture and mitigate evolving cyber threats effectively.
Which approach is best for your business or organization? Consult with a Cybersecurity professional to weigh the pros and cons of each. Then, let the professional craft the solution.
The important thing to remember is this — cyber criminals are using increasingly sophisticated tools and strategies to attack your business or organization. The sooner you choose a framework and implement a cybersecurity risk management program, the better.