We recently had a client reach out asking for a “…comprehensive list of all the tools currently deployed… to detect ‘bad stuff’.” The purpose of the request was to present an overview to their board of directors and executive leadership.
Our website offers the usual marketing descriptions of our services on the public-facing pages, but because many of our clients work with external auditors, we have created a hidden resources page where those auditors can get a more detailed description not only of the technologies that detect “bad stuff” but also of the processes behind managing those technologies. After all, an alert means nothing if the process around it is broken and no one is watching for it. [Side note: if you are a client and need access to this resource page, reach out and we’ll provide directions for access.]
However, we felt an even more important item to convey to the board and executive team is how we select the security tools that make up our “stack”. Part of the challenge we face as a solutions provider is that there are hundreds if not thousands of security tools on the market, and, as one of our vendors put it, we have to play “Security Tool Tetris” to figure out which pieces fit together best to provide comprehensive coverage. About a year and a half ago we had to decide how to make those decisions consistently, and the answer was to adopt an industry-accepted framework as the lens through which we assess our existing tool stack, identify where gaps exist, and then focus on finding the right tools to fill those gaps.
As a result, we mapped all of our offerings to version 1.1 of the NIST Cybersecurity Framework. We started at the highest level, the five Functions: Identify, Protect, Detect, Respond, Recover. A thorough security program requires deeper engagement than that, so we have gone further: starting about six months ago, we mapped both our technologies and our recommended approaches to the 14 families and 110 security requirements of NIST SP 800-171 Rev. 2. Upon request, or when applicable, we can provide clients a summary of not only our technologies but also our recommended approach for each of the 110 requirements. That level of detail is far more than a board review needs. What matters to the board is that our selections are not made in a vacuum.
Suite3 is actually helping our clients adhere to NIST standards whether they realize we are or not.
However, Suite3’s involvement covers only some of the requirements. To fully comply with NIST SP 800-171, an organization’s internal policies and procedures have to be in sync with the technical controls, and the organization as a whole has to adopt a security mindset. Feel free to reach out to have a deeper discussion about the NIST framework and how it should be applied to your organization.