10 very good reasons you should know your NIST score!
The NIST Cybersecurity Framework is not new.
Its first version was published in 2014.
The National Institute of Standards and Technology (NIST) developed the Framework so that any organisation can show, in a simple rating, where it stands in protecting its digital information, systems and organisation.
Like other frameworks, and there are a few, it has its good points and bad. One of its better points is that it is easy to implement, although the first assessment can be labour intensive.
The most important part is that it is a standard: a single figure that any business can compare with any other business, no matter its size, who it is or where it is located.
NIST is not a competition. It is just a rating system, but it does become competitive, both internally and externally.
It is a way for any organisation to compare its cybersecurity capability internally, and a standard figure to hand to anyone who asks for it in the course of doing business.
It allows management to make decisions on who they want to do business with, and on what terms.
The Framework is built on five Functions: Identify, Protect, Detect, Respond and Recover.
Each Function has a number of questions (one per Framework subcategory, 98 in total) and each question has a range of predetermined responses. The answers are scored from 0 (nothing is in place) to 4 (a process is in place, used at all times, and supported and signed off by management). Once all the questions have been answered the scores are tallied and divided by the number of questions (98).
This gives every organisation a score between 0 and 4.
Most organisations come in under 1 when first questioned. Still, it is not a competition, so that is your starting point.
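The scoring described above, as an added example that is not part of the original post: it validates that all 98 questions are answered with a whole number from 0 to 4, computes the overall score, breaks the score down per Function so you can see where points are being lost, compares two assessments (reason 3 below) and applies a "do business only above a threshold" policy (reasons 7 and 10). The per-Function subcategory counts (24/35/18/15/6, summing to 98) are taken from Cybersecurity Framework v1.0; the question IDs and both assessments are constructed sample data, not results from any real organisation.

```python
from collections import defaultdict

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
FUNCTION_CODES = {"Identify": "ID", "Protect": "PR", "Detect": "DE",
                  "Respond": "RS", "Recover": "RC"}
# Subcategory counts per Function in CSF v1.0; they sum to the 98 questions the
# article refers to. Check them against the question list you actually use.
SUBCATEGORY_COUNTS = {"Identify": 24, "Protect": 35, "Detect": 18,
                      "Respond": 15, "Recover": 6}
TOTAL_QUESTIONS = sum(SUBCATEGORY_COUNTS.values())  # 98
MIN_SCORE, MAX_SCORE = 0, 4  # 0 = nothing in place, 4 = always used and signed off


def validate(answers):
    """answers: dict mapping question id -> (Function, score).
    Rejects anything that would silently distort the average: missing or extra
    questions, unknown Functions, or scores outside 0..4."""
    if len(answers) != TOTAL_QUESTIONS:
        raise ValueError(f"expected {TOTAL_QUESTIONS} answers, got {len(answers)}")
    per_function = defaultdict(int)
    for qid, (function, score) in answers.items():
        if function not in FUNCTIONS:
            raise ValueError(f"{qid}: unknown Function {function!r}")
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{qid}: score must be an integer in {MIN_SCORE}..{MAX_SCORE}")
        per_function[function] += 1
    if dict(per_function) != SUBCATEGORY_COUNTS:
        raise ValueError(f"questions per Function {dict(per_function)} "
                         f"do not match {SUBCATEGORY_COUNTS}")


def overall_score(answers):
    """The headline figure: sum of all scores divided by 98, rounded to 2 places."""
    validate(answers)
    return round(sum(score for _, score in answers.values()) / TOTAL_QUESTIONS, 2)


def function_scores(answers):
    """Average per Function, which shows where the overall score is being lost."""
    validate(answers)
    totals = defaultdict(int)
    for function, score in answers.values():
        totals[function] += score
    return {f: round(totals[f] / SUBCATEGORY_COUNTS[f], 2) for f in FUNCTIONS}


def weakest_function(answers):
    """The Function to work on next (first in Framework order on a tie)."""
    scores = function_scores(answers)
    return min(FUNCTIONS, key=lambda f: scores[f])


def meets_partner_policy(score, threshold=2.0):
    """A 'only do business with organisations rated above X' policy, strictly above."""
    return score > threshold


def progress(before, after):
    """Change per Function and overall between two assessments."""
    b, a = function_scores(before), function_scores(after)
    delta = {f: round(a[f] - b[f], 2) for f in FUNCTIONS}
    delta["Overall"] = round(overall_score(after) - overall_score(before), 2)
    return delta


def constructed_assessment(level_per_function):
    """Constructed sample data: every question in a Function gets the same score.
    A real assessment answers each of the 98 questions individually."""
    answers = {}
    for function in FUNCTIONS:
        for i in range(1, SUBCATEGORY_COUNTS[function] + 1):
            qid = f"{FUNCTION_CODES[function]}-{i}"  # hypothetical question id
            answers[qid] = (function, level_per_function[function])
    return answers


# A typical first pass (under 1, as the article notes) and the same organisation
# after adding policies and procedures. Both are constructed, not real results.
FIRST_PASS = constructed_assessment(
    {"Identify": 1, "Protect": 1, "Detect": 0, "Respond": 0, "Recover": 0})
SECOND_PASS = constructed_assessment(
    {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 1})

if __name__ == "__main__":
    print("first pass :", overall_score(FIRST_PASS), function_scores(FIRST_PASS))
    print("second pass:", overall_score(SECOND_PASS), function_scores(SECOND_PASS))
    print("weakest now:", weakest_function(SECOND_PASS))
    print("progress   :", progress(FIRST_PASS, SECOND_PASS))
    print("clears a >2.0 partner policy:",
          meets_partner_policy(overall_score(SECOND_PASS)))
```

The per-Function breakdown is the part worth keeping: two organisations can both score 1.6 overall while one has nothing at all in place under Detect, and a single averaged figure hides that.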
1 – NIST is easy to understand
Every organisation can have a NIST score. It takes a couple of hours to sit down and honestly answer the 98 questions, and that gives everyone a starting point for protecting their organisation from a cyber event.
2 – NIST can be used to compare with others in your industry and across all industries
Comparing one NIST rating with another is easy. If your score is 2.8 and you want to do business or form a joint venture with an organisation whose NIST score is under 1, you need to be able to manage the risk that comes with that score.
3 – You can use your score to track your progress
If your original NIST score is 1.2 and you have since upgraded your technology, implemented policies and added procedures, your NIST score will start to increase. Every change for the better raises the score: small, incremental changes that have a big impact on your protection in the digital world.
4 – NIST is Objective
We all have an opinion and we all look at life differently. NIST takes this into account and delivers an objective view of your business. The 98 questions, each with a fixed set of responses, apply a consistent yardstick to what is otherwise a subjective judgement. It is still a self-assessment, so the score is only as objective as the honesty of the answers behind it.
5 – A NIST Score is credible
Giving every organisation the ability to compare its cyber event capability on a level playing field means that you are comparing apples with apples. You get a true rating of your cyber risk visibility. It also weeds out the unscrupulous who think they can bluff their way through the world.
6 – NIST shows your cyber event risk
The difference between a rating of 1 and a rating of 3 is substantial. A rating of 3 means the risk of a cyber event is greatly reduced, and an event that does occur is recovered from faster and managed more easily.
7 – Your NIST score is easy to understand
If the policy within your organisation is to only do business with organisations that have a NIST rating above 2, you know that the information passing between the organisations is being correctly managed.
8 – NIST is community based
There is a large and growing community using the NIST rating as a measure of cyber event resilience. They are there to help and, best of all, they have been there and done that.
9 – NIST adapts to the future
One of the best things about NIST is that it will handle the changes that are on the horizon. It handles them not because the changes are known, since no one knows them, but because it is a framework designed to protect your organisation, and that framework lets an organisation adapt its protection no matter what the changes are.
Not many people predicted the impact of social media, mobile and IoT, but it didn't matter in a NIST environment, because all you had to do was adapt to the changes.
10 – NIST gives your business a competitive advantage.
Any advantage in business is better than none, but the advantage NIST gives an organisation can be significant. NIST lets an organisation develop and deploy policies and procedures that set out how other organisations will interact with it. It also lets management make decisions based on fact. NIST can even be used in marketing the security of your organisation.
Management now has a systematic way of managing the internal and external risk to the organisation in the digital and cyber arenas. This lets them make objective, evidence-based decisions, create consistent policies and invest in the right technologies to protect the organisation.
NIST is also good at vetting the people and organisations you are going to do business with, and those looking to do business with you. A NIST rating lets you manage who you do business with.
If management has a policy of only doing business with organisations that have a NIST rating above 2.5, it means information passed to those organisations will be secured in the same way, with protective practices similar to your own.
So what is your NIST rating?
Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on cybercrime, cybersecurity and the hacking techniques used by the digital criminal.
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox, which is given away for free at the BSI. He is a speaker, author, teacher and educator on cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.