Part 2: Using a Risk Assessment to Improve Your Cybersecurity


Leveraging the NIST Cybersecurity Framework (CSF)

By: Shawn Brown, COO, Snap Tech IT

If you missed Part 1 of this series, “What is the NIST Cybersecurity Framework (CSF)?,” I would encourage you to go back and check out that article so that you have a basic understanding of the NIST CSF. In this article we are going to talk about how you can use a Risk Assessment to identify the Low, Medium, High, and Critical risks in your company as they relate to cybersecurity.

The NIST CSF is a fantastic framework: it covers all aspects of cybersecurity and provides a lot of flexibility. However, it can be a little intimidating, and a lot of companies just don’t know how to get started.

Where do you start?

We like to start with a Risk Assessment that is based on the NIST CSF. We learned in Part 1 that there are 5 Functions, 23 Categories, and 108 Subcategories that make up the Framework Core. We also know that the level of risk differs across these Categories and Subcategories. For example, depending on your environment, a computer screen that does not automatically lock after 15 minutes might be less of a risk than not having threat detection technology in your network or not performing end-user security awareness training.

You could perform a Risk Assessment and evaluate your overall cybersecurity risk simply by downloading the NIST CSF 1.1 Framework Core spreadsheet, reviewing each Function, Category, and Subcategory, using the Informative References to understand the desired outcome for each Subcategory, and evaluating how well your company achieves that outcome. For a lot of companies this is a difficult task, because they do not have the knowledge, expertise, or time to complete an exercise like this.

What if we approached this task using the Pareto Principle, or the 80/20 rule? Instead of evaluating your company against all 108 Subcategories, what if you could answer around 20 easy-to-understand questions that identify the high and critical risks at your company based on Impact and Probability?

Self-Assessment Tool

To help companies perform a Risk Assessment and improve their cybersecurity, Snap Tech IT offers access to a Self-Assessment tool that lets them answer around 20 easy-to-understand questions about their company and environment. Once the company completes the Self-Assessment, it has immediate access to a Risk Assessment report that is based on the NIST CSF 1.1.

Risk Assessment Rating

This report provides an Overall Risk Assessment rating that helps you identify your security strengths and weaknesses and gives advice on how to improve your security. Here is a sample screenshot from the report:

Top Risk Areas

The report will also provide your Top Risk Areas and show which Function, Category, and Subcategory each risk maps to in the NIST CSF. For each risk it shows the question, your answer, the Importance, and a Remediation Step to mitigate the risk. Here is a sample:
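To make the scoring idea concrete, here is an added example (not the Snap Tech IT tool or its questionnaire) of how a short yes/no self-assessment can be rated from Impact and Probability, banded into Low/Medium/High/Critical, and mapped back to CSF 1.1 Functions, Categories, and Subcategories. The questions, the 1..5 weights, the band thresholds, and the rule that the overall rating follows the worst open finding are all assumptions made for this example; the Subcategory identifiers (PR.IP-1, DE.CM-1, PR.AT-1, PR.AC-7, PR.IP-4) are real CSF 1.1 identifiers.

```python
"""Qualitative risk rating for a short NIST CSF 1.1 self-assessment.

Each yes/no question is tied to a CSF 1.1 Subcategory and carries an Impact
and a Probability weight (1..5) describing the risk if the control is absent.
Score = Impact x Probability, banded into Low / Medium / High / Critical.
The question bank, weights and thresholds are constructed for this example
and are not any vendor's questionnaire.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    function: str      # CSF Function (Identify/Protect/Detect/Respond/Recover)
    category: str      # CSF Category name
    subcategory: str   # CSF 1.1 Subcategory identifier
    impact: int        # 1 (negligible) .. 5 (severe) if the control is absent
    probability: int   # 1 (rare) .. 5 (almost certain) that the gap is exploited
    remediation: str   # Remediation Step reported when the answer is "No"


# Constructed question bank: hypothetical weights, real CSF 1.1 identifiers.
QUESTIONS = [
    Question("Q1", "Do workstations lock automatically after a period of inactivity?",
             "Protect", "Information Protection Processes and Procedures", "PR.IP-1",
             2, 3, "Enforce an inactivity screen lock through group policy or MDM."),
    Question("Q2", "Is network and endpoint activity monitored to detect security events?",
             "Detect", "Security Continuous Monitoring", "DE.CM-1",
             5, 4, "Deploy EDR/network monitoring with alerts that someone reviews."),
    Question("Q3", "Do all users complete security awareness training at least annually?",
             "Protect", "Awareness and Training", "PR.AT-1",
             4, 4, "Run recurring awareness training, including phishing simulations."),
    Question("Q4", "Is multi-factor authentication required for email and remote access?",
             "Protect", "Identity Management, Authentication and Access Control", "PR.AC-7",
             5, 5, "Require MFA on every externally reachable login."),
    Question("Q5", "Are backups taken regularly and restore-tested?",
             "Protect", "Information Protection Processes and Procedures", "PR.IP-4",
             5, 3, "Keep offline or immutable backups and test a restore each quarter."),
]

# Band thresholds on the 1..25 score (an assumption of this example).
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


def risk_rating(score: int) -> str:
    """Map an Impact x Probability score onto the four risk bands."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(answers: dict[str, bool]) -> list[dict]:
    """Return open findings (questions answered No, or unanswered), highest risk first.

    Each finding carries the CSF mapping and remediation step, which is what a
    report's 'Top Risk Areas' section lists.
    """
    findings = []
    for q in QUESTIONS:
        if answers.get(q.qid, False):   # "Yes": control is in place, no finding
            continue
        score = q.impact * q.probability
        findings.append({
            "qid": q.qid,
            "question": q.text,
            "answer": "No",
            "function": q.function,
            "category": q.category,
            "subcategory": q.subcategory,
            "score": score,
            "rating": risk_rating(score),
            "remediation": q.remediation,
        })
    findings.sort(key=lambda f: (-f["score"], f["qid"]))
    return findings


def overall_rating(findings: list[dict]) -> str:
    """Overall rating is driven by the single worst open finding (assumption)."""
    return findings[0]["rating"] if findings else "Low"


def top_risk_areas(findings: list[dict], n: int = 3) -> list[str]:
    """Format the top-N findings as one line each: rating, CSF mapping, question, fix."""
    return [f"{f['rating']:8} {f['function']} / {f['category']} / {f['subcategory']}: "
            f"{f['question']} -> {f['remediation']}" for f in findings[:n]]


if __name__ == "__main__":
    # Constructed answers: screen lock, monitoring and backups are missing.
    sample = {"Q1": False, "Q2": False, "Q3": True, "Q4": True, "Q5": False}
    found = assess(sample)
    print("Overall risk rating:", overall_rating(found))
    for line in top_risk_areas(found):
        print(line)
```

With the constructed answers above, missing monitoring (DE.CM-1, 5 x 4 = 20) comes out Critical, missing restore-tested backups (PR.IP-4, 15) High, and the missing screen lock (PR.IP-1, 6) only Medium, which is the ordering the article argues for: a handful of weighted questions surfaces the few gaps that matter most before you work through all 108 Subcategories.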

Industry Comparison

If you are curious about how you stack up against your competition, the report will also provide you a section that compares your results against other companies in your industry.

Appendix / Questions

In the final section of the report, you will find a list of all the questions, your answers, and any remediation steps that will help you improve your security for that question.

Protecting your company from cyber threats is essential. Leveraging a framework like the NIST CSF is a great way to ensure that you are following industry best practices and recommendations to protect your company from a cyber-attack.

Get a snapshot of the risk to your IT environment: set up some time to speak with a CyberDefense Consultant and walk through a personal Cybersecurity Assessment.