Okay, that was harsh… But anyone who has had the “pleasure” of explaining the “simple complexity” of the NIST Cybersecurity Framework to management or other non-technical folks understands how challenging it can be.
As the Virtual CISO for several organizations that are adopting the NIST CSF, here is how I have explained Tiers and Profiles, with good success.
Start by saying, “Tiers are essentially maturity levels.”
In the Framework's own terms, Tiers describe how an organization views cybersecurity risk and how rigorous and integrated its processes for managing that risk are. They range from Tier 1, Partial (ad hoc, often reactive, with limited awareness of cybersecurity risk at the organizational level), through Tier 2, Risk Informed, and Tier 3, Repeatable, up to Tier 4, Adaptive (practices are formally established, applied organization-wide, integrated with enterprise risk management, and continuously improved based on lessons learned and predictive indicators). For example, an Adaptive organization has a cybersecurity risk management approach that is informed by business needs, is part of the organizational culture, and works in tandem with the overall risk management program. One caveat to know before the conversation: NIST states that Tiers do not represent maturity levels, and that moving to a higher Tier is encouraged only when a cost-benefit analysis shows a feasible, cost-effective reduction of risk. "Maturity levels" is still the fastest way to get the idea across to a non-technical audience, as long as you don't leave the impression that every organization should be chasing Tier 4.
Placing your organization on this four-point scale lets you describe your level of cybersecurity risk management to senior management or a board of directors in one number, which gives you a baseline to benchmark against and track over time. Once that position is established, the board can see how rigorously and consistently the organization manages cybersecurity risk and decide, on cost and benefit, whether moving to a higher Tier is worth the investment. When you select a Tier, NIST expects you to consider your current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business objectives, supply chain requirements, and organizational constraints, not just a self-assessment of how good the security team is.
Start by saying, “Profiles are states of being that help us understand where our information security program is today and where it is that we want our program to be at some future point.”
In the Framework's own terms, a Profile is the alignment of the Functions, Categories, and Subcategories with the organization's business requirements, risk tolerance, and resources. Documenting your “Current Profile” (which outcomes you achieve today) and establishing a “Target Profile” (which outcomes you need to achieve, and at what Tier of rigor) gives you a gap analysis, and a prioritized gap analysis is your roadmap for improving your cybersecurity.
Profiles are also extensible. For example, the Financial Services Sector Cybersecurity Profile, published by the FSSCC, adds two Functions (Governance and Supply Chain/Dependency Management) to the five core Functions of the NCSF (Identify, Protect, Detect, Respond and Recover), and under each Function adds diagnostic statements that spell out the outcomes expected of a financial institution. You could choose not to use Profiles at all, use the NCSF core as-is as your Profile, adopt a Profile that has already been developed for your industry, or roll your own. Profiles are about tailoring the Cybersecurity Framework to best serve your organization. There is no “right” or “wrong” way to set your Profiles; a Profile is right when it reflects your actual obligations and risk tolerance.
To sum up:
Like all good information security frameworks, NIST starts with understanding your information assets, risks, risk appetite, regulations, contractual obligations, and the other factors that shape your risk management decisions. From there, you adapt the NIST CSF to your specific context, so that the Framework and your organization together can effectively manage risk.
“Effectively managing risk”—those words will resonate with senior management without an explanation.