Given NIST CSF is a baseline standard... how we all doing?
(C) NIST


Well. I've just had an interesting few weeks putting together almost 3 years' worth of NIST Cybersecurity Framework (CSF) assessment scores, and trying to come up with some sort of cross-industry average. It's no easy feat, and I'm no statistician. In retrospect, I should probably have found one. It took me the best part of a day working out how to make the bars in a bar chart different colours in Excel. Again. I'm not the type that asks for help. Even my kids could have done a better job. Seeing as they'll inherit 2-sec Towers one day, maybe I need to get them started.

Onto the meat of the results. Nobody "complies" (more about that later) with the NIST Cybersecurity Framework, yet it is intended as a bare minimum, best practice set of controls that companies should be adopting to resist cyber attacks.

It follows that there must be a furore of cyber attacks at this very moment, but let's face it, with the finger pointing at Boris, the media have got far better things to do. Cyber attacks haven't diminished. They've gone up, but the scary thing is, they've been normalised. 2-sec's Threat Intelligence research shows no sign of attacks abating, just subtle shifts in the behavioural and geographical patterns used by criminals.

It's tricky to put all this in one infographic, but the dotted blue line represents the "first score" of 100+ assessments, carried out mostly in the UK, mostly in London, mostly in companies with something to do with financial services. It would look a bit boring on its own, so I have filled our compliance dashboard with data that reflects the lowest-scoring client we have worked with. But don't worry, I'll never tell them that. That's a conversation that will never go down well.

Which leads to the next point. Companies never believe they're as bad as we tell them they are, and there's always the debate around how we can inflate scores before we present to their Board. As hardened auditors, we never have that debate. We must tell them how it is, warts and all. Once you've fallen into the trap of negotiating results with the company you're supposed to be independently auditing, you'll never get out.

I won't drill into each and every control section here, as I need to go and make dinner, but I think it's fair to conclude that the state of cyber security is far worse than people think it is; and whilst NIST CSF isn't a new standard, it does map to the key elements of ISO 27001, PCI DSS and Cyber Essentials. If a company doesn't comply with NIST CSF, it is highly unlikely they will comply with any of the other standards, and vice versa.

I did say I'd come back to what "complies" means, and in conclusion (if I can have two), compliance is whatever a company thinks it means. Almost anyone can stick their hand up and say "Hey! We comply with NIST CSF!", but complying with a standard simply means you agree with it. Whether or not controls are actually in place, or of sufficient maturity, is a different matter altogether, and would appear to be something only an external, independent auditor can assess on your behalf.

This isn't a sales spiel. It's common sense. So if you do want a high-level overview of the NIST CSF, how it applies to your organisation, and a ballpark estimate of how well you are faring, do get in touch. We do this for free, as long as we can present the findings to your Executive, and actually do something to help raise the bar. Or pick it up off the floor for you.

Stay secure! Over and out.

Kathy Wester

Director of IAM & Technical Risk

5mo

I know I am over a year late, but do you mind sharing your Excel logic to generate the graph? I am trying to put together the same graph for the board. Any helpful tips would be greatly appreciated! 😀

Mykyta Basanko

COO at Incode Group; Business Advisor at MLP.Co;

7mo

Great read!

Ilai Schechter

Investment Operations | Making the Change happen

2y

Great read, and a solid insight. It does worry me that many organisations think that they have 'achieved' a baseline, and that they are in fact 'safe' - while those two concepts don't actually apply! Wishing you and the team well!

Harriet Quiney

Partner - Professional Indemnity - "Harriet Quiney demonstrates a wealth of knowledge in her field and gives us the confidence we are getting the appropriate advice" Legal 500 2022

2y

I can't believe people are trying to negotiate cybersecurity audit results. Well, sadly I actually can, but how misguided.

Eduard Doroskevic, MSc CISA CISM CISSP

I help businesses connect finance to cybersecurity - governance, risk, and compliance services.

2y

Tim H., thanks for sharing your insight. I would be interested to learn more about your approach to National Institute of Standards and Technology (NIST) (CSF) audit; but I guess I would be even more interested in the #data itself 😏😃 I like the point regarding negotiations. I hope your #business can retain its stance on the subject for years to come.
