The chances of an organization falling victim to a cyberattack are much higher than they used to be. CyberEdge Group's 2019 Cyberthreat Defense Report (hosted by Imperva) found that 78% of surveyed organizations had been hit by at least one successful cyberattack in the previous year. Despite the steady stream of attacks in recent years, organizations still lag when it comes to identifying potential threats quickly and responding to attacks promptly. Advanced tools and technologies benefit both sides, security professionals and cybercriminals alike. For instance, anti-forensic techniques such as overwriting, disk sanitizers, or metadata erasers help perpetrators hide their digital footprints; an investigation then takes longer and costs more. Every new technology arrives with its own set of cyber threats.
NIST, the U.S. National Institute of Standards and Technology, publishes two documents that are frequently confused. The NICE Cybersecurity Workforce Framework (NIST SP 800-181) gives the private, public and academic sectors a taxonomy and common lexicon for describing cybersecurity work and workers, irrespective of where or for whom the work is performed. The Framework for Improving Critical Infrastructure Cybersecurity, usually called the NIST Cybersecurity Framework (CSF), is the risk-management framework whose Core, Implementation Tiers and Profiles this article describes, and it is the CSF that the sources below document.
NIST Cybersecurity Framework Explained
In February 2014, NIST released version 1.0 of a document titled "Framework for Improving Critical Infrastructure Cybersecurity." The practices it describes were meant to enhance the security and resilience of the nation's "critical infrastructure." Its primary aim is to provide a common language, a set of standards, and a series of achievable goals that help improve the cybersecurity posture of an organization. A draft of version 1.1 was circulated in 2017, and the final version 1.1 was published in April 2018 with additional material such as –
- How to perform self-assessments,
- Other details on supply chain risk management, and
- How to better interact with supply chain stakeholders.
Overall, the CSF enables organizations to put their best foot forward with security practices that improve their risk management strategies. Following it is entirely voluntary, and it was drafted to scale to organizations of any size and to be implemented gradually.
The Three Components of the NIST Cybersecurity Framework
The framework has three components – the Core, the Implementation Tiers, and the Profiles.
1. Framework Core
The Core is a set of cybersecurity activities and desired outcomes, organized into Functions, Categories and Subcategories and mapped to Informative References. It can be understood as a translation layer between teams: it gives executives, business units and technical staff a shared, non-technical vocabulary for the outcomes each of them is responsible for.
The Core therefore has four elements: Functions, Categories, Subcategories, and Informative References. The five Functions, Identify, Protect, Detect, Respond and Recover, organize cybersecurity activities at the highest level and map directly onto the risk-management lifecycle. In version 1.1 the Functions are divided into 23 Categories, which are in turn divided into 108 Subcategories, each of which is mapped to its respective Informative References.
Note: Informative References are specific sections of existing standards, guidelines and practices (for example ISO/IEC 27001, COBIT, CIS Controls and NIST SP 800-53) that illustrate a method of achieving the outcome of a Subcategory; they are a starting point for implementation, not a mandated control set.
2. Framework Implementation Tiers
Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework, from informal and reactive at one end to agile and risk-informed at the other. There are four levels: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive), with rigor increasing from Tier 1 to Tier 4. Tiers are not maturity levels; NIST recommends moving to a higher Tier only when a cost-benefit analysis shows that the additional risk reduction is feasible and worth the cost.
3. Framework Profiles
A Profile is the alignment of the Functions, Categories and Subcategories with an organization's unique business requirements, objectives, risk appetite, and resources. An organization builds a Current Profile (the outcomes it achieves today) and a Target Profile (the outcomes it needs), and the comparison between the two reveals gaps that become a prioritized, costed roadmap toward a healthier cybersecurity posture. The framework does not prescribe a Profile template; how Profiles are built and maintained is left to the organization.
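The Current-versus-Target comparison described above, as an added example that is not part of the original article or of any NIST publication. The Subcategory IDs are real CSF v1.1 identifiers with paraphrased outcome text; the 0-4 implementation scale, the sample scores, the business priorities and the ranking rule are constructed assumptions for illustration.

```python
"""Current-vs-Target Profile gap analysis over a handful of CSF v1.1 Subcategories.

Added example, not part of the original article or of any NIST publication.
The Subcategory IDs are real CSF v1.1 identifiers (outcome text paraphrased);
the 0-4 implementation scale, the scores, the business priorities and the
ranking rule are constructed for illustration only.
"""
from __future__ import annotations

# Subcategory outcomes from the Framework Core (IDs real, wording paraphrased).
CORE = {
    "ID.AM-1": "Physical devices and systems within the organization are inventoried",
    "PR.AC-1": "Identities and credentials are managed for authorized devices, users and processes",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after a cybersecurity incident",
}

# Constructed implementation scale: 0 = not implemented ... 4 = implemented and measured.
SCALE_MAX = 4
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample data. RC.RP-1 is deliberately absent from the Current
# Profile to show how an outcome nobody has assessed yet is handled.
CURRENT_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 1, "PR.DS-1": 2, "DE.CM-1": 1, "RS.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
PRIORITY = {"PR.AC-1": "high", "DE.CM-1": "high", "RC.RP-1": "medium", "PR.DS-1": "low"}


def validate(profile: dict[str, int]) -> None:
    """Reject Subcategory IDs that are not in the Core and scores off the scale."""
    for sub, score in profile.items():
        if sub not in CORE:
            raise ValueError(f"unknown Subcategory {sub!r}")
        if not 0 <= score <= SCALE_MAX:
            raise ValueError(f"{sub}: score {score} outside 0..{SCALE_MAX}")


def gap_analysis(current: dict[str, int], target: dict[str, int],
                 priority: dict[str, str]) -> list[dict]:
    """Return every Target outcome the Current Profile falls short of.

    Ordered by business priority, then by size of the shortfall, then by ID,
    so the list reads as a roadmap rather than as a table.
    """
    validate(current)
    validate(target)
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)  # never assessed counts as not implemented
        if have < want:
            gaps.append({
                "subcategory": sub,
                "function": sub.split(".")[0],  # ID / PR / DE / RS / RC
                "outcome": CORE[sub],
                "current": have,
                "target": want,
                "gap": want - have,
                "priority": priority.get(sub, "medium"),
            })
    gaps.sort(key=lambda g: (PRIORITY_RANK[g["priority"]], -g["gap"], g["subcategory"]))
    return gaps


def gaps_by_function(gaps: list[dict]) -> dict[str, int]:
    """Count open gaps per Function, handy for a one-line status to leadership."""
    counts: dict[str, int] = {}
    for g in gaps:
        counts[g["function"]] = counts.get(g["function"], 0) + 1
    return counts


if __name__ == "__main__":
    roadmap = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in roadmap:
        print(f"{g['priority']:<6} {g['subcategory']:<8} {g['current']}->{g['target']}  {g['outcome']}")
    print(gaps_by_function(roadmap))
```

On the constructed data the roadmap starts with the two high-priority outcomes (PR.AC-1, then DE.CM-1), followed by the unassessed RC.RP-1, which is treated as not implemented rather than silently skipped; a real Profile would carry many more Subcategories and typically a cost estimate per gap.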
Why the NIST Cybersecurity Framework Actually Matters
The framework combines best practices with practical tools for applying them. Its main benefits are listed here –
a. Offers Common Language
The Cybersecurity Framework creates common ground between industries and government. It simplifies how they share experiences, tactics, and strategies, and it ships with a set of references that professionals can readily access and put to use. One of its best attributes is that you can check whether your organization is following sound cybersecurity practices, and the documented outcomes then push you to improve. It is a good way to build a strategy against new targets and to re-engineer existing practices so as to strengthen your organization's cybersecurity position.
Gartner estimated in 2015 that 30% of U.S. organizations were already using the framework and predicted that adoption would reach 50% by 2020. As adoption grows, the shared successes and failures of organizations feed back into the framework itself, and a widely shared structure makes it worthwhile to build automated tools and processes around it.
b. Focuses on Risk Management through Implementation Tiers
As attackers find new ways to target sensitive data, systems, and networks, security professionals need to step up their game and improve their defensive strategies, which calls for a progressive framework. The five Functions of the NIST framework ensure that your organization's cybersecurity solutions and strategies address every stage of managing an incident, from identifying assets to recovering from an attack. For a sound risk-informed strategy, an organization can align itself with the framework voluntarily. The four Implementation Tiers help organizations move from reactive, response-driven strategies to risk-informed ones, in which they weigh likely cyber threats against their legal requirements, internal policies and constraints, and specific business goals.
c. Acts as a Base for Future Incentives and Penalties
The framework has been criticized for being voluntary, and some organizations have told government officials that they are not ready for new regulations and compliance mandates. Despite these criticisms, the framework has helped new ventures get a grip on securing their critical infrastructure, and it helps established leaders improve their existing cybersecurity position. Because it is a widely shared reference, it is also the natural baseline against which any future incentives or penalties would be measured.
d. Continuously Improving Process – Evolving Nature
Cybersecurity keeps evolving, and the framework has kept its relevance by evolving with it: it is designed to be revised as better practices emerge, as the version 1.1 update shows. In short, the CSF acts as a living guide to both current and emerging cybersecurity challenges.
The NIST Cybersecurity Framework is a positive step toward a healthier security environment. It is adaptable and improves over time, and it helps you set cybersecurity goals while assessing your progress at each stage. To defend an organization against cybercrime, professionals need to take a proactive approach that keeps the security infrastructure ahead of the malicious intent of cybercriminals.
Sources:
- CyberEdge Group, 2019 Cyberthreat Defense Report (Imperva-hosted copy): https://www.imperva.com/resources/reports/CyberEdge-2019-CDR-Report-v1.1.pdf
- NIST, Framework for Improving Critical Infrastructure Cybersecurity, version 1.0 (February 2014): https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
- NIST, Cybersecurity Framework presentation by M. Barrett (February 2018): https://www.nist.gov/sites/default/files/documents/2018/02/06/session_iii_-_barrett_csf.pdf