Adoption of the NIST Cybersecurity Framework (CSF) is improving organizations’ security confidence, but is presenting implementation challenges, according to research released by Tenable on Tuesday. Over two-thirds of those surveyed said the NIST CSF represents industry best practices, and while half of those who have adopted or expect to adopt the framework say it requires a high level of investment, it is the security framework most likely to be adopted by organizations over the next year.
The Trends in Security Framework Adoption (PDF) report is based on a survey of more than 300 security professionals at US organizations of various sizes. It found that 84 percent of those surveyed currently use at least one security framework, and while 44 percent use more than one, nearly one in six have no cybersecurity framework at all in place.
PCI is the most commonly used framework at 47 percent, followed by ISO 27001/27002 (35 percent) and CIS (32 percent). Twenty-nine percent reported their organizations have adopted the NIST CSF. The NIST framework was launched in early 2014, and made official late that year, so it is still relatively new, but 14 percent say they will adopt it this year, ahead of CIS (12 percent) and ISO (9 percent).
“Historically, CISOs have been hesitant to take full advantage of the NIST Cybersecurity Framework because of a high investment requirement and a lack of regulatory mandate,” Ron Gula, CEO, Tenable Network Security said in a statement. “This is changing as organizations begin to shift their mindset from moment-in-time compliance with frameworks like PCI DSS to continuous conformance with the NIST Cybersecurity Framework.”
Tenable notes that 64 percent of organizations adopt the NIST CSF without implementing all of the recommendations, largely due to the perceived investment and lack of regulatory requirement. More than four out of five organizations planning to adopt the NIST CSF in the next year will likewise not adopt all of the recommended controls.
“The NIST Cybersecurity Framework is one of the most thorough and reliable cybersecurity frameworks available, but it can be challenging for CISOs to conform to these standards all the time,” said Gula, emphasizing how Tenable’s solution helps organizations automate and simplify NIST Cybersecurity Framework adoption.
Tenable’s NIST CSF solution provides framework-specific dashboards in Tenable’s SecurityCenter Continuous View. The company says it can automate more than 90 percent of the technical controls.
Tenable will present a webinar on its NIST CSF dashboards on Apr. 8.