How time flies. It’s already been almost 10 years since the NIST (National Institute of Standards and Technology) Cybersecurity Framework was first rolled out to provide technical guidance for those responsible for critical infrastructure interests, including energy, banking, and public health.
By early November, we can expect to see a sixth function officially added to the famous five functions of an effective cybersecurity program – namely: identify, protect, detect, respond, and recover.
And we’re glad to say that the final function is ‘govern’.
It’s expected that the addition of the sixth function will expand the usefulness of the NIST framework to all those sectors outside of critical infrastructure and provide guidance to support their overall cybersecurity strategies.
Celebrating the new NIST framework
So, why does NIST 2.0 make us quietly happy? Possibly because it’s something we’ve taken to heart.
From the Global Storage perspective, governance has long been the missing piece in the cybersecurity puzzle. Having gone through the intensive processes of earning ISO 27001 certification several years ago, it’s good to see NIST catching up with the technology partners (like us) who adopted ‘govern’ as a central premise to support and protect their customers more effectively.
And the Australian Government obviously agrees. Its current principles of cybersecurity governance are grouped into four key activities: govern, protect, detect and respond.
Govern: Identifying and managing security risks.
Protect: Implementing controls to reduce security risks.
Detect: Detecting and understanding cyber security events to identify cyber security incidents.
Respond: Responding to and recovering from cyber security incidents.
In its discussion paper, “Strengthening Australia’s cybersecurity regulations and incentives,” the government is actively seeking views about how it can incentivise businesses to invest in cybersecurity, including through possible regulatory changes. The first of the proposed new policies up for discussion is governance standards for large businesses. Suggested governance approaches include alignment with international standards and frameworks (like ISO 27001 and NIST).
Governance (and the associated reporting) is clearly a timely new focus for those non-critical infrastructure Australian businesses that haven’t yet fully developed a robust and all-encompassing cybersecurity plan. ASIC has started to actively fine businesses that fail to take remedial action after breaches – and they are unlikely to accept excuses based on size and lack of capability from the SMB sector.
It’s been interesting for us to watch some of our larger customers, who previously aligned themselves with the ASD Essential Eight, now realigning themselves with NIST due to its depth, breadth and maturity. And we expect the addition of the ‘govern’ function to cement that move even more firmly.
Catching the curve ball
While we’d like to say we were ahead of the curve in becoming ISO 27001 certified, the reality is that many technology partners saw the writing on the wall. We could see that ‘govern’ would be recognised as an important function over and above the five technical, control-based functions championed by NIST up until now – and that our commitment to going further should come sooner rather than later.
What Global Storage’s ISO accreditation (and statement of applicability) means for our customers is that we keep the necessary governance records for them. So, if they are audited or even prosecuted, we can prove that the principles and controls of ‘govern’ were fully followed. In effect, they can leverage our external certification against their compliance requirements, making it easier for them to do business with confidence. And in turn, we leverage the certifications of our own ISO-accredited service providers.
While committing to ISO 27001 five years ago was a market differentiator, it’s now a prerequisite for most partners like us. From a sales perspective, it accelerates the conversations and removes roadblocks. Whereas before, our customers had no dedicated security resources, today’s organisations typically have multiple internal staff whose primary responsibility is security. But those are the lucky ones: with the huge global deficit in cybersecurity resources, many organisations cannot afford to hire and retain the people needed. All of which makes it even more important that a partner can offer the certified support needed.
New framework, new challenges
But going back to a cybersecurity framework that includes ‘govern’, for those already in a regulated industry (for example, health and banking), it shouldn’t pose too much of a problem – they are used to the requirement of being audited.
In the case of non-regulated and often less mature industries, though, it will pose a challenge despite growing customer demand that they level up. For these organisations in particular, having a service provider that’s already got all those ‘govern’ boxes ready-ticked will alleviate the time, pain, and distraction of completing additional paperwork.
As I’ve said, we’ve made a significant investment in ISO 27001, and that accreditation requires us to achieve and maintain precise standards and undergo a yearly external audit. It’s also shaped the way we run our business. We can’t afford mistakes; we put our reputation on the line daily. These days, saying “oops, sorry, my bad” isn’t good enough for us or our customers (and in our books, it never has been) – meaning we’re very prescriptive about how we run our cybersecurity functions and services.
Feel good about the company you keep
Like practically every company in the world, we’ve had cybercriminals trying to attack us – but every attempt has been detected, contained, and dealt with in keeping with our governance system. We’ve never had a breach.
With NIST soon to be updated and the Australian Government looking likely to enforce governance for all organisations regardless of size, it’s critical these businesses can turn to a trusted service provider who has been there, done that – and actually lives and breathes the concept of “govern”. Only by doing that can they quickly and directly move forward and comply while reducing risk.
So, when your performance and strategy are held up against NIST standards, ISO standards, or government governance regulations, you can be confident that you, too, are ahead of the cybercrime curve ball.