• United States




Adopt the NIST cybersecurity framework (CSF) and harness the wisdom of crowds

May 02, 20185 mins
Data and Information SecurityNetwork SecurityTechnology Industry

The NIST CSF crowd-sourcing methodology is exactly what makes it so robust. It draws from every angle the priorities and use cases of its creators, resulting in a framework that adds depth and breadth to your organization, while being flexible enough to accommodate companies of any scale.

login credential - user name, password - administrative controls - access control - single sign-on
Credit: Thinkstock

The risks that come with cybersecurity can be overwhelming to many organizations. Building out a robust cybersecurity program is often complex and difficult to strategize for any organization, regardless of size. Frameworks are not a new concept to cybersecurity professionals. The benefits are immense – nor do they need to be complex to be effective. In this article, I will discuss some of the historical and conceptual links to our modern-day frameworks such as the NIST CSF.

One property that comes to mind is often the collaborative nature that goes into the development of a framework. In the early 1900s statistician Francis Galton made a breakthrough observation at a country fair in which he discovered that a crowd of nearly eight hundred laypeople guessing the weight of an ox, when averaged was within a few pounds of the actual weight. Experts however were much further off in guessing the weight of the same ox. How could such a phenomenon be possible?

The power of collaboration

Having thousands of contributors (over 3,000) with independence and the framework being drawn from a decentralized sample of the population making unique contributions to it (industry professionals and cybersecurity experts), the framework’s collaborative beginnings may account for some of the value provided by it. As someone who attended and contributed myself, I can say that the team around the framework and the National Institute of Standards and Technology have more than just the baseline clout that you would hope for in a recognized group. Not to mention that version 1.1 that came out just recently, and the revisions are comprehensive.

Although I spent years consulting, when I took the role as the global CSO at Schneider Electric, I realized that rather than relying on the opinions or guidance of a small group of consultants – who would have similar corporate training and culture as my team. To “determine” the optimal set of cybersecurity controls for an organization, the wisdom of this larger crowd which pulls from different industries and organization structures and includes high-powered cybersecurity professionals who produced the NIST Cybersecurity Framework – wins over the small group of “experts.”

Trading in large consulting groups for recognized frameworks

In my experience, “proprietary frameworks” promulgated by even the most top-tier and renowned consulting firms tended to be myopic and often lacked real value. On occasion a homegrown framework had some value, but that was usually because it was a refactored version of a crowd based source like or ISO/IEC security frameworks. The NIST Framework may have inherited some of the crowd wisdom properties, greatly improving the overall value of adoption. I hosted a webinar on the NIST Framework as it’s the foundation of the CyberStrong Platform. In my career I’ve experienced the convergence of frameworks and standards, and the need for a universal language. If your organization implements a recognized standard to operate by, it will be a great benefit and a guide to you as you scale your program.

Look to well-known frameworks such as the ISO/IEC series, NIST 800-53, and the NIST Cybersecurity Framework to pull from to align with a nationally or internationally recognized standard. Use these frameworks as a guide to run your cybersecurity program and to increase visibility and order within your company.

Why adopting the NIST framework should be on your list of ‘to-do’s’

I would argue that the NIST CSF is the most robust yet understood framework to date. It covers five critical framework functions: Identify, Protect, Detect, Respond and Recover – all critical parts that require controls, policies, and procedures within your organization both inside and outside of your cybersecurity team.

Upon the recent release of the NIST Cybersecurity Framework version 1.1, The Under Secretary of Commerce for NIST, Walter Copan, noted that “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”

Additionally, the US Secretary of Commerce Wilbur Ross noted that “Cybersecurity is critical for national and economic security. The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”

Harnessing the wisdom of crowds

The quote above shows the bridge between security and business in action. CEOs and business leaders around the country have taken note of the importance of cybersecurity and data protection, especially of late. It’s important that we understand the implications of following an unorganized, less strategic set of cybersecurity controls. We owe it to our cybersecurity teams, our businesses and our customers to follow a strategic path to security. Thus, I advocate the use of the NIST Cybersecurity Framework, and recognized frameworks like it, to fuel your security program and strengthen your cybersecurity posture.

Those that had a hand in creating the framework knew the importance of creating a “framework to live by” – they shared the same vision. These individuals were sourced from different roles, industries, and had varying viewpoints and perspectives on cybersecurity and risk management. I believe that this crowd-sourcing methodology is exactly what makes the framework so robust. It draws from every angle the priorities and use cases of its creators, resulting in a framework that adds depth and breadth to your organization while being flexible enough to accommodate companies of any scale.

To draw a sharable understanding, I finish with this: You may gain considerable value from frameworks like the NIST Cybersecurity Framework because it “harnesses the wisdom of crowds.”


George Wrenn is the co-founder of privacy startup ZenPrivata and founded and served as CEO of CyberSaint Security--a leading IRM/GRC company. Prior to CyberSaint, he served as the VP/CSO globally for Schneider Electric. He has more than 30 years of experience in the field of cyber security, privacy, spanning technology, policy and management.

Prior to the present role, George was as a senior managing consultant with IBM helping cross-industry Fortune 1000 customers reach compliance to NIST, FISMA, ISO/IEC, HIPAA, PCI, NERC/CIP, and other key regulatory frameworks. He developed cybersecurity strategy, roadmaps, and global cybersecurity programs. He is also an expert in cloud security and has been awarded US patents in this area.

George served as director of security for a fully regulated financial services company, where he managed regulatory compliance efforts and the internal security office, protecting over $99 trillion in stock market transactions yearly. He later led cybersecurity product management and business improvement projects at RSA Security and EMC Corp.

George has been a graduate fellow at the MIT Sloan Management for four years, spent two years at the MIT Media Lab, and spent one year with the MIT ESD. He completed Harvard Business School Executive Programs focused on NPD and creation of new services & methodology, and received his B.A. from Harvard as well.

George has had a NSA sponsored ISSEP credential, a Certified Ethical Hacker (CEH) and CISSP for more than 12 years. He is a Six Sigma Black Belt and has Kaizen facilitator certifications. George has experience working with the complex Cloud, Government, IT, ICS, audit and national regulatory frameworks. He was also a mission oriented Operations Officer and SAR/DR Pilot (Officer 1st Lt. USAF/Aux).