After months of anticipation, NIST Cybersecurity Framework 2.0 has been officially launched! We have incorporated this framework into our services for our small business clients throughout the past year, even in its proposed format.

The main difference between version 1.1 and 2.0 lies in the introduction of a new “governance” layer, which acknowledges the crucial role that an organization’s management plays beyond technology. This updated framework recognizes that cybersecurity is not solely the responsibility of technology; it also involves organizational governance.

Although NIST Framework 2.0 provides a standardized common language for managers and technical staff, we found that it remains shrouded in mystery and myths perpetuated by unscrupulous security and cloud vendors. However, we discovered that implementing best standard business practices is key to securing small businesses. These practices include good organizational compartmentalization, systems isolation, cohesive team coordination, transparent and redundant team roles, effective backup and recovery policies such as mean-time-to-report, max-time-to-recovery, proactive risk management, payment for ransomware, and prioritizing security with people over machines.

In the coming months, we will collaborate with your management to incorporate risk management, division of labour, and help set up policies that align with this updated framework.