How Does Your Cybersecurity Program Stack Up? Benchmarking NIST CSF 2.0 Alignment
Published On: February 26, 2025
Nearly a year has passed since the release of NIST CSF 2.0, which ushered in significant updates to the framework. Notably, the updates encourage organizations to put additional focus and resources towards developing security governance, risk management, supply chain management, and evidence preservation during incident response. With that first year behind us, K logix set out to explore how its customers are adapting to these changes, identifying both areas of strong alignment and opportunities for improvement. This analysis not only helps K logix refine its ability to support its customers, but also gives organizations valuable insight into how they compare to their peers. For clarity, strengths and improvement areas are grouped by NIST CSF 2.0 subcategory in this article.
Strength Areas
1. Technology Infrastructure Resilience (PR.IR)
A well-designed and secure network architecture is an important feature of any organization’s cybersecurity strategy, and this is reinforced by the NIST CSF 2.0 controls in the Technology Infrastructure Resilience subcategory. To achieve compliance, organizations are expected to implement key strategies such as network segmentation, continuous environmental monitoring, and redundancy in backup systems. Additionally, organizations should demonstrate that secure and resilient cloud architectures are in place. By complying with this subcategory, organizations are in a better position to limit the spread of security incidents, minimize downtime, protect critical assets, and maintain business continuity.
2. Roles, Responsibilities, and Authorities (GV.RR)
An organization is only as secure as the people who protect it. You’ve probably heard this phrase countless times, and while I hesitate to be yet another voice repeating it, the truth behind it remains undeniable. This fundamental principle underpins this NIST CSF category, which emphasizes that a strong security posture starts with the people behind it. The controls in this subcategory aim to ensure that employees understand the importance of security and take ownership of their role in protecting organizational assets. Compliance hinges on several key factors: leadership must take accountability for security and actively support cybersecurity initiatives, cybersecurity awareness should be deeply embedded in the organization’s culture, and sufficient resources should be allocated to maintain and strengthen security measures. Additionally, this subcategory emphasizes that cybersecurity should not exist in isolation, but be integrated across key departments, such as Human Resources. Overall, this subcategory seeks to ensure that security is not just a technological concern, but a fundamental part of the organization’s culture and operations.
3. Platform Security (PR.PS)
Every endpoint, application, and system represents a potential gateway for attackers, making platform security a critical priority. As organizations grow, so does their attack surface. K logix customers are keenly aware of this challenge and have placed it at the forefront of their security strategies. Encouragingly, this focus is driving tangible results: the Platform Security subcategory ranks as the third strongest area among our customers. This progress is largely driven by key security measures such as enforcing endpoint and cloud hardening standards, implementing effective patch management, maintaining a secure development lifecycle, and establishing a strong software management process. Additionally, deploying a SIEM tool for continuous monitoring ensures organizations can detect and respond to threats quickly. By embedding these security measures in their cybersecurity strategy, K logix customers are building a more resilient security posture in an increasingly complex digital landscape.
Improvement Areas
1. Policy (GV.PO)
One of the biggest gaps K logix sees across its customer base is documentation. It’s often pushed to the back burner, seen as tedious, time-consuming, and lacking the immediate impact of hands-on security work. Yet strong documentation does not just tick a compliance checkbox; it’s the backbone of a resilient security program. Imagine if an employee in charge of patch management suddenly goes on emergency leave – would the rest of the team be able to step in and patch critical vulnerabilities without clear documentation? Well-maintained documentation prevents gaps in security processes, reduces human error, and ensures personnel fully understand their roles and responsibilities.
2. Asset Management (ID.AM)
Asset management can easily turn into a logistical nightmare, so it’s no surprise that many organizations struggle with it. Many companies still rely on manual asset inventories, an outdated approach that is time-consuming, error-prone, and full of blind spots. Without strong asset management practices, organizations risk inefficiencies, lack visibility into critical assets, and open the door to potential loss or misuse. Investing in asset management tools is essential to overcoming these challenges. Automation not only streamlines the process, but also improves accuracy and efficiency, reducing the likelihood of costly mistakes. Another crucial aspect of effective asset management is maintaining data flow diagrams. These diagrams provide visibility into where critical data resides, helping organizations prioritize and secure assets strategically. By complying with NIST CSF 2.0’s asset management recommendations, businesses can turn asset management from a challenge into a competitive advantage.
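The blind spots and errors that the manual approach produces are exactly what an automated reconciliation catches. The following is an added example, not K logix's code or tooling: it compares a spreadsheet-style inventory against the output of an automated discovery run and reports assets that were never recorded, records that no longer match reality, and assets with no accountable owner. Both data sets and their field names are constructed for the example.

```python
"""Reconcile a manually maintained asset inventory against automated
discovery results. Added example, not K logix's code; the two CSV
samples below are constructed and their column names are assumptions."""
import csv
import io
from dataclasses import dataclass

# Constructed sample: what the manually maintained spreadsheet says exists.
INVENTORY_CSV = """hostname,ip,owner,criticality
web-01,10.0.1.10,platform,high
db-01,10.0.2.20,data,high
legacy-ftp,10.0.3.30,unknown,low
"""

# Constructed sample: what an automated network/agent discovery saw today.
DISCOVERY_CSV = """hostname,ip,last_seen
web-01,10.0.1.10,2025-02-20
db-01,10.0.2.21,2025-02-20
dev-box-7,10.0.5.77,2025-02-20
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # unknown_asset | missing_asset | record_drift | no_owner
    hostname: str
    detail: str


def parse(text):
    """Index CSV rows by hostname so the two sources can be set-compared."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory_csv, discovery_csv):
    inventory = parse(inventory_csv)
    discovered = parse(discovery_csv)
    findings = []
    # Live on the network but never recorded: the classic blind spot.
    for name in sorted(set(discovered) - set(inventory)):
        findings.append(Finding("unknown_asset", name,
                                f"seen at {discovered[name]['ip']} but not in inventory"))
    # Recorded but no longer found: stale record or undocumented decommission.
    for name in sorted(set(inventory) - set(discovered)):
        findings.append(Finding("missing_asset", name,
                                "in inventory but not discovered"))
    # Present in both, but the manual record disagrees with what was observed.
    for name in sorted(set(inventory) & set(discovered)):
        if inventory[name]["ip"] != discovered[name]["ip"]:
            findings.append(Finding("record_drift", name,
                                    f"inventory says {inventory[name]['ip']}, "
                                    f"discovery saw {discovered[name]['ip']}"))
    # An asset nobody owns cannot be patched, prioritized, or retired on purpose.
    for name, row in sorted(inventory.items()):
        if row["owner"].strip().lower() in ("", "unknown"):
            findings.append(Finding("no_owner", name, "no accountable owner recorded"))
    return findings


def summarize(findings):
    """Count findings per kind; useful as a trend metric between runs."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(INVENTORY_CSV, DISCOVERY_CSV):
        print(f"{f.kind:14} {f.hostname:12} {f.detail}")
```

Run on a schedule against the real discovery source, the per-kind counts from `summarize` give a simple measure of inventory drift over time, which is the visibility the manual process lacks.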
3. Cybersecurity Supply Chain Risk Management (GV.SC)
Many of K logix’s customers struggle to manage third-party security due to the sheer volume of vendors in their environments, leaving critical gaps in their supply chain risk management practices. Yet securing the supply chain has never been more important. Over the past year, we’ve seen a sharp rise in the effectiveness of supply chain attacks, with some of the most high-profile breaches and vulnerabilities of 2024 stemming from weaknesses in third-party security. To stay ahead, organizations must strengthen their supply chain risk management practices, and a great place to start is by aligning with NIST CSF 2.0.
A secure third-party risk management program provides oversight of vendors from onboarding to offboarding. It begins with a thorough vetting process that communicates cybersecurity expectations and assigns a risk score based on the vendor’s security posture, operational criticality, and required access. During the vendor’s tenure, regular security reviews are needed to confirm that the vendor continues to uphold its security requirements and is adapting to emerging threats, such as AI. With the rise of generative AI, organizations should assess how their third parties are using this technology and the potential security risks it introduces. Just as crucial, a secure offboarding process ensures that access is fully revoked and sensitive data is properly managed, preventing lingering security risks.
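The lifecycle just described (score at onboarding, review on a cadence, verify revocation at offboarding) is small enough to encode directly. Below is an added example, not K logix's program or any customer's: the scoring weights, the tier thresholds, the review intervals per tier, and the two vendor records are all assumptions chosen for illustration. The one design choice worth noting is that required access is weighted more heavily than posture or criticality, since a weak vendor with no access is a nuisance while a weak vendor with privileged access is an incident in waiting.

```python
"""Vendor lifecycle checks: onboarding risk tier, review cadence, and
offboarding verification. Added example, not K logix's code; weights,
tiers, intervals and the sample vendors below are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed scoring inputs: questionnaire result, business impact, access granted.
POSTURE = {"strong": 1, "adequate": 2, "weak": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
ACCESS = {"none": 0, "read": 1, "write": 2, "privileged": 3}

# Assumed review cadence per tier; higher risk is reviewed more often.
REVIEW_INTERVAL = {"high": timedelta(days=180),
                   "medium": timedelta(days=365),
                   "low": timedelta(days=730)}


@dataclass
class Vendor:
    name: str
    posture: str
    criticality: str
    access: str
    grants: List[str] = field(default_factory=list)  # accounts/roles provisioned for this vendor
    last_review: Optional[date] = None
    uses_generative_ai: bool = False
    ai_use_assessed: bool = False


def risk_score(v: Vendor) -> int:
    # Access counts double: it is what turns a vendor's weakness into our exposure.
    return POSTURE[v.posture] + CRITICALITY[v.criticality] + 2 * ACCESS[v.access]


def tier(v: Vendor) -> str:
    s = risk_score(v)
    return "high" if s >= 9 else "medium" if s >= 6 else "low"


def review_findings(v: Vendor, today: date) -> List[str]:
    """What the periodic review must raise for this vendor as of `today`."""
    findings = []
    if v.last_review is None or today - v.last_review > REVIEW_INTERVAL[tier(v)]:
        findings.append("review overdue")
    if v.uses_generative_ai and not v.ai_use_assessed:
        findings.append("generative AI use not assessed")
    return findings


def offboarding_findings(v: Vendor, active_accounts: Set[str]) -> List[str]:
    """Compare what was provisioned for the vendor with what still exists."""
    lingering = sorted(g for g in v.grants if g in active_accounts)
    return [f"access still active: {g}" for g in lingering]


# Constructed sample records.
TODAY = date(2025, 2, 26)
LOGISTICS = Vendor("acme-logistics", "adequate", "high", "privileged",
                   grants=["svc-acme", "acme-vpn"],
                   last_review=date(2024, 6, 1), uses_generative_ai=True)
MAILER = Vendor("mailer-co", "strong", "low", "read",
                grants=["mailer-api-key"], last_review=date(2024, 9, 1))
# Constructed snapshot of accounts still enabled in the identity provider.
ACTIVE_ACCOUNTS = {"svc-acme", "alice", "mailer-api-key"}

if __name__ == "__main__":
    for v in (LOGISTICS, MAILER):
        print(v.name, "score", risk_score(v), "tier", tier(v),
              "review:", review_findings(v, TODAY) or "ok")
    # Offboarding acme-logistics: one of its two grants was never disabled.
    print("offboarding acme-logistics:", offboarding_findings(LOGISTICS, ACTIVE_ACCOUNTS))
```

The offboarding check is the part most programs skip: it only works if `grants` was recorded at onboarding, which is a second reason to treat the vetting step as a data-collection step and not just a questionnaire.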
Next Steps
This article provides valuable insight into how your organization compares to peers in terms of NIST CSF 2.0 alignment and overall cybersecurity posture. Achieving strong alignment with NIST CSF 2.0 is an ongoing process and K logix is here to help. We can assess your current compliance, identify gaps, and provide a roadmap for further alignment. Whether you need a risk assessment or support in any of the areas mentioned above, the K logix team is ready to assist. For more information, contact one of our experts at info@klogixsecurity.com.