



Achieving long-term resilience with NIST’s Cybersecurity Framework

Sep 19, 2017 | 4 mins

Data and Information Security | Network Security | Technology Industry

The need for continuous monitoring, effective metrics and skilled workers.


The laudable aim of the National Institute of Standards and Technology (NIST) is to build a common language through a set of best practices and security principles that any organization can apply to combat cybercrime. We’ve looked at what NIST’s Cybersecurity Framework can do for you. We’ve also drilled a little deeper to reveal the importance of solid analysis in assessing your risk and requirements, so that you build it right the first time.

A solid foundation is a great start, but you also need to implement continuous monitoring and find a way to measure how successful your efforts have been. Because security is a race, rather than a destination, it’s vital to keep identifying gaps, making improvements, and validating your activities. To do that, you’ll need the right attitude and the right talent.

Change is constant

Cybercriminals and would-be hackers are constantly developing new techniques and uncovering fresh vulnerabilities, so defenses must be monitored and updated continually. While the Cybersecurity Framework is a great starting point, with lots of useful advice, it’s not easy to assess how effective it has been within organizations.

That’s the main reason why, at the beginning of the year, the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017 was passed into law. It’s an attempt to ensure that progress is measured, but establishing metrics to measure the effectiveness of security policies is a tricky business. Different organizations have different priorities.

The framework provides a skeleton that you can flesh out with your own organization’s requirements, and the metrics you adopt to measure the efficacy of your efforts are no different. If you don’t take the time to build a solid set of metrics, then you really don’t know if your efforts are paying off.

Later this year, there will also be a major revision to the document, which is available in draft form right now. Collaborators have been working to integrate privacy and cyber controls and align them with NIST’s cybersecurity framework recommendations. You can currently review and comment on this document, ahead of a final draft at the end of the year.

A very large skills gap

One of the biggest challenges facing any organization that’s trying to put NIST’s cybersecurity framework into practice is the lack of workers with the right skillset. Take a look at the interactive map at for an overview of the problem. There were 112,000 InfoSec analyst job openings last year in the United States, but only 96,870 workers to go around.

Another 200,000 openings requested cybersecurity-related skills. Cloud security skills were apparently the hardest to find, with jobs remaining open an average of 96 days. This worrying shortfall has prompted the creation of the National Initiative for Cybersecurity Education (NICE). Just as the cybersecurity framework creates a common language for discussing security issues and best practices, NICE aims to help you assess workforce skills and identify certification and training requirements.

Many organizations struggle to find people who possess the right knowledge, skills and abilities, and worse, they often can’t fully articulate precisely what they need. This is one of the reasons that a virtual CISO can be a real boon for an organization trying to get its cybersecurity policies on track and recruit an effective team.

Security for all

Because the cybersecurity space is developing so quickly, it’s understandable that some risks caught organizations unawares. But ignorance can no longer be used as an excuse. Data breaches and other cybersecurity incidents can now often result in regulatory fines and serious reputational damage.

While there seems to be a general acceptance about the level of threat, we are still not seeing the positive action required to nullify it. Verizon’s 2017 Data Breach Investigations Report found that 88% of breaches still fall into one of the nine patterns it identified back in 2014. The difficulty organizations are having is in validating implementation and building resilience.

The fact that NIST is working hard with the wider community to pool resources and knowledge is very encouraging. The importance of this endeavor comes into sharp relief when you consider the bi-partisan cooperation in a generally combative political climate. The government and wider cybersecurity community are committed to effecting real change and tightening our collective defenses, but we all need to pitch in.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.