In our recent posts and webinars, we’ve been exploring the five original functions of NIST’s Cybersecurity Framework and discussing how they give small and mid-sized businesses a clear strategy for understanding, prioritizing, and communicating their cybersecurity efforts. But we’re not quite done yet.
In February 2024, NIST released the CSF 2.0, incorporating a new function: Govern.
The Basics of the Govern Function
While the original framework featured the Identify, Protect, Detect, Respond, and Recover functions, the update addresses the often-overlooked governance aspect. The Govern function helps smaller organizations give cybersecurity the priority it deserves and develop a governance model that aligns with your business objectives, fosters accountability, and helps you proactively manage cybersecurity risks.
Key components of the “Govern” function include:
Why Should Smaller Businesses Care about Governance?
Small and mid-sized companies are often challenged by limited budgets and staffing. As a result, cybersecurity often doesn’t receive the attention it should. However, the cyber threats these businesses face can be significant and potentially just as devastating as a financial or reputational catastrophe. Despite limited resources, a structured cyber governance framework can help you manage risks more effectively.
Cyber governance allows you to:
“…the move to risk-driven strategies can seem like a daunting task, but it doesn’t need to be. Most organizations already have many of the building blocks in place to get started and can align current and future investments to overall organizational risk tolerance levels over a short period of time.”
Source: NIST CSF 2.0: A Blueprint for Operationalizing Risk Management Within an Organization’s Security Program
Enterprise Strategy Group/Arctic Wolf, June 2024
Getting Started: Implementing the Govern Function in Your Organization
As with the other functions of the NIST framework, implementing the Govern function is a step-by-step process. Here’s a brief overview:
Step 1. Establish Leadership Commitment and Accountability
Effective governance starts with clear commitment from leadership. Executives and managers should demonstrate the importance of cybersecurity through active involvement and clear communication.
Key steps to accomplish this include:
Step 2. Define and Document Cybersecurity Roles and Responsibilities
It’s vital to ensure everyone understands their part in managing security risks. This can be especially crucial for smaller companies, where people often wear multiple hats.
Helpful tasks include:
Step 3. Integrate Cybersecurity with Your Business Strategy
The Govern function emphasizes aligning cybersecurity policies with business objectives. In a smaller company, this can help ensure your resources are allocated effectively and that cybersecurity is embedded into your day-to-day operations.
Steps to accomplish this include:
Step 4. Align Cybersecurity with Overall Risk Management
Risk management and cybersecurity go hand in hand. When implementing the Govern function, be sure to incorporate cybersecurity into broader risk management efforts, treating cyber risks like any other operational risk. Steps for alignment include:
Step 5. Emphasize Continuous Monitoring and Improvement
Cybersecurity governance is an ongoing process and requires regular monitoring and improvement to adapt to new threats and changing business needs.
For smaller companies, this involves:
The Govern function of the NIST Cybersecurity Framework 2.0 empowers smaller companies to take control of cybersecurity through structured governance. Despite resource limitations, adopting a governance model helps you manage risks, build resilience, and support business growth.
Embracing the Govern function enables you to view cybersecurity as an essential business asset, fostering resilience and preparing for the challenges of tomorrow’s digital landscape.
In our upcoming webinar, we’ll examine the Govern function in more depth. Don’t miss this opportunity to hear directly from the experts about the smartest, most efficient ways to incorporate this important function into your organization’s cybersecurity strategy.
You're invited to join us on November 21st at 1 PM EST for "Establishing Accountability and Compliance for Long-Term Cybersecurity Success."