This post is from my series of short essays on cybersecurity.
We humans have the unique capability of understanding complex problems and patterns as compositions of smaller, simpler building blocks. This allows us to visualize a large, complex system or problem as smaller, manageable components, dig deeper, and analyze the impact of each individual component. When I started my journey into the cybersecurity space, I was overwhelmed with information, terminology, complex algorithms and protocols, stretching from human factors and economics to complex mathematical cryptography concepts. I wanted a framework that could help me understand the big picture and allow me to dig into the depth at the same time. By dictionary definition, a framework is a supporting structure that holds all parts together to accomplish the larger objective.
The NIST Framework for Improving Critical Infrastructure Cybersecurity, known simply as the NIST Cybersecurity Framework (NIST-CSF), was originally designed to protect critical infrastructure such as power plants. But because NIST-CSF defines a broad scope and clear definitions of cybersecurity functions, it provides a wide range of concepts that can be implemented and analyzed in any other organizational environment, small or large. The framework discusses the cybersecurity activities, outcomes, and informative references used to build the organization's profile.
According to NIST-CSF, the journey of cybersecurity activities starts with identifying the assets and functions we want to protect: “Identify”. This is a critical step that sets the path forward for the other cybersecurity functions and helps us understand the risk and the investment needed in them. In the “Identify” process we identify the assets in the system and the risks associated with them, and assess the loss if those assets are attacked and compromised. Identification of assets is not a one-time activity; it is a continuous process. As organizations evolve and grow, new assets will be added, old assets will be decommissioned as technology improves, new employees will join the company, and existing employees will change roles or depart. To scale properly, it is better to build an automated system that can keep pace with the continuously changing environment.
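The sketch below is an added example, not part of NIST-CSF or of the original essay, showing one small piece of such automation: reconciling the recorded inventory against what a discovery scan and the HR roster currently report. The `Asset` fields, the `reconcile` function, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str        # employee accountable for the asset
    criticality: int  # 1 = low ... 3 = high, from the last risk assessment

def reconcile(inventory, discovered_ids, active_employees):
    """Compare the recorded inventory with what is actually present.

    inventory        -- dict of asset_id -> Asset (what we believe we own)
    discovered_ids   -- set of asset ids seen by the latest discovery scan
    active_employees -- set of current employee names from the HR system
    """
    known = set(inventory)
    by_priority = sorted(inventory.values(),
                         key=lambda a: (-a.criticality, a.asset_id))
    return {
        # New assets: present in the environment, never risk-assessed.
        "unassessed": sorted(discovered_ids - known),
        # Recorded but no longer seen: decommissioned, or silently offline.
        "not_seen": sorted(known - discovered_ids),
        # Still running but the owner has departed, so nobody is
        # accountable; the most critical assets are listed first.
        "orphaned": [a.asset_id for a in by_priority
                     if a.asset_id in discovered_ids
                     and a.owner not in active_employees],
    }

# Constructed sample data, for illustration only.
INVENTORY = {
    "db-01": Asset("db-01", "alice", 3),
    "web-01": Asset("web-01", "bob", 2),
    "build-01": Asset("build-01", "bob", 1),
    "old-ftp": Asset("old-ftp", "carol", 1),
}
DISCOVERED = {"db-01", "web-01", "build-01", "iot-cam-7"}
ACTIVE_EMPLOYEES = {"alice", "carol"}  # bob has left the company

if __name__ == "__main__":
    findings = reconcile(INVENTORY, DISCOVERED, ACTIVE_EMPLOYEES)
    for kind, ids in findings.items():
        print(f"{kind}: {ids}")
```

Run on a schedule, each non-empty list becomes a work item: assess the new asset, confirm the decommissioning, or assign a new owner.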
Once identification is done, the next step is to build the strategy to “Protect” the assets. Building protection for assets needs a comprehensive strategy. It starts with training and education of the organization. The next step is implementing security controls using suitable technology solutions such as firewalls, authentication systems, authorization policies, and encryption enforcement. In later posts I will discuss several of these technologies and security controls in detail. Once assets are identified and protections are put in place, NIST-CSF discusses building resiliency into the system through the functions of “Detect”, “Respond” and “Recover”. These functions allow the system to operate safely and reliably. In the next post I will discuss system resiliency and the functions of detection, response, and recovery.