When it comes to protecting your nonprofit’s valuable data, cybersecurity best practices are key. But for most nonprofit and mission-based organizations, the go-to options for improving any aspect of cybersecurity aren’t always nonprofit-specific. The process usually involves the use of general guidebooks written by well-meaning third-party organizations, conducting broad and generalized training, or applying the products developed for the for-profit economy.
These solutions might be helpful if you knew what cybersecurity solutions you need, or—better yet—how your business operations measure cybersecurity best practices. But what if you don’t see what you needed? What if a board member comes to you and says, “What are our policies and procedures around information security?” What if your organization has recently been compromised, and you are in a frenzy to understand what has been affected?
Here’s where you can start.
A New Approach to Nonprofit Cybersecurity
Imagine if you had a clear view of how your organization measures against information and cybersecurity best practices. Better yet, imagine if securing the information in your organization was standard operating procedure and not a unique project. At Sightline, we believe that these and other imagined states of cybersecurity preparedness can be a reality.
In the third of our three-part blog series, we will look at one of the most respected and used standards in cybersecurity: the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Together, we will walk through unpacking the cybersecurity noise to get to what you need to do for your organization. As we’ve mentioned in previous blogs and webinars, a lot can be accomplished when taking a different approach. We find that focusing cybersecurity best practices within the frame of business operations works—particularly if that frame is in how nonprofit and mission-based organizations operate. This view of security frameworks can dramatically improve preparedness while removing the fear, uncertainty, and doubt many organizations experience when looking at cybersecurity.
Cybersecurity Best Practices: What is the NIST CSF?
The Cybersecurity Framework (CSF) created and maintained by the National Institute for Standards and Technology (NIST) is considered one of the most respected and used guides for general audiences to improve cybersecurity. But even the NIST CSF has its challenges as it’s written in language that evokes those feelings of confusion and overwhelm. The original framework was created in 2013 through a convening of NIST, private- and public-sector organizations, and individual subject matter experts. To be more specific:
“Published in 2014 and revised during 2017 and 2018, this Framework for Improving Critical Infrastructure Cybersecurity has relied upon eight public workshops, multiple Requests for Comment or Request for Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.”
Organized in a hierarchy of controls, the NIST CSF offers a viable first step for organizations of all sizes to begin to assess their cyber and information security readiness. Additionally, controls are mapped against other frameworks (such as NIST 800-51, NIST-171, ISO27000, COBIT5), making it easier to overlap groups if needed. The framework is organized into five functions with categories and subcategories under each at the highest level: Identify, Detect, Protect, Respond, and Recover. They are intended to be followed as a linear path.
Understanding this is important for an organization to use the NIST CSF efficiently. At Sightline, we have identified trends that not every nonprofit or mission-based organization needs to measure themselves against. Based on a nonprofit’s mission, we assist them in identifying the functions and categories of the framework that provide them the most value.
Breaking Down the Complexities
Ideally, the CSF is an excellent and necessary tool for nonprofits to evaluate their cybersecurity preparedness. However, while there is an intention to use everyday language, it lacks the business-focused lexicon and semantics in simple terms that most nonprofits can use. The language used to describe activities in the CSF shared between the two sectors is decidedly worded to favor those working in a for-profit environment, even though the interest activities are shared between the two industries.
Here’s a quick look at the approach we take to address the complexities in the NIST CSF.
- Create a Friendly Description– We start by imagining standing in line at a coffee shop and need to tell someone in a few minutes what the control is—using everyday language without “dumbing” it down.
- Identify What Success Looks Like – What does the nonprofit organization need to show or do to complete that control? In simple terms, what does success look like?
- Build a Question or Two or Three – Only when Step 1 and Step 2 are done do we create questions; also, we realize that most subcategories require more than one question.
- Understand What Comes First – As a final step, understanding how the completion of a certain subcategory impacts other subcategories is key. In other words, if you can’t complete a specific question, you might not have what’s necessary to complete follow-up questions.
Blazing a New Trail with Cybersecurity Best Practices
Securing your most valuable data isn’t only about mitigating financial and reputational risks. It’s also about protecting the trust your organization holds by the people and communities you serve. A cybersecurity incident of any size will affect your organization financially, reputationally, and even emotionally. We believe that based on extensive interactions, research, and communications with nonprofits and cybersecurity professionals, the use of the CSF in any sector or community is feasible. We also recognize that the approach we are taking to unpack the CSF and reframe it for the nonprofit sector is like blazing a new trail. It’s a trail that requires patience, persistence, and continuous learning, but the final destination is worth it.
If you are curious to learn more about our approach, Sightline Security partnered with Nonprofit Hub & Do More Good on a three-part webinar series on cybersecurity. You can reach out to [email protected] to receive the on-demand recordings of these sessions.
*This spotlighted blog post is courtesy of Sightline Security
Originally published on 09/07/2021 / Republished on 11/12/2021