What are the common challenges of implementing the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) is a voluntary set of standards, guidelines, and best practices to help organizations improve their cybersecurity posture. It is widely adopted by various sectors and industries, especially in the US, as a common language and reference for managing cyber risks. However, implementing the NIST CSF is not without challenges. In this article, we will discuss some of the common obstacles and how to overcome them.

1 Aligning with business goals

One of the first steps in implementing the NIST CSF is to identify the business objectives and priorities that drive the cybersecurity strategy. This requires a clear understanding of the organization's mission, vision, values, and stakeholders, as well as the threats and opportunities in the external environment. However, aligning cybersecurity with business goals can be difficult, especially if there is a lack of communication, collaboration, or support from the senior management and other business units. To overcome this challenge, it is important to establish a cross-functional team that can articulate the value proposition and benefits of the NIST CSF, and to communicate regularly and effectively with the relevant stakeholders.

Add your perspective

Rizwi Wun

Head Digital Assets and Technology Group RHTLaw Asia
Report contribution
I have always found that many of the senior management of parties we know would not take cybersecurity seriously, until it has an adverse impact on their organisation. It would be prudent to take pre-emptive steps, and with more communication and understanding, this awareness of the importance of cybersecurity might be achieved.

Like
Robert Linares

Driving compliance excellence: Empowering organizations for seamless PCI DSS compliance with expert consultation
Report contribution
One thing I've found helpful is inviting all parties to a two-part meeting, where everyone can first express their goals for their department along with any concerns that may arise. In the second meeting, we can work backwards by addressing the concerns in a way that aligns with their goals. Communication is key between teams to ensure progress for everyone.

Like

2 Assessing the current state

Another key step in implementing the NIST CSF is to assess the current state of the organization's cybersecurity maturity and capabilities, using the five functions of the framework: identify, protect, detect, respond, and recover. This requires a comprehensive and objective evaluation of the existing policies, processes, controls, tools, and resources that are in place to manage cyber risks. However, assessing the current state can be challenging, especially if there is a lack of data, metrics, or benchmarks to measure the performance and effectiveness of the cybersecurity program. To overcome this challenge, it is important to use a consistent and standardized methodology and toolset that can capture and analyze the relevant information and provide actionable insights.

Add your perspective

3 Developing a roadmap

Based on the assessment of the current state, the next step in implementing the NIST CSF is to develop a roadmap that outlines the desired outcomes, gaps, priorities, and actions to improve the cybersecurity posture. This requires a realistic and feasible plan that aligns with the business goals and the available resources and constraints. However, developing a roadmap can be challenging, especially if there is a lack of clarity, consensus, or commitment on the vision, scope, and timeline of the cybersecurity improvement project. To overcome this challenge, it is important to use a collaborative and iterative approach that can involve and engage the stakeholders, and to define clear roles, responsibilities, and expectations for the implementation.

Add your perspective

Rizwi Wun

Head Digital Assets and Technology Group RHTLaw Asia
Report contribution
As for a roadmap, there is no "one-size fits all" solution, but the fundamentals have to be understood, the weaknesses identified and addressed, and all precautions, reasonably foreseeable, should be taken. Ultimately, cost is also a factor.

Like

4 Executing the roadmap

Once the roadmap is developed, the final step in implementing the NIST CSF is to execute the roadmap and monitor the progress and results. This requires a disciplined and agile execution that can deliver the expected outcomes and benefits, while managing the risks and issues that may arise along the way. However, executing the roadmap can be challenging, especially if there is a lack of resources, skills, or support to implement the changes and sustain the improvements. To overcome this challenge, it is important to use a project management framework that can track and report on the performance and impact of the cybersecurity program, and to provide ongoing training, guidance, and feedback to the staff and stakeholders.

Add your perspective

5 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

What are the common challenges of implementing the NIST Cybersecurity Framework?

1

2

3

4

5

1 Aligning with business goals

2 Assessing the current state

3 Developing a roadmap

4 Executing the roadmap

5 Here’s what else to consider

IT Operations Management

Rate this article

Thanks for your feedback

More articles on IT Operations Management

More relevant reading

What are the common challenges of implementing the NIST Cybersecurity Framework?

1

2

3

4

5

1 Aligning with business goals

2 Assessing the current state

3 Developing a roadmap

4 Executing the roadmap

5 Here’s what else to consider

IT Operations Management

Rate this article

Thanks for your feedback

Explore Other Skills