Recover: The NIST Cybersecurity Framework’s Outlier

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has achieved broad adoption across a range of different industries. The NIST CSF, which allows organizations to evaluate their maturity against a detailed set of standards and best practices, is broken down into five core functions:

1. Identify: Does the organization know how to manage cybersecurity risk to systems, people, assets, data and capabilities?
2. Protect: Has the organization implemented safeguards to ensure delivery of critical services?
3. Detect: Does the organization undertake activities to identify the occurrence of a cybersecurity event?
4. Respond: Does the organization undertake activities to address a detected cybersecurity incident?
5. Recover: Does the organization undertake appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident?

When it comes to organizational performance across these functions, one notable outlier emerges. An analysis of over 100 NIST CSF assessments completed by Protiviti over a four-year period shows a very high level of consistency in average scores across core functions, with the notable exception of recover.

NIST Category vs. Average Organization Category Score

The above graphic shows the spread of average NIST category scores for 110 different organizations. The trend is apparent; while most companies score consistently across identify, protect, detect and respond, there is a noticeably larger spread across recover. A grouping of companies on the right end of the average category score axis has achieved the highest possible maturity score, with others inching toward it. This implies a broader range of approaches taken to address recovery-related standards and controls, with some firms performing significantly better than others in this area while maintaining homogeny in maturity across the other four functions.

Put another way, recover is the most difficult category for an organization to outperform their peers in. As organizations look for newer and more intuitive ways to rank themselves against peers using NIST maturity scores, they may consider reporting the percentile in which they sit, rather than their score versus an industry average. Using this approach, companies need to do better in recover to keep up: to score better than 90 percent of other organizations in any of the other four categories, an average score of around 2.5 would be required. To do the same in recover, an organization would need to score a full point higher at around 3.5.

What does this disparity between recover and the other four core categories mean for business leaders? For one, that companies may be further behind their peers than they realize when it comes to recovery capabilities. As the percentile example above shows, scoring in kind with, or ahead of, other organizations requires higher maturity than may be expected.

Additionally, the data suggest that a certain subset of organizations are significantly underspending and underperforming in recover. In a survey conducted by Protiviti, companies consistently estimated recover-related investments to occupy the smallest share of their budgets out of the five NIST CSF categories. Combined with the stratification seen in the average score, there is presumably a significant amount of underspend occurring at the lowest scoring companies.

Altogether, these trends imply that some organizations may be overspending on capabilities meant to reduce the likelihood of cyber events at the expense of capabilities that may minimize their impact. This trend is especially concerning given that breaches are fairly common and have remained so for several years: Twenty-five percent of Fortune 1000 companies will have a breach in a given year, according to the 2020 Cyentia study, a figure which has held firm for the past five years.

Organizations can address this issue by assessing their recovery capabilities. Given the wider spread of scores in this function, an organization may be on uncertain footing in this area, even if they are achieving average maturity marks in other categories. Understanding where an organization falls in this broad spectrum can help ensure that breaches are able to be contained and understood quickly, especially in the face of increasing ransomware and other attack varieties that may have significant business impact if not mitigated. Protiviti has developed the Guide to Business Continuity and Resilience, which examines critical concepts around business continuity and related practices. The guide serves as a comprehensive overview of where to begin to prepare for the unexpected and build resilience. Click on the IT Disaster Recovery topic to see just some of the factors we consider when working with clients to strengthen their recovery practices.

To learn more about our cybersecurity capabilities, contact us.

Jack Nelson

Manager
Security and Privacy

Subscribe to Topics

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Load More