It’s late in the day, and the Chief Information Security Officer walks over to you. She asks you a single question: “How do you think about cybersecurity?”

The question catches you by surprise. How do I think about cybersecurity?

So many things run through your mind at once: Do I think about it in terms of the vast numbers of security products on the market? In terms of the sheer complexity of the cybersecurity challenge and how hard it is to defend against today’s sophisticated attackers? And what about all of the various analyst viewpoints?

Somehow you answer her question, but you’re not really satisfied with what you said. To you, it sounded disorganized and, well, basically all over the place. She considers your answer for a moment, glances away, and then continues silently to her office. You’re left to wonder what she thought of your answer.

Managing cybersecurity risks against today’s advanced threats is a challenge for the largest government organization down to the smallest school district. There’s certainly no 30-second answer. It’s a complex subject with so much to consider. Many professionals are left to wonder: Where do we start?

This is a key reason why I’m so passionate about the latest best practices publication from the National Institute of Standards and Technology (NIST). NIST has deep cybersecurity expertise and has published comprehensive guidelines on pretty much everything, from system categorization and security control selection through implementation, assessment, authorization, and continuous monitoring. NIST makes everything freely available on its Computer Security Resource Center site (csrc.nist.gov).


The NIST Cybersecurity Framework is their latest best practices publication. It’s perhaps the simplest and most straightforward approach toward managing cybersecurity risks that I’ve ever seen. It’s the result of NIST’s extensive work with both the public and private sectors to determine which security practices are the most effective today, and it outlines a process (describing your Current Profile, defining a Target Profile, and closing the gap between them) that helps you laser-focus on those controls that will have the most impact in your organization.

Another great part? The clear terminology they use to communicate the framework. Everything boils down to one of five core functions: Identify, Protect, Detect, Respond, and Recover. Firewalls? Think the Protect function. Intrusion detection? Think the Detect function (an intrusion prevention system that also blocks traffic straddles Protect and Detect). Computer forensics? Think the Respond function. You get the gist. Each function breaks down into categories and subcategories that point to existing standards such as NIST SP 800-53, ISO/IEC 27001, and COBIT, so everything in cybersecurity, people, process, and technology alike, can be categorized in this way.

So let’s wind back the clock a moment and answer your CISO a different way: “I think about cybersecurity in terms of the NIST Cybersecurity Framework’s core functions: The cybersecurity controls that enable our organization to Identify, Protect, Detect, Respond and Recover – efficiently and effectively managing cybersecurity risk.”

Want to learn more? We’ve included a session at Cisco Security Week on the NIST Cybersecurity Framework so that your organization can learn and apply it today. And there’s more! At Cisco Security Week, you can also expect to:

  • Learn about Cisco’s security strategy, and how our advanced solutions protect your organization and manage cybersecurity risks
  • Hear about the latest cybersecurity threats from Cisco Talos Security Intelligence and Research Group, and how their industry-leading threat intelligence helps secure your organization
  • Connect and engage with industry visionaries, peers, as well as Cisco’s security leaders and solution experts

Register here and join us at the next Cisco Security Week in your area!


Steve Caimi

Industry Solutions Specialist

US Public Sector Cybersecurity