NIST issues cybersecurity guidance for C-suite

The National Institute of Standards and Technology (NIST) has issued draft guidance aimed at assisting organizations in crafting a robust and resilient cybersecurity strategy. The draft guidance is the second installment of a two-volume document, NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, made for C-suite executives looking to create practical and measurable cybersecurity improvements. 

The guidance is designed to help organizations align their cybersecurity measures with their overall performance objectives, offering a structured approach to maintaining digital security. 

“Everyone manages risk, but many organizations tend to use qualitative descriptions of their risk level, using ideas like stoplight colors or five-point scales,” said NIST’s Katherine Schroeder, one of the publication’s authors, in a statement. “Our goal is to help people communicate with data instead of vague concepts.”

The cybersecurity guidance is intended to complement NIST’s existing risk management resources, such as the Cybersecurity Framework and Risk Management Framework. 

The framework is specifically designed to allow organizations to customize it according to their unique requirements. The flexibility it offers is one of the most important elements of the guidance, according to Katherine Schroeder, one of the guide’s authors. 

“We want people to be able to figure out the process of what to measure. You don’t necessarily need to crunch every number,” Schroeder said. “For example, you might want to figure out whether your organization is responding to incidents appropriately, and you might consider factors such as your response time and impact to the mission or business such as additional staff hours, resources needed, or impact to the bottom line. Then you can present that information in a way that makes sense, even if you’re not a statistician — so that you can figure out how to do better.”

The guide outlines a series of steps that organizations can follow to establish a cybersecurity measurement program, complete with a detailed, multi-step workflow for its implementation over time. By centering on the capability to implement measurable enhancements in cybersecurity, NIST believes the cybersecurity guidance will help improve security and optimize resource allocation.

“When technical teams communicate with management about information security, metrics provide a common language, using trends and numbers to bridge gaps in understanding,” the authors write. “Organizations want to be able to assess if controls, policies, and procedures are working effectively, efficiently, and how the organization is impacted. Metrics can be used to help prioritize areas for growth, improvement, or re-focusing resources.”  

NIST is calling for public comments on this draft by March 18, 2024.