NIST Cybersecurity Framework (CSF) for Every Organization

Whether you work for a small organization where you know everyone’s name or a huge organization spread across the globe, good cyber security practices are an incredibly powerful tool that can mean the difference between quickly getting back to business as usual after a cyber incident or the organization having an uncertain future.

But let’s not get bogged down in fear, uncertainty, and doubt around cyber security. The challenge can seem insurmountable at times, but it’s possible to protect an organization - its people, data, and resources - from cyber risks with a bit of analysis, a touch of planning, and a heaping helping of know-how. Fortunately, a U.S. Government agency has already given you the tools you need to build a roadmap to follow to do exactly that.

Enter the NIST CSF

One of the key tools in RipRap Security’s utility belt is the NIST Cybersecurity Framework. NIST is a US Government organization that brings together technical and policy experts from across the government, industry, and academia. Their collective goal is to develop technologies, frameworks, and guides to help everyone, not just government agencies, address cyber risks. NIST’s Cybersecurity Framework (CSF) is a technology-neutral, modular framework that enables users to:

  • Understand their organization’s existing cyber security capabilities and posture

  • Develop a picture of what future cyber security capabilities looks like

  • Measure their progress between their current and future cyber security states

  • Act as a common language between internal and external stakeholders

At the CSF’s heart are five functions of cyber security realms that center around people, process, and technology:

  • Identify - how an organization understands its IT and security environment, assets, personnel, data, capabilities, and relationships

  • Protect - an organization’s safeguards that ensure that business can proceed as usual

  • Detect - the ability to uncover potential security events or incidents

  • Respond - the capacity to take follow-on actions not if, but when a cyber security event or incident occurs

  • Recover - the ability to successfully and completely recover following a cyber security event or incident

These five functions contain 23 categories and a whopping 108 subcategories, all of which can be used to give organizations a full picture of their current security posture and chart a course for improvement. So this sounds great and everything, but what’s the catch?

While the NIST CSF is an incredibly strong framework, it is not designed to provide specific implementation guidance on how an organization should go about improving their security posture. This leaves the organization in an untenable position for improving cyber security if they don’t already have a cyber security expert or security-informed IT personnel on-staff. In this situation, bringing on a cyber security consultancy is a great way to quickly and efficiently put an organization on the right path for improved security.

You’ll know if you found the right cyber security consultancy if they are using interviews with the organization’s executive and technical stakeholders to deep-dive into the mission, IT environment, people, and processes to identify which NIST CSF elements apply to your organization as well as the current security posture. The security experts should then be able to recommend what an organization’s security posture should look like in the future, based on your mission, risk, and priorities. Then, based on this future security posture, the experts should provide specific recommendations on how to reach this improved security posture.

RipRap Security’s approach is to group these specific recommendations into separate efforts as a part of a security improvement roadmap that can be executed over time. Our team breaks down roadmap items into those efforts which can be solely tackled by the organization’s own staff to save costs, as well as into efforts that an organization should consider partnering with RipRap Security’s own experts (or experts of the organization’s choice). This approach helps reduce the cost of cyber security improvement efforts, contributes to an increase in organizational buy-in, and elevates success rates of these efforts.

Wrapping it Up

Thinking about upping your security game using the NIST Cybersecurity Framework but need a little help? Please shoot us an email at to set up a free consultation about how we can support your security improvement efforts. We’re always here to help.

Founded by two former US Government cyber security operators, RipRap Security brings decades of experience to the table in order to protect purpose-driven organizations from cyber threats. We use fixed, predictable pricing and a tailored, prescriptive approach to protect our partners.