DIY vs. Services Under NIST 2.0

The NIST 2.0 Cybersecurity Framework (CSF) categorizes cybersecurity operations into five core functions: Identify, Protect, Detect, Respond, and Recover. A new wrapper function, Govern, now spans all of these categories. This blog explores where external assistance is essential for handling the major controls within these functions, and where DIY efforts often fall short.

Identify:

Penetration Testing and Risk Assessments are prime candidates for outsourcing under the Identify pillar. Effective Penetration Testing should not only identify exploitable vulnerabilities but also continuously or periodically assess and map those findings through Business Impact Analysis (BIA). This process helps prioritize risks and provides deeper insight than simply listing existing gaps. Similarly, a robust Risk Assessment program must be asset-aware, offering context for security gaps and a roadmap for the security journey. Because these functions audit an organization’s own security capabilities, they are best delivered externally to avoid conflicts of interest, which makes them essential candidates for external services.

Protect:

The average organization utilizes between 40 and 70 security tools within its stack. This complexity creates a significant onboarding challenge for new staff and often requires specialized knowledge that may be unique to the organization. External services under the Protect pillar can bridge gaps in IT knowledge, ensure best-practice implementation, and provide 24/7 availability when internal teams cannot manage the entire security infrastructure. While many Protect controls can be managed in-house, it’s crucial for each organization to assess its capabilities across the entire stack to identify where external help is necessary.

Detect:

Managed Detection and Response (MDR) services are crucial for the Detect function. Maintaining a 24/7 Security Operations Center (SOC) is cost-prohibitive for most organizations, and even the largest enterprises often rely on external platforms, threat intelligence, and rule sets. MDR services offer a compelling case for outsourcing because the costs of maintaining in-house SOC staff and developing effective detection platforms far exceed what most organizations can sustain. Major MDR providers invest significantly in backend development and support, making their services far more effective than any DIY solution could be.

Respond:

Every organization must have an Incident Response (IR) Retainer, an IR Plan, and external communication channels for incident management. In the event of a cyber incident, internal systems could be compromised, making it critical to have external resources in place. When selecting an IR Retainer, ensure that the provider is approved by the Cyber Insurance company to avoid any complications during an incident. This makes Incident Response another key area where external services are not just beneficial but necessary.

Recover:

Disaster Recovery (DR) operations should be segregated and immutable to protect recovery infrastructure during a cyber-attack. The need for 24/7 coverage, continuous auditing, and frequent testing makes DR an ideal function for external service delivery. Both DR and IR plans should be tested regularly to ensure they function smoothly when needed most.

Govern:

Governance wraps around all other functions, covering Governance, Risk, and Compliance (GRC) as well as policies, processes, and procedures. Compliance demands deep expertise in specific standards, and proper governance requires external oversight. The complexity involved and the need for thorough auditing make external services essential for effective governance.

Several controls across the NIST 2.0 Cybersecurity Framework are better suited for external delivery rather than in-house solutions. For assistance with any of the challenges discussed or questions about achieving organizational security goals, InterVision is here to help. Let’s explore how InterVision can support cybersecurity needs.