Don’t grow security maturity the hard way: Lessons from the NIST Framework

For a long time, when an attacker set out to breach a company’s network, the process was a lot like a physical burglary. The attacker would research the target (i.e. ‘case the joint’), get in quickly and unnoticed, collect all of the valuables that he could easily sell, and possibly leave behind an open basement window or other way to return later and collect more loot.

Today, data breaches are rarely isolated incidents. As security scribe Brian Krebs notes in a recent blog, malware can quickly shift into a sustained problem for victim organizations, because cybercriminals are mining, testing and harvesting stolen data – and holding it ransom for hefty fees. This increases the possibility of every employee within an organization becoming a weak spot in the security chain, as it’s never been easier for insiders to willingly (or accidentally) expose sensitive data. And unfortunately, many organizations increase their data security awareness, understanding and preparedness the hard way – waiting until after they’ve suffered an expensive, complicated incident to take stock of their sensitive information and strategically protect it.

If your organization is monitoring data for industry compliance but falling short of auditing for security attacks and threats, it’s time to re-evaluate your approach. The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, a reference for assessing security maturity, is a good place to start. NIST’s core functions of effective cybersecurity include:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Covering every one of these bases includes not only planning for data recovery after a breach occurs, but also evaluating assets in a business environment, developing a risk management strategy, detecting suspicious user behavior and constantly analyzing to improve security. Failing to do so could leave your organization exposed to threats it wasn’t even aware it faced.

As Krebs explains: “Real and effective security is about going beyond compliance — by focusing on rapidly detecting and responding to intrusions, and constantly doing that gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them.”

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.