Our approach to applying the updates that bolster your cyber resilience
In our digital age, keeping our systems safe is key to ensuring public safety and the smooth running of our society. Recent intrusions by groups like Volt Typhoon, a state-sponsored actor backed by China, have shown how widespread the effects of these attacks can be, especially on organizations that maintain critical infrastructure, house sensitive data, or provide critical services. These attacks, along with a 50% increase in ransomware attacks in the industrial sector in 2023, underscore the need for strong cybersecurity measures.
The National Institute of Standards and Technology (NIST) made significant updates to its Cybersecurity Framework (CSF) on February 26, 2024. These changes, especially in governance and supply chain security, are big steps forward from the 2018 version. They tackle long-standing issues by promoting better decision-making, clear communication, and proactive risk management.
There were two notable changes in the NIST CSF 2.0: the addition of a Govern function, which places governance alongside the five functions carried over from the earlier version (Identify, Protect, Detect, Respond, Recover), and an expanded emphasis on supply chain risk management.
West Monroe has consistently applied the NIST framework as a pillar of our approach, integrating governance into our engagements since 2015. Utilizing the framework, we objectively measure risk, identify improvement opportunities, and track our clients’ progress toward achieving their security goals year over year. From our point of view, traditional industries grapple with governance challenges, insufficient investment, stakeholder fragmentation, and siloed operations. With our deep engagement across traditional sectors, the timing of the NIST 2.0 update couldn’t be more crucial. We’re at the forefront, leveraging NIST to address the unique challenges traditional industries face.
Today's businesses are navigating a rapidly changing digital landscape, where advancements like artificial intelligence in threat detection and the increasing use of real-time data demand a strong approach to managing risks. It's essential for companies to build a culture and strategy around security governance that aligns with their business goals, regulatory needs, and risk tolerance. Investing early in a comprehensive security governance program pays off by making responses more effective and aligned with the company's objectives.
Governance is crucial for security teams, especially when they're responsible for assets they don't fully control. A governance model that promotes shared responsibility across the organization is necessary to maintain an appropriate level of security. This model goes beyond just day-to-day operations, involving leadership, policies, and oversight to ensure that cybersecurity efforts are unified and integrated at every level.
In today's interconnected business environment, managing the security of the supply chain is crucial. This involves overseeing a network of third-party providers of software, hardware, and services that are vital to operations. Recognizing the risks these external parties can introduce, it's important to have a strategy that ensures the safety, privacy, and availability of critical services and infrastructure. At West Monroe, we're committed to leading the way in supply chain security, guided by several key principles:
Challenges and updates for utilities
The updates in NIST CSF 2.0 are particularly important for utility companies because of their reliance on internationally sourced components and diverse supplier networks. That dependence creates exposure that is hard to see, as the Log4j (Log4Shell, CVE-2021-44228) episode showed: many organizations could not quickly tell which of their own systems and vendor-supplied products embedded the vulnerable library. Managing these risks requires continuous monitoring of suppliers, verifying their security measures, and maintaining visibility into the supply chain through software and hardware bills of materials (SBOMs and HBOMs).
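The practical value of an SBOM is that a question like "where do we run a Log4Shell-affected log4j-core?" becomes a query rather than an inventory exercise. The following is an added example, not code from the original article or from West Monroe: it parses a small CycloneDX-style SBOM constructed inline for illustration, normalizes Maven-style version strings (including pre-release suffixes such as 2.0-beta9), and flags components whose package URL falls within the affected range. The affected range shown covers only CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1); in practice the range table would be fed from a vulnerability database rather than hard-coded, and later follow-on CVEs widen the picture.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment for the example (not a real vendor's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
    ],
})

# Illustrative affected-range table keyed by purl without version.
# CVE-2021-44228 (Log4Shell) affected log4j-core 2.0-beta9 through 2.14.1 inclusive.
# A production check would load these ranges from a vulnerability feed (assumption for the example).
AFFECTED_RANGES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("2.0-beta9", "2.14.1")],
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?$")


def parse_version(version):
    """Turn a Maven-style version into a comparable tuple.

    '2.0-beta9' -> (2, 0, 0, 0, 0, 'beta', 9)   pre-release sorts below the release
    '2.14.1'    -> (2, 14, 1, 0, 1)              final release
    Numeric parts are padded to four places so tuples of different depth compare sanely.
    """
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    if m.group(2):  # pre-release tag present: flag 0, then tag name and number
        return nums + (0, m.group(2), int(m.group(3) or 0))
    return nums + (1,)  # final release: flag 1 sorts after any pre-release


def in_range(version, low, high):
    """True if low <= version <= high under parse_version ordering."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


def find_affected(sbom_json):
    """Return (base purl, version) for each component inside an affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "").split("?", 1)[0]  # drop purl qualifiers such as ?type=jar
        base, _, ver = purl.partition("@")
        ver = ver or comp.get("version", "")
        for low, high in AFFECTED_RANGES.get(base, []):
            if ver and in_range(ver, low, high):
                hits.append((base, ver))
    return hits


if __name__ == "__main__":
    for base, ver in find_affected(SAMPLE_SBOM):
        print(f"AFFECTED: {base}@{ver}")
```

The matching is done on the package URL rather than the display name, so log4j-api (not affected by CVE-2021-44228) and the unrelated 1.x log4j artifact are not flagged even though their names resemble the vulnerable component. The same pattern generalizes to any component and range list, which is why an SBOM is worth demanding from suppliers before an incident rather than after.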
Additional benefits for utilities
The NIST CSF helps utility companies not only meet but exceed regulatory requirements, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards. It offers a thorough approach to cybersecurity, identifying and mitigating risks beyond what compliance alone demands. This matters for areas such as the corporate IT environment, which sits largely outside the scope of NERC CIP yet is a common entry point for breaches that later reach operational systems.
By tracking cybersecurity performance metrics, utilities can manage their security strategies more effectively, identifying strengths and vulnerabilities. This data-driven approach helps in making informed decisions on resource allocation, adapting to evolving threats, and continuously improving cybersecurity posture.
Challenges and updates for healthcare
Adopting NIST CSF 2.0 is particularly significant for healthcare organizations, given their unique vulnerabilities and the critical nature of their services. Healthcare companies manage a vast amount of sensitive patient data, making them prime targets for cyberattacks. These attacks can lead to significant data breaches that compromise patient privacy and interrupt critical healthcare services.
Healthcare organizations are increasingly adopting the NIST CSF to navigate these challenges. A recent report by KLAS and the American Hospital Association found that 71% of healthcare organizations use the NIST CSF, with 57% citing it as their primary cybersecurity framework. This adoption is critical for protecting sensitive patient data and ensuring the uninterrupted delivery of healthcare services.
Proactive risk management
Healthcare organizations face specific challenges such as the need to protect patient information while ensuring uninterrupted access to critical health services. The NIST CSF 2.0's emphasis on governance and supply chain security is crucial for these organizations. It helps them address the complex cybersecurity threats arising from the increasing use of digital health technologies such as electronic health records (EHRs), telemedicine, and mobile health applications. These technologies, while beneficial, introduce new vulnerabilities and potential entry points for cyber-attacks.
Challenges and updates for manufacturing
Adopting NIST CSF 2.0 is also significant for the manufacturing sector, which faces its own cybersecurity challenges as digital technologies and the Internet of Things (IoT) are integrated into production processes. Manufacturers are at risk of cyberattacks that can disrupt operations, compromise intellectual property, and affect the supply chain. The NIST CSF 2.0 offers a comprehensive approach to managing these risks, emphasizing the importance of governance and supply chain security.
Implementing the NIST CSF 2.0 enables manufacturers to better protect their digital and physical assets. The framework's focus on supply chain security is crucial for manufacturers who rely on a complex network of suppliers and partners. By following the NIST CSF 2.0, manufacturers can improve their cybersecurity posture, ensuring the integrity, confidentiality, and availability of their systems and data. This not only helps in safeguarding against cyber threats but also supports regulatory compliance and builds trust with customers and partners.
The NIST Cybersecurity Framework 2.0 represents a pivotal advancement in the collective effort to fortify cyber resilience across industries. By introducing the Govern function and placing a renewed emphasis on supply chain risk management, this updated framework addresses critical vulnerabilities and aligns cybersecurity practices with the strategic objectives of organizations. West Monroe's proactive adoption and integration of these guidelines underscore the importance of governance and a security-first culture in navigating the complexities of today's digital landscape.
As businesses continue to evolve amid a backdrop of increasing cyber threats, the principles laid out in the NIST CSF 2.0 offer a comprehensive roadmap for enhancing security postures, fostering stakeholder engagement, and ensuring the continuous improvement of cybersecurity measures. Embracing these guidelines not only mitigates risks but also positions organizations to thrive in an era where digital resilience is synonymous with business success.