Fundamentals of Adopting the NIST Cybersecurity Framework - A Review
EG - Information Governance Manager (UK Public Sector)
"This book is an essential resource for those with an interest in protecting their organisation and explains why adopting the NIST-CSF framework is a vital opportunity for any organisation to demonstrate that cybersecurity is now accepted as a critical business competence.
It has previously been unclear where responsibility and accountability should lie within businesses for implementation of key cybersecurity programmes and initiatives. This has led to insufficient funding and a lack of adequate resource within business. Adoption of the NIST Cybersecurity Framework helps ensure that cybersecurity remains at the heart of the organisation.
This book provides a holistic approach to getting the basics right and covers a great deal of the material for the NIST Cyber Security Professional (NCSP®) Foundation Certificate course too. It shows how tasks can be allocated within the business and how to ensure that cyber is not just seen as a one-off job, but as part of a cycle of continuous improvement in which programmes are enhanced over time.
This book also highlights that it is not always about cybersecurity itself, but the perception of it. Realistically, businesses need their senior leaders engaged with the cybersecurity agenda. Initiatives which the board or senior leaders are behind are those which are more likely to succeed in the first place, but also to keep being successful over time as they develop alongside the changing business environment.
The book contains some excellent context and history in order to immerse the reader fully in the framework. The book goes beyond describing how to protect your organisation from some of the risks around cyber attacks, and adds the learning from attacks which have occurred. This is a great way to gain this learning without having to experience the pain!
Some of the less often considered sources of threats are also covered in the book, such as supply chain attacks. The text explains very well that cyber issues are far more than just technical ones. Fundamentally, asking questions at a business or enterprise level is where you can achieve engagement.
Fundamentally, NIST-CSF is about governance. This means thinking about strategy and risk together to ensure you are capturing opportunities as well as challenges. It also means making the initiatives fit within the culture of the business.
This book is broken down into very readable chunks, making it very easy to follow. The book provides very practical tips on adopting the framework; the "hows" as well as the "whys". It describes the framework and the key concepts associated with it. Each part is deconstructed with a clear explanation, enabling the reader to explore the various elements of the framework and how it all fits together. It contains both the detailed steps of establishing a cybersecurity programme and the wider issues to consider.
Adopting the Framework gives organisations many opportunities for improvement. As they undertake the relevant assessments, the gap will become apparent between where the organisation currently is and where it aspires to be. In order to achieve this improvement, it will be necessary to explore whether this can be met by improving current abilities or whether a new programme of cybersecurity will be necessary.
This is a great resource and a must-read for any business embarking on the adoption of the NIST-CSF framework."