In our recent posts and webinars, we’ve been exploring the five original functions of NIST’s Cybersecurity Framework and discussing how they give small and mid-sized businesses a clear strategy for understanding, prioritizing, and communicating their cybersecurity efforts. But we’re not quite done yet.
In February 2024, NIST released the CSF 2.0, incorporating a new function: Govern.
The Basics of the Govern Function
While the original framework featured the Identify, Protect, Detect, Respond, and Recover functions, the update addresses the often-overlooked governance aspect. The Govern function helps smaller organizations give cybersecurity the priority it deserves and develop a governance model that aligns with their business objectives, fosters accountability, and helps them proactively manage cybersecurity risks.
Key components of the “Govern” function include:
- Leadership and Accountability: Ensuring cybersecurity is a leadership priority, and everyone understands who’s accountable for what.
- Cybersecurity Roles and Responsibilities: Defining roles, responsibilities, and authorities for specific cybersecurity tasks within your organization.
- Policy and Strategy Integration: Developing and implementing policies that integrate and align cybersecurity with your larger business strategy.
- Risk Management Alignment: Ensuring your cybersecurity strategies are aligned with your larger enterprise risk management.
- Continuous Monitoring and Improvement: Scheduling and conducting ongoing assessments of, and improvements to, your established cybersecurity practices.
Why Should Smaller Businesses Care about Governance?
Small and mid-sized companies are often challenged by limited budgets and staffing. As a result, cybersecurity often doesn’t receive the attention it should. However, the cyber threats these businesses face can be significant, and a successful attack can be just as devastating as a financial or reputational catastrophe. Despite limited resources, a structured cyber governance framework can help you manage those risks more effectively.
Cyber governance allows you to:
- Reduce risk by prioritizing cybersecurity at all levels of your business operations.
- Build resilience against attacks by fostering a proactive cybersecurity culture.
- Maintain compliance with industry regulations, protecting against potential legal and financial repercussions.
- Enhance decision-making by providing clear policies and procedures around cybersecurity.
- Strengthen customer trust in an environment of increasing concern about data privacy and security.
- Support sustainable growth by positioning your company to grow without being derailed by preventable cyber incidents.
“…the move to risk-driven strategies can seem like a daunting task, but it doesn’t need to be. Most organizations already have many of the building blocks in place to get started and can align current and future investments to overall organizational risk tolerance levels over a short period of time.”
Source: NIST CSF 2.0: A Blueprint for Operationalizing Risk Management Within an Organization’s Security Program
Enterprise Strategy Group/Arctic Wolf, June 2024
Getting Started: Implementing the Govern Function in Your Organization
As with the other functions of the NIST framework, implementing the Govern function is a step-by-step process. Here’s a brief overview:
Step 1. Establish Leadership Commitment and Accountability
Effective governance starts with clear commitment from leadership. Executives and managers should demonstrate the importance of cybersecurity through active involvement and clear communication.
Key steps to accomplish this include:
- Appointing a Cybersecurity Lead: Designate an individual or team responsible for overseeing cybersecurity. Depending on your resources, this can be an in-house staff member or an outsourced specialist.
- Defining Accountability: Ensure every department understands its role in maintaining cybersecurity, from human resources to IT to finance.
- Regular Communication: Schedule periodic reviews of cybersecurity status with leadership and communicate updates to all employees.
Step 2. Define and Document Cybersecurity Roles and Responsibilities
It’s vital to ensure everyone understands their part in managing security risks. This can be especially crucial for smaller companies, where people often wear multiple hats.
Helpful tasks include:
- Creating a Role Map: Outline specific cybersecurity tasks and assign them to specific departments. For instance, IT may handle technical defenses, while HR oversees employee training on cybersecurity policies. Document the tasks and responsible parties, and ensure the information is visible.
- Providing Training: Equip your entire team with the knowledge and skills they need for their roles, particularly regarding safe data practices, incident reporting, and compliance requirements.
Step 3. Integrate Cybersecurity with Your Business Strategy
The Govern function emphasizes aligning cybersecurity policies with business objectives. In a smaller company, this can help ensure your resources are allocated effectively and that cybersecurity is embedded into your day-to-day operations.
Steps to accomplish this include:
- Aligning Security with Business Goals: Ensure cybersecurity measures directly support specific business goals, such as protecting customer data, maximizing uptime, or ensuring compliance.
- Developing Policies and Procedures: Create documented policies that outline how you manage cybersecurity across the organization. These should cover data handling, access control, and incident response procedures.
- Risk-Based Decision-Making: Make decisions based on risk levels, focusing your resources on the most critical assets and vulnerabilities.
Step 4. Align Cybersecurity with Overall Risk Management
Risk management and cybersecurity go hand in hand. When implementing the Govern function, be sure to incorporate cybersecurity into broader risk management efforts, treating cyber risks like any other operational risk. Steps for alignment include:
- Conducting a Risk Assessment: Identify your business's most significant cybersecurity risks, focusing on potential impacts on critical assets.
- Prioritizing Risks: Based on the assessment, prioritize cybersecurity risks according to their potential impact and likelihood. This prioritization ensures that your resources are applied first to high-risk areas.
- Updating Continuously: Regular updates to your risk assessment process are essential because cyber threats evolve rapidly.
Step 5. Emphasize Continuous Monitoring and Improvement
Cybersecurity governance is an ongoing process and requires regular monitoring and improvement to adapt to new threats and changing business needs.
For smaller companies, this involves:
- Developing a Process for Consistent Monitoring: Use monitoring tools to keep track of cybersecurity events and vulnerabilities. Companies with limited resources can benefit from affordable or open-source tools for baseline monitoring.
- Conducting Regular Audits and Assessments: Regularly review cybersecurity policies, procedures, and controls to ensure they remain effective and aligned with current threats.
- Fostering a Culture of Improvement: Encourage (and help) all employees to stay aware of cybersecurity best practices, provide refresher training as needed, and foster a culture where security is everyone’s responsibility.
The Govern function of the NIST Cybersecurity Framework 2.0 empowers smaller companies to take control of cybersecurity through structured governance. Despite resource limitations, adopting a governance model helps you manage risks, build resilience, and support business growth.
Embracing the Govern function enables you to view cybersecurity as an essential business asset, fostering resilience and preparing for the challenges of tomorrow’s digital landscape.
In our upcoming webinar, we’ll examine the Govern function in more depth. Don’t miss this opportunity to hear directly from the experts about the smartest, most efficient ways to implement this important function in your organization’s cybersecurity strategy.
Join us for the next session of our Cybersecurity Webinar Series:
You're invited to join us on November 21st at 1 PM EST for "Establishing Accountability and Compliance for Long-Term Cybersecurity Success."