NIST Framework: You’ve Heard It, Lot’s of People Refer to It, But Do You Know What the NIST Security Framework is…
If forced to… (sales person to client) could you explain what the NIST Security Framework is?
NIST is important to the Assessment process as it gives you an easy reference point from which to assess and define risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.
How will you answer?
If you’ve read my book, The House & The Cloud, You already know most of the NIST Security Framework…
(I wrote version one of The House & The Cloud in 2007, so you know I wasn’t just copying NIST – it’s a 2014 publication – of course I’m not claiming to be the author of NIST either).
Either way, it’s important to know NIST if you’re going to talk security. So here’s the simple “sales person level” overview…
Notice the outline below. There are 5 major components. You’ll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13)…NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end).
In my 2007 book (updated in 2015), I develop The IDENTIFY aspect in more detail (just under a different heading – the Three Important Questions You Should Be Asking Asset Owners). – See Chapter 13, The Three Questions.
- What are you trying to protect?
- What are your relevant threats?
- How likely are you to be able to detect and respond before damage is done?
These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.
PDR – The Core of NIST, But Selling It Requires Strategy
The House & The Cloud is a sales training book, not an SE’s Handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process. Your client/prospect won’t know my name, but they can Google NIST.
It’s not necessary for you, the sales person) to be fluent in security architecture and the various approaches to remediate risk.
But getting buyers to part with money for NIST is a hard hill to climb. Chapter 13 of The House & Cloud provides the science behind the marketing approach. In my presentation (the one outlined in chapter 13) I first must break the preconception that my prospect has security “Covered”.
The conversion happens when the client sees their investment tied to column ONE – the NIST protection column (as is explained in The House & Cloud). Protection alone (keeping people out) won’t stop hackers…but until the client sees the truth (and admits their mistake) they won’t move forward.
If you want to be the Trusted Advisor, you must be TRUSTED, and ABLE TO ADVISE…and that means you client must first admit they need advice!
The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (Assuming they do).
Finally -Recovery…As in Disaster Recovery
My response calls for Realtime Response…I make the point (in The House & Cloud book) that faster response is needed – even realtime response to stop the threat before harm is done.
In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.
However, stopping disasters is not always possible…and so the Disaster Recovery Plan is essential…developed, documented, and tested regularly. This last component needs work, especially in the small/medium business markets…
Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).
Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).
© 2017, David Stelzl