NAA (Not Another Acronym): What is NIST?

Not another acronym…

We’re not sure about you, but even we struggle to keep up with all the different acronyms which, particularly within the IT industry, seem to constantly crop up everywhere.

One acronym our team came across lately is NIST and, yes, some of us had to look it up on Google. It turns out that NIST stands for National Institute of Standards and Technology and it’s not new. Based in the US, NIST has been around for 120 years, playing an essential role in enabling and measuring technical innovation not just in the US but all over the world.

Why should I care?

So, why is it worth knowing one more acronym? And why should we bother to understand what NIST do? The answer is simple and remarkably relevant: cybersecurity. We know this is a bit of a buzzword at the moment. Not a week seems to go by without news of a cyber or ransomware attack somewhere around the globe. You may have read about the Kaseya cyber-attack at the beginning of July (our blog “Good v REvil” provides a good summary). Not too long ago, the Lazio region in Italy was the subject of a very sophisticated ransomware attack that disabled all its IT systems and ended up disrupting the regional Covid-19 vaccination registrations. So, what role does NIST play in all this? A very important one, actually. NIST have developed a tool to measure cybersecurity.

NIST’s Cybersecurity Framework

This framework focuses on using business drivers to guide cybersecurity activities and reinforces the need for cybersecurity risks to be included in organisations’ risk management processes. The Framework consists of three parts: the Core, the Tiers, and the Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organisational Profiles. By using Profiles, the Framework can then help an organisation to align and prioritise its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. Finally, the Tiers provide a mechanism for organisations to view and understand the characteristics of their approach to managing cybersecurity risk, helping prioritise and achieve cybersecurity objectives.

A very important feature of NIST’s Cybersecurity Framework is its scalability, as it can be easily adapted to organisations of all sizes, sectors and maturities. It is also outcome driven and does not mandate how an organisation should achieve these outcomes, meaning that whether you are part of a small company with a low cybersecurity budget or a large corporation with a million bucks’ budget, Tiers and Profiles can be tweaked and customised to achieve a result which is in line with your cybersecurity programme.

Education, Education, Education.

It would be rather reductive, however, to associate NIST only with the Cybersecurity Framework. Their work encompasses several areas, ranging from cryptography to IoT (Internet of Things), ICS (Industrial Control Systems) and practical cybersecurity solutions such as password standards and guidelines. Another primary focus for NIST is education and training. In partnership with government and academic bodies, NIST have been leading NICE (another acronym, sorry…), the National Initiative for Cybersecurity Education, since 2008. The NICE framework provides a common classification of cybersecurity roles and functions by describing the responsibilities, skills and knowledge required to perform cybersecurity tasks. This framework is increasingly relied upon across all sectors to help address skills gaps and develop cybersecurity awareness and learning.

It doesn’t have to be complicated.

So, who would have thought that this simple acronym could have such an impact on organisations’ cybersecurity strategies? Being familiar with the NIST Cybersecurity Framework and its general security guidelines is an important step in the right direction when it comes to protecting your organisation’s devices, IT systems and the valuable data they hold.

In a world of complicated acronyms and obscure technical jargon, NIST provide clear and practical guidelines to tackle challenges which are part of our everyday lives. It could be as easy as ABC or 123 (as long as you don’t set these as your passwords! See NIST’s Password Guidelines).

Article By | Barbara Giunchi Burr