top of page
  • Writer's pictureAnup Ghosh

Cyber Governance Drives New NIST CSF 2.0 Changes

The Download

Without much fanfare, NIST released the 2.0 version of the NIST Cyber Security Framework (CSF 2.0). Leading the changes is the incorporation of Cyber Governance as a top-level activity within the framework:

Cyber governance is the necessary oversight typically provided by executives or boards as part of their enterprise risk management (ERM) strategy and also as their fiduciary responsibility toward the companies they manage. Simply stated, cyber governance answers the fundamental question of "how do you know?" as eloquently put by Wes Spencer. More specifically, how do you know how well your security program has been constructed, controls implemented, and performance measured? The wrong time to find out is after an incident occurs.

The NIST CSF 2.0 approach is straightforward: in each of the major functional areas: Identify, Protect, Detect, Respond, and Recover, you need a governance function that provides oversight into (a) whether you have an appropriate plan and set of controls in place, and (b) to what extent you've properly executed against that plan with a measure of performance.

What You Can Do

If you do not have a cyber governance plan in place, it is time to get out in front of this. From a board governance standpoint, you will be able to ask and answer questions:

  • Do I have an adequate security program in place?

  • Do I have coverage of the five areas with key security controls?

  • How well am I doing in each of the five main areas of governance?

  • Where do I need to invest more in training, personnel, solutions?

As a managed service provider (MSP) cyber governance should be the first dashboard you show a client. It becomes a roadmap for capabilities to bring on for clients that are lacking, as well as a key dashboard for MBRs on how much progress you are making in securing the client.

Need help? ThreatMate platform builds cyber governance into its platform so you can get an immediate assessment of gaps and strengths in your cybersecurity program. Sign up today!

To learn more:



bottom of page