The NIST CSF Adds Governance!

One of the reasons we founded Pythia Cyber was to provide cybersecurity (C/S) that included the behavioral aspects of C/S. All of our founders were all too aware that human behavior plays a large role in how well C/S works, but so rarely saw that reality reflected in how C/S is rolled out in the real world.

At long last, the Cybersecurity Framework from the National Institute of Standards & Technology has been expanded to include at least some of this under "Govern."

The Govern function joins the familiar five pillars of Identify, Protect, Detect, Respond & Recover.

This function is what you would expect and a great step toward what is needed. Adding this function validates Pythia Cyber's top-down approach in which we start at the top of the organization to set the priorities, the budget and the goals. This function makes the link to Risk Management clearer as well.

We hope that this official recognition of this concept will help move the needle on the tendency of CEOs and other senior management to lob C/S over the wall into the IT department. We don't expect the C-Suite to start working the front lines in the fight against ransomware or in the never-ending quest to preserve data, but we do expect the C-Suite to do their part:

  • Set the priorities about which cyber assets to protect
  • Review evidence that the protections are effective
  • Keep an eye on the cost-effectiveness of the protections
  • Revisit the priorities regularly and as needed

It is gratifying to be on the cutting edge of something, but since this is C/S, we can only pause briefly to congratulate ourselves before we must return to the never-ending battle to keep critical systems running without interruption and to keep critical data safe from unauthorized access but available to authorized users.
