So, what makes the CSF different from NIST 800-53 or ISO 27001/27002? By definition, these are detailed regulatory documents that provide requirements for adhering to specific control standards. In comparison, the CSF provides a high-level framework for how to assess and prioritize functions within a security program drawn from these existing standards. Due to its high-level scope and common structure, the CSF is also much more suitable for those with non-technical backgrounds and for C-level executives. It was created with the realization that many of the controls and processes required for a security program have already been defined, and duplicated, across these standards. In effect, it provides the mechanism for a common structure within the industry that allows any organization to drive the growth and maturity of its cybersecurity practices, and to shift from a reactive state to a proactive state of risk management.
For organizations that are federally regulated, the CSF may be of particular importance. Many top-level directors have expressed that an industry-driven cybersecurity model is strongly preferred over prescriptive regulatory approaches from the federal government. Even though the CSF is currently voluntary for both the public and private sectors, it is important to realize that, with a high degree of probability, this will not be the case in the future. Discussions have already taken place among federal regulators and congressional lawmakers about using this voluntary framework as the baseline for best security practices, including for assessing legal or regulatory exposure and for insurance purposes. If these suggestions become reality, implementing the CSF now could give organizations much more flexibility and cost savings in how they implement it.
In addition to staying ahead of possible new laws and federal mandates, the CSF provides any organization, regulated or not, a number of other benefits, all of which support a stronger cybersecurity posture. Some of these benefits include:
- A common language and structure across all industries
- Opportunities for collaboration amongst public and private sectors
- The ability to demonstrate due diligence and due care by adopting the framework
- Greater ease in adhering to compliance regulations or industry standards
- Improved cost efficiency
- Flexibility in using any existing security standards, such as HITRUST, NIST 800-53, ISO 27002, etc.