The National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF) recently celebrated its fifth birthday. By the end of next year, Gartner estimates that 50 percent of organizations will have implemented the NIST Framework.
This is a long way from the early days when technology leaders instituted the CSF to provide cover and defend their actions. Back then, the belief was that if a breach happened, technology leaders could deflect blame by pointing out they followed the federal government’s recommendation, almost as a way to avoid getting in trouble.
However, as these organizations adopted the CSF, an interesting thing happened. They began to find its utility, even if their original goal for using the CSF was perhaps not what the framework’s authors imagined. As I discussed on a recent GovLoop webinar with Matt Barrett, who was the NIST Program Manager, Cyber Security Framework (access it on-demand), there are many lessons learned from the first five years of implementing the CSF that can be used going forward.