NIST CSF: Protect: Potayto Potahto


The Protect phase of a NIST CSF-based Cyber Security program is about implementing your risk management policy for whatever your Identify phase identified. In practice, this means moving from policy to procedure, from the abstract to the concrete. Along the way, you have to take into account that Cyber Security is about how the members of your organization do things more than what the members of your organization do.

Let's work through a simple example: you identify your network infrastructure (routers, bridges, hubs, switches, all those small boxes with the blinking lights and network cables or WiFi antennae) as a critical asset to protect. Simple enough. But how do you protect those easy-to-ignore boxes in their closets and other out-of-sight locations? One way to protect them is to make sure that their firmware is up-to-date.

That is a reasonable policy, so what is the procedure? You could have whoever maintains your network infrastructure make a shared spreadsheet of each of these pieces of hardware, noting their date of deployment, their make and model, and the last time the firmware was updated. This is the link between the managers and the worker bees, so this is important.

By itself, this spreadsheet is not much use, but it becomes useful once your procedure is to have someone check for updates to these devices (God willing there are ways to sign up for notifications for most or all of your devices) on a regular basis: weekly? Monthly? Quarterly? As frequently as is practical is our advice.

Whenever there is an update, you use your update policy (always wait for some time to ensure the validity of the update? always take the update as soon as possible? wait on performance updates but immediately take security updates? Up to you.) to decide if and when to apply the update. Update the firmware as dictated by policy, then update the spreadsheet to record the firmware update.

Now you have the makings of a useful protection: the people doing the work know what they are supposed to do. The people managing those doing the work have a quick and clear way to see if the work is being done. The only remaining piece is to update job descriptions so that the work gets done and the doing gets checked. This doing is the Protect phase and the checking is the Detect phase.
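As an added example (not part of the original post), here is the inventory-plus-cadence procedure above expressed in Python, with the doing (the update policy) and the checking (who is overdue) as separate functions. The device names, vendor strings, dates, the monthly check interval and the 14-day soak period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:                     # one spreadsheet row, columns as described above
    name: str
    make_model: str
    deployed: date
    last_firmware_update: date
    last_checked: date            # added column: when someone last looked for updates

@dataclass
class Update:                     # a vendor notice for one device
    device: str
    released: date
    security: bool                # True for a security fix, False for performance/feature

# Constructed sample data with a fixed "today" so the run is reproducible offline.
INVENTORY = [
    Device("core-sw-01", "ExampleVendor CS-48", date(2022, 1, 10), date(2023, 11, 5), date(2024, 1, 15)),
    Device("edge-rtr-01", "ExampleVendor ER-4", date(2021, 6, 2), date(2024, 2, 20), date(2024, 2, 20)),
    Device("wifi-ap-07", "ExampleVendor AP-2", date(2023, 3, 14), date(2023, 9, 1), date(2024, 2, 10)),
]
UPDATES = [
    Update("core-sw-01", date(2024, 2, 28), security=True),
    Update("edge-rtr-01", date(2024, 2, 25), security=False),
    Update("wifi-ap-07", date(2024, 2, 1), security=False),
]
TODAY = date(2024, 3, 1)

def overdue_checks(devices, today, interval_days=30):
    """Detect side: devices nobody has checked within the cadence (monthly here)."""
    return [d.name for d in devices if (today - d.last_checked).days > interval_days]

def decide(update, today, soak_days=14):
    """Protect side, the update policy: security fixes go now, others wait out a soak period."""
    if update.security or (today - update.released).days >= soak_days:
        return "apply"
    return "wait"

def run_cycle(devices, updates, today):
    """One scheduled check: decide each update, apply approved ones, record it in the inventory."""
    by_name = {d.name: d for d in devices}
    outcome = {}
    for u in updates:
        outcome[u.device] = decide(u, today)
        by_name[u.device].last_checked = today              # the check itself is recorded
        if outcome[u.device] == "apply":
            by_name[u.device].last_firmware_update = today  # the spreadsheet update step
    return outcome
```

Running `overdue_checks` before and after `run_cycle` is the manager's view: the first call shows who has not been checked within the cadence, the second shows the cycle closed the gap.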

Ta da! NIST CSF-inspired Cyber Security has been achieved. Even though no one was hired as a Cyber Security Defender and no one was given a new job: the network infrastructure maintainer is still maintaining network infrastructure and their manager is still managing.

This is because sometimes Cyber Security is about how you do your job, not what you do in your job. System Administration plays a huge part in a Cyber Security program; it would make no sense to duplicate these functions, once for Operations and once for Cyber Security. Same people, same basic tasks, better logging and more formal execution.

This overlap is a large part of why our behavioral expert likes to say "good CISOs have narrow authority but wide influence." CISOs often have to change the how, not the what, which requires changing the why.
