CISO NextCybersecurity

Recover: The NIST Cybersecurity Framework’s Outlier

Jack Nelson
May 6, 2021
4 min read

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has achieved broad adoption across a range of different industries. The NIST CSF, which allows organizations to evaluate their maturity against a detailed set of standards and best practices, is broken down into five core functions:

1. Identify: Does the organization know how to manage cybersecurity risk to systems, people, assets, data and capabilities?
2. Protect: Has the organization implemented safeguards to ensure delivery of critical services?
3. Detect: Does the organization undertake activities to identify the occurrence of a cybersecurity event?
4. Respond: Does the organization undertake activities to address a detected cybersecurity incident?
5. Recover: Does the organization undertake appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident?

When it comes to organizational performance across these functions, one notable outlier emerges. An analysis of over 100 NIST CSF assessments completed by Protiviti over a four-year period shows a very high level of consistency in average scores across core functions, with the notable exception of recover.

NIST Category vs. Average Organization Category Score

The above graphic shows the spread of average NIST category scores for 110 different organizations. The trend is apparent; while most companies score consistently across identify, protect, detect and respond, there is a noticeably larger spread across recover. A grouping of companies on the right end of the average category score axis has achieved the highest possible maturity score, with others inching toward it. This implies a broader range of approaches taken to address recovery-related standards and controls, with some firms performing significantly better than others in this area while maintaining homogeny in maturity across the other four functions.

Put another way, recover is the most difficult category for an organization to outperform their peers in. As organizations look for newer and more intuitive ways to rank themselves against peers using NIST maturity scores, they may consider reporting the percentile in which they sit, rather than their score versus an industry average. Using this approach, companies need to do better in recover to keep up: to score better than 90 percent of other organizations in any of the other four categories, an average score of around 2.5 would be required. To do the same in recover, an organization would need to score a full point higher at around 3.5.

What does this disparity between recover and the other four core categories mean for business leaders? For one, that companies may be further behind their peers than they realize when it comes to recovery capabilities. As the percentile example above shows, scoring in kind with, or ahead of, other organizations requires higher maturity than may be expected.

Additionally, the data suggest that a certain subset of organizations are significantly underspending and underperforming in recover. In a survey conducted by Protiviti, companies consistently estimated recover-related investments to occupy the smallest share of their budgets out of the five NIST CSF categories. Combined with the stratification seen in the average score, there is presumably a significant amount of underspend occurring at the lowest scoring companies.

Altogether, these trends imply that some organizations may be overspending on capabilities meant to reduce the likelihood of cyber events at the expense of capabilities that may minimize their impact. This trend is especially concerning given that breaches are fairly common and have remained so for several years: Twenty-five percent of Fortune 1000 companies will have a breach in a given year, according to the 2020 Cyentia study, a figure which has held firm for the past five years.

Organizations can address this issue by assessing their recovery capabilities. Given the wider spread of scores in this function, an organization may be on uncertain footing in this area, even if they are achieving average maturity marks in other categories. Understanding where an organization falls in this broad spectrum can help ensure that breaches are able to be contained and understood quickly, especially in the face of increasing ransomware and other attack varieties that may have significant business impact if not mitigated. Protiviti has developed the Guide to Business Continuity and Resilience, which examines critical concepts around business continuity and related practices. The guide serves as a comprehensive overview of where to begin to prepare for the unexpected and build resilience. Click on the IT Disaster Recovery topic to see just some of the factors we consider when working with clients to strengthen their recovery practices.

To learn more about our cybersecurity capabilities, contact us.

Jack Nelson

Manager
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
25 Jul

Protiviti’s @KonstantHacker chats with guest @RichardBlech of @XsocCorp about a high-performance symmetric encryption solution that will provide in-depth defense against the threat of fault-tolerant #QuantumComputing. Listen now: https://ow.ly/9oVU50SJklj #ProtivitiTech

Reply on Twitter 1816504643360358712 Retweet on Twitter 1816504643360358712 1 Like on Twitter 1816504643360358712 1 Twitter 1816504643360358712
protivititech Protiviti Technology @protivititech ·
25 Jul

Protiviti’s Joe Corrado will join a #Nintex panel for a July 30 webinar to discuss how document automation boosts #RevOps efficiency and sales. Register today to get access to expert tips and real-world success stories. https://ow.ly/LSsf50SJnaY #ProtivitiTech

Reply on Twitter 1816443898970898615 Retweet on Twitter 1816443898970898615 Like on Twitter 1816443898970898615 Twitter 1816443898970898615
protivititech Protiviti Technology @protivititech ·
24 Jul

The world was dealt a massive wakeup call after a #CrowdStrike software update caused global IT outages. In the aftermath, business leaders should take the opportunity to reboot tech resiliency. Learn more from the latest #VISIONbyProtiviti: In Focus: https://ow.ly/R2vU50SJrAT

Reply on Twitter 1816169832544432319 Retweet on Twitter 1816169832544432319 Like on Twitter 1816169832544432319 Twitter 1816169832544432319
protivititech Protiviti Technology @protivititech ·
24 Jul

#VISIONbyProtiviti: In Focus discusses a U.S. judge’s recent ruling that rejected #SEC oversight of #cybersecurity controls in the case against SolarWinds, the impact of the decision, and why it matters. https://ow.ly/Ph7j50SIbLH #ProtivitiTech

Reply on Twitter 1816111993767547294 Retweet on Twitter 1816111993767547294 Like on Twitter 1816111993767547294 Twitter 1816111993767547294
protivititech Protiviti Technology @protivititech ·
17 Jul

How can organizations tackle internal tech tickets when a team is remote? Protiviti’s Kim Bozzella recommends fully leveraging the features of their #IT service management software. Learn more: https://ow.ly/Yf3J50SEy7u #ProtivitiTech #Forbes

Reply on Twitter 1813635582964183412 Retweet on Twitter 1813635582964183412 Like on Twitter 1813635582964183412 Twitter 1813635582964183412
Load More