Empowering Cybersecurity Leadership: NIST CSF 2.0 Introduces ‘Govern’ to Transform CISO Roles in 2024 

With the release of NIST CSF 2.0, security managers must not only identify, protect, detect, respond and recover; they also have to govern.

Most of the CISO’s C-suite peers already run their functions on a dedicated management platform, while the CISO’s team is still struggling with fragmented data, spreadsheets, and perhaps consulting firms producing yet more spreadsheets.

Things have changed: compare governance in 2014 with governance in 2024. Previously, the CISO only had to check the box that a control existed. Today, effective governance means understanding how well controls are routinely implemented and maintained. This is a big step forward for cyber security, and it gives information security managers a completely new way of doing their work.
How is this reflected in practice?

Up until now, it’s been like gathering all the tools and materials for building a house but never actually taking control of the construction. The materials were stored in the shed, some used, some not, some unnecessary, some deteriorating, with no oversight on what was required, how they were ultimately used, or if the house, in the end, was sturdy or not.

In security terms, this means that the CISO’s office acquires all the necessary controls, such as endpoint security tools or code protection, but security managers have no way to tell whether they are implemented and how well they are working. That is because today’s security teams often cannot enforce their own policies: they have no way of measuring whether controls are deployed, how quickly they are operating, and whether critical incidents are actually being resolved.

The ability of the CISO, or Chief Information Security Officer, to monitor, manage and measure their activities is attracting increasing interest. The industry is finally recognizing that CISOs lack the tools to manage their own work.

There are many drivers for this, starting with the complexity of the CISO’s function. Any company that needs SOC 2 compliance will likely manage at least 15 different security tools. In large enterprises, the stack can exceed 100 tools. Even mid-sized companies that have gone through M&A likely have a few dozen separate tools.

Finally, new technologies for aggregating security information for management purposes pave the way to data-driven understanding and, therefore, data-driven security management.

The new Govern function in NIST CSF 2.0 will further advance this data-driven approach to security management, which brings several important and practical changes:


Transparency in tool usage – while an operations manager or analyst looks inward at the tool itself, the security manager faces a different set of questions. For example: how well are our newly acquired tools actually being used, and which business unit needs my help to better implement new controls?

Interdisciplinary perspective – Today, the CISO’s office oversees 10-14 different security programs, each with its own language, features, and metrics driven by SMBs. The CISO’s office must use simple, clear language, metrics and practices that are tool-agnostic, easy to understand, and give a clear view of the actions required when security policies are not met.

ROI – With current budget cuts and the recession, boards are asking more and more questions about whether security investments are meaningful. Most board members are not specialists and do not understand the nuances of dozens of security tools. The CISO’s office therefore needs a simple way to translate the complex stack onto a whiteboard and present the remaining weaknesses in a way that helps the board understand why further investment is still needed after last quarter’s budget increase.

Policy implementation – It is one thing to work hard to improve performance, and another to know how well the policies set by the CISO are actually being followed. A simple, continuous view of this is the first step toward much stronger control.


In summary, the official inclusion of “govern” in the NIST framework presents an excellent opportunity for CISO offices to enhance their leadership approaches.