NIST Cybersecurity Framework Adoption on the Rise

Security is top of mind for every organization, and in today’s complex IT environment, it can be a challenge for CISOs to ensure their security programs are performing efficiently and effectively. Over the years numerous security frameworks, guidelines and regulations have been created to help organizations stay on track. This week Tenable Network Security released results from the Trends in Security Framework Adoption Survey to better understand adoption patterns for widely used security frameworks, based on research conducted by Dimensional Research of more than 300 IT and security professionals in the U.S.

Overwhelming adoption rates

84% of organizations across a wide range of sizes and industries already leverage some type of security framework

The survey reveals that 84% of organizations across a wide range of sizes and industries already leverage some type of security framework. The most widely used frameworks include the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), Payment Card Industry Data Security Council Standard (PCI DSS), Center for Internet Security Critical Security Controls (CIS) and the ISO/IEC 27001/27002 (ISO).

The industries most reliant on security frameworks include Banking and Finance with 88% adopting at least one framework, Information Technology (87%), Government (86%) and Manufacturing (83%). Only 77% of Education and 61% of Healthcare respondents report having a security framework in place. Results also show that 44% of organizations use more than one security framework.

NIST CSF emerging as best practice

Following a security framework engenders confidence in an organization’s security posture. According to the survey results, 29% of organizations leverage the NIST Cybersecurity Framework (CSF) and overall security confidence is higher for those using this framework. Additionally, more than 70% of respondents who have adopted or plan to adopt the NIST CSF view it as an industry best practice. It’s also the most likely security framework to be adopted by organizations over the next year.

More than 70% of respondents who have adopted or plan to adopt the NIST CSF view it as an industry best practice

Industries already using the NIST CSF are the Government (14%) and Banking and Finance (18%). Even though NIST CSF consists of standards, guidelines, and practices designed to promote the protection of critical infrastructure, it has emerged as one of the most thorough and reliable cybersecurity frameworks available to organizations of all types and sizes.

While the survey indicates larger organizations (5,000 employees or more) are more likely to adopt the NIST CSF (37%), 17% of smaller organizations surveyed (100 to 1,000 employees) also rely on this framework to maintain their security posture. Larger organizations may be more likely to have a security framework in place if they have more staff and a bigger budget to secure a larger network.

Adoption barriers

Despite the overwhelmingly positive feedback on the NIST Cybersecurity Framework, there are still barriers standing in the way of its full adoption. Organizations that have already adopted the NIST CSF cite a lack of regulatory requirements and a perceived large investment as obstacles preventing them from implementing all of the recommended controls.

Regulatory requirements and a perceived large investment are obstacles preventing implementation of all the CSF recommended controls

In fact, 64% of respondents from organizations currently using the NIST CSF implement some of the NIST recommended controls, but not all of them. Similarly, 83% of organizations that plan to adopt the NIST CSF in the next year report they will adopt some, but not all of the CSF controls. This is potentially unsettling; if organizations only conform to some suggested security controls, that could leave them vulnerable to gaps in network protection, inviting compromise and breaches. Comprehensive security is the best way to ensure CISOs won’t be left in the dark.

A Tenable solution

Tenable makes it easier for businesses and government organizations to adopt and benefit from the NIST Cybersecurity Framework. We recently introduced the industry’s first and only solution for automating the assessment of more than 90% of the NIST CSF technical controls. Using the NIST Cybersecurity Framework dashboards and reports built into SecurityCenter Continuous View™, you can rapidly evaluate, measure and report on conformance with the framework. Tenable also enables effective communication of the NIST CSF technical controls in business language that executives and boards of directors can understand, using built-in Assurance Report cards (ARCs).

More information

Want to know more? Check out these resources:

• Tune in for Tenable’s Automate Simplify and Communicate NIST CSF Conformance webinar at 2 p.m. ET on April 8, 2016 to further explore the automation and measurement capabilities of Tenable’s NIST Cybersecurity Framework dashboards.
• View the Trends in Security Framework Adoption Survey executive summary to learn more about which framework is the best for for your organization’s security needs.
• Read Tenable’s NIST Cybersecurity Framework Solution Story to learn how Tenable’s CSF solution can help you conform to NIST best practices.