Security in six: NIST 2.0


12 July 2024 · security, compliance, governance

This article was originally published in Governance and Compliance Magazine in July 2024.


Since NIST introduced the Cybersecurity Framework in 2014, it has shaped how organisations think about security risk. The original version pushed businesses away from a purely defensive stance toward a risk-centric approach. But a decade later, the world looks different. Information security now permeates a much broader set of industries, digital footprints have expanded, and the threat landscape has evolved well beyond what the original framework was designed for.

Version 2.0 of the Cybersecurity Framework (CSF 2.0), released in February 2024, addresses this by adding a sixth function, Govern, to the original five, so that the core now reads:

  1. Govern - establish, monitor, and communicate your cybersecurity risk management strategy and policies
  2. Identify - outline and understand current cybersecurity risks facing the business
  3. Protect - use safeguards to prevent or reduce those risks
  4. Detect - find and analyse possible attacks and compromises
  5. Respond - take action against a detected incident
  6. Recover - restore assets and operations impacted by an incident

The addition of Govern as the first function is the most significant change. NIST positions it as a cross-cutting function that informs how the other five are carried out. It acknowledges that cybersecurity is not merely an IT problem: it is an enterprise risk that requires governance structures, defined roles and responsibilities, and strategic oversight from the top of the organisation.

Without governance, security decisions risk being misaligned or driven by individual preferences, resulting in suboptimal choices with cascading consequences. Governance frameworks define ownership and accountability, facilitate operational due diligence, and ensure that cybersecurity is a primary strategic consideration throughout the business.

The updated framework also emphasises flexibility. Rather than prescribing specific controls or technologies, CSF 2.0 describes high-level outcomes that organisations map to their own context, risk appetite, and maturity level. The message to security practitioners is clear: tailor your approach to your situation rather than adopting a one-size-fits-all model.

For organisations that have not previously engaged with the framework, version 2.0 is a practical starting point. For those already using it, the addition of Govern and the expanded treatment of supply chain risk and interdependencies between organisations bring the guidance in line with how modern businesses actually operate.

Read the full article in Governance and Compliance Magazine →
