
A Guide to Understanding Your NIST CSF 2.0 Cyber Risk Condition

Updated: Apr 29, 2024

The X-Analytics NIST CSF 2.0 Report

For: Acme Financial Services, Inc.

Estimated for: April 2, 2024 to April 1, 2025


This assessment is for a particular profile. A profile can be built for an entire business, a business unit, a product line, a critical business application, and any other logical or physical business entity.



How to Use Your Assessment

This assessment explores the next twelve months of your cyber risk condition from a financial perspective. It illustrates the major cyber themes and possibilities that may present themselves to your business, based on patterns formed between historical data, your unique business profile, and the macroeconomic cyber condition.

This is your business, and the estimates for the next twelve months are just one way to think about your cyber risk condition. Your business has experienced the realities of cyber risk in its own way. This assessment should be used in conjunction with your existing observations.

This assessment is not a prediction of a pre-determined future that precludes unknown conditions and changing human motivations. Use this assessment as a target at which to aim your actions. You are the agent of your cyber resilience strategy. Take what you need from this assessment to better manage, design, and communicate your cyber resilience strategy.



Executive Summary.

Your NIST Cybersecurity Framework (CSF) 2.0 condition is summarized in three metrics. Each metric provides an essential element in understanding your implementation of NIST CSF.



Since Last Quarter.

Since last quarter, your NIST CSF 2.0 alignment has improved by 99.4% and your cyber exposure has improved by 25.4%.




Further Details.

Your NIST CSF 2.0 cyber risk condition is based on a combination of your exposure profile, asset applicability, threat and impact refinement, NIST CSF 2.0 implementation, and a set of macroeconomic cyber risk conditions that further calibrate cyber incident severity and probability.


Cyber Exposure

Cyber exposure is the expected annual loss: the sum, over all possible impacts, of each impact multiplied by its probability of occurring. It can also be expressed as a percentage of annual revenue. Your cyber exposure already includes the benefit of your control effectiveness.

Your current cyber exposure estimate is $51.2 million for the next twelve months, which can also be expressed as 2.05% of your annual revenue. To aid with making informed cyber risk decisions, cyber exposure is further divided into four exposure categories.


Question to ponder:  Are you leveraging your cyber exposure values as part of the NIST Govern function, which includes organizational context, risk management strategy, oversight, and other critical govern categories?

If you are not satisfied with your current cyber exposure, then you may want to focus on improving your NIST CSF 2.0 implementation. With each implementation improvement, your cyber exposure will also improve.


Cyber Exposure Opportunity - The Top 5 NIST CSF Categories for Improving Cyber Exposure

As one option, you can focus on the top NIST CSF categories for improving cyber exposure. Any improvement within these NIST CSF categories would improve cyber exposure. The cyber exposure opportunity is based on a full implementation of the NIST CSF category. If the top 5 NIST CSF categories were fully implemented, your cyber exposure would improve by 60.6%.

| NIST Category | Definition | Current Implementation | Opportunity w/ Full Implementation |
| --- | --- | --- | --- |
| 1. Continuous Monitoring (DE.CM) | Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events. | 60% | $8.25 million |
| 2. Identity Management, Authentication, and Access Control (PR.AA) | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access. | 50% | $7.85 million |
| 3. Platform Security (PR.PS) | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability. | 50% | $7.51 million |
| 4. Data Security (PR.DS) | Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. | 70% | $3.76 million |
| 5. Asset Management (ID.AM) | Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. | 57% | $3.66 million |
| Total | | | $31.03 million |

Other risk reducing options are available throughout this report and other X-Analytics reports.
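The arithmetic behind the two figures above (exposure as the sum of impact times probability, and the "opportunity with full implementation" of a NIST CSF category) can be made concrete with a small model. The code below is an added illustration written for this page; it is not X-Analytics code and does not reproduce the X-Analytics model. The scenario table, the revenue figure, the per-category `max_reduction` values, and the rule that a category scales scenario probability by `1 - max_reduction * implementation` are all constructed assumptions.

```python
"""Expected-loss ("cyber exposure") arithmetic, as an added illustration.

Assumption (not from the report): each scenario's annual probability is
multiplied by (1 - max_reduction * implementation) for every NIST CSF
category that mitigates it, so a category at 100% implementation removes
a fixed fraction of the probability of the scenarios it covers.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Category:
    cid: str               # NIST CSF category ID, e.g. "DE.CM"
    implementation: float  # current implementation level, 0.0..1.0
    max_reduction: float   # fraction of probability removed at 100% (assumed)


@dataclass(frozen=True)
class Scenario:
    name: str
    base_probability: float        # annual probability with no mitigating controls
    impact: float                  # loss in dollars if the scenario occurs
    mitigated_by: tuple[str, ...]  # category IDs that reduce this probability


# Constructed sample input, not figures from the report.
ANNUAL_REVENUE = 100_000_000.0
CATEGORIES = {
    "DE.CM": Category("DE.CM", implementation=0.60, max_reduction=0.50),
    "PR.AA": Category("PR.AA", implementation=0.50, max_reduction=0.50),
    "PR.DS": Category("PR.DS", implementation=0.70, max_reduction=0.40),
}
SCENARIOS = (
    Scenario("ransomware", 0.20, 10_000_000.0, ("DE.CM", "PR.AA")),
    Scenario("credential theft", 0.30, 4_000_000.0, ("PR.AA",)),
    Scenario("data exfiltration", 0.10, 20_000_000.0, ("DE.CM", "PR.DS")),
)


def effective_probability(scenario, categories):
    """Annual probability after the benefit of current control effectiveness."""
    p = scenario.base_probability
    for cid in scenario.mitigated_by:
        cat = categories[cid]
        p *= 1.0 - cat.max_reduction * cat.implementation
    return p


def exposure(scenarios, categories):
    """Sum of impact x probability over all scenarios: the expected annual loss."""
    return sum(effective_probability(s, categories) * s.impact for s in scenarios)


def exposure_ratio(scenarios, categories, annual_revenue):
    """Exposure expressed as a fraction of annual revenue."""
    return exposure(scenarios, categories) / annual_revenue


def with_full_implementation(categories, cids):
    """Copy of the category table with the given categories set to 100%."""
    full = dict(categories)
    for cid in cids:
        full[cid] = replace(categories[cid], implementation=1.0)
    return full


def opportunity(scenarios, categories, cid):
    """Exposure reduction if one category were fully implemented, all else unchanged."""
    full = with_full_implementation(categories, (cid,))
    return exposure(scenarios, categories) - exposure(scenarios, full)


def joint_opportunity(scenarios, categories, cids):
    """Exposure reduction if several categories were fully implemented together.

    In this model it is not the sum of the single-category figures when the
    categories share scenarios, because the reductions multiply rather than add.
    """
    full = with_full_implementation(categories, cids)
    return exposure(scenarios, categories) - exposure(scenarios, full)


def top_opportunities(scenarios, categories, n=5):
    """Categories ranked by single-category opportunity, largest first."""
    ranked = sorted(categories, key=lambda cid: opportunity(scenarios, categories, cid), reverse=True)
    return [(cid, opportunity(scenarios, categories, cid)) for cid in ranked[:n]]


if __name__ == "__main__":
    cur = exposure(SCENARIOS, CATEGORIES)
    ratio = exposure_ratio(SCENARIOS, CATEGORIES, ANNUAL_REVENUE)
    print(f"exposure: ${cur:,.0f} ({ratio:.2%} of revenue)")
    for cid, dollars in top_opportunities(SCENARIOS, CATEGORIES):
        print(f"{cid}: ${dollars:,.0f} opportunity with full implementation")
    top2 = [cid for cid, _ in top_opportunities(SCENARIOS, CATEGORIES, n=2)]
    print(f"top 2 together: ${joint_opportunity(SCENARIOS, CATEGORIES, top2):,.0f}")
```

The practitioner's check this makes visible: a table that totals single-category opportunities, as the table above does, assumes the reductions add. In the constructed model the two largest opportunities come to $650,000 and $588,000 individually but $1,138,000 when implemented together, so before planning against a summed total, confirm whether the underlying model treats category effects as additive or, as here, as overlapping.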


NIST CSF Alignment

NIST alignment is the measure of how well your business has implemented the NIST CSF Core, which is divided into a hierarchy of functions, categories, and sub-categories, each describing a cybersecurity outcome.

The NIST CSF outcomes are not a checklist of actions to perform. Specific actions taken to achieve an outcome will vary by organization and use case. Additionally, the prioritization of each function, category, and sub-category will vary by organization based on the organization's unique cyber exposure profile.

The structure of the NIST CSF Core is intended to resonate most with those charged with operationalizing risk management within the organization.

Your current NIST CSF alignment is 64.6%, which is worse than your target of 75% alignment. To achieve or maintain target, focus your actions on NIST Functions and/or Categories that are below target.


NIST CSF Function Alignment

There are six NIST CSF Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Since all functions relate to each other, you may want to address them concurrently. All functions have vital roles related to cybersecurity incidents. Govern, Identify, and Protect outcomes help prevent and prepare for cyber incidents, while Detect, Respond, and Recover outcomes help discover and manage cyber incidents.

The graph below represents your current implementation of the six NIST CSF functions in relation to your NIST CSF achievement target.


Opportunity for Improving Cyber Exposure by NIST CSF Function

The graph below represents which NIST CSF Functions offer the best opportunity for improving cyber exposure. The cyber exposure opportunity is based on a full implementation of the Function.

Question to ponder: Are your current and future cyber investments aligned with the functions that would best improve your cyber risk condition?



NIST CSF Category Alignment

Each NIST CSF Function is divided into Categories. The Categories are composed of sub-categories, which are specific outcomes of technical and management activities. The Categories and sub-categories are not exhaustive, but they describe detailed outcomes that are meant to improve your cyber risk condition.

The graph below represents your current implementation of the NIST CSF categories in relation to your NIST CSF achievement target.

Opportunity for Improving Cyber Exposure by NIST CSF Category

The graph below represents which NIST CSF categories offer the best opportunity for improving cyber exposure. The cyber exposure opportunity is based on a full implementation of the category.

For more information related to your NIST CSF category achievement, please see your NIST CSF sub-category answers within the X-Analytics profile builder.



NIST CSF Tier

NIST Tier is the characterization of rigor related to your organization’s cybersecurity risk governance practices and cybersecurity risk management practices as defined within NIST CSF 2.0.

You may select to use the NIST CSF Tiers to inform your organization's current and target NIST profiles. The Tiers provide a context on how your organization views cybersecurity risks and the processes in place to manage those risks. The NIST CSF Tiers are meant to complement your organization's cybersecurity risk management methodology rather than replace it.

NIST CSF 2.0 has four tiers and each tier level has a descriptive name and definition. Tier 1 is "partial", Tier 2 is "risk informed", Tier 3 is "repeatable", and Tier 4 is "adaptive".

Your current NIST CSF Tier of 2.70 (repeatable rigor) is worse than your target of 3.00.


What does your NIST Tier Achievement Mean?

Below is the definition of your current tier achievement, with some caveats, since your organization is not fully at 3.00 (that is, not fully at repeatable rigor).

  1. There is an organization-wide approach to managing cybersecurity risks.

  2. Cybersecurity information is routinely shared throughout the organization.

  3. Consistent methods are in place to respond effectively to changes in risk.

  4. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.

  5. The organization consistently and accurately monitors the cybersecurity risks of assets.

  6. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risks.

  7. Executives ensure that cybersecurity is considered through all lines of operation in the organization.

  8. The organization's risk strategy is informed by the cybersecurity risks associated with its suppliers and the products and services it acquires and uses.

  9. Personnel formally act upon those risks through mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring.

  10. These actions are implemented consistently and as intended and are continuously monitored and reviewed.


NIST CSF Tier Achievement by Function

The table below represents your tier achievement by NIST CSF Function, and further represents the delta to your target state.

| NIST CSF Function | Current Value | Target | Delta |
| --- | --- | --- | --- |
| Identify | 2.60 | 3.00 | -0.40 points |
| Protect | 2.70 | 3.00 | -0.30 points |
| Detect | 2.45 | 3.00 | -0.55 points |
| Respond | 3.12 | 3.00 | +0.12 points |
| Recover | 2.63 | 3.00 | -0.37 points |
| Govern | 2.70 | 3.00 | -0.30 points |


Estimated Cyber Exposure by NIST CSF Tier Achievement

The graph below represents what your cyber exposure would be at each NIST CSF Tier position. Your organization's current NIST Tier is 2.70, and your current cyber exposure is $51.2 million.

You may notice that your current cyber exposure is better than what the graph represents. This is because your organization has implemented some NIST CSF categories and sub-categories with higher rigor than the tier score alone suggests, which produces better cyber exposure values than the graph estimates.



In Summary

Your NIST CSF 2.0 cyber risk condition is summarized in three metrics. Each metric provides an essential element in understanding your implementation of NIST CSF.

Exposure Ratio

1. Your current cyber exposure is $51.2 million (or 2.05% of revenue).

2. You may want to use your cyber exposure value as a key component within the NIST CSF Govern function.

3. If you focus on the top 5 NIST CSF categories for improving your cyber exposure, you could further reduce your cyber exposure by 60.6% ($31.03 million).

NIST CSF Alignment

1. Your current NIST CSF alignment of 64.6% is below your target of 75% alignment.

2. The NIST CSF Protect Function offers the best improvement to your cyber exposure. If fully implemented, the Protect function could further reduce your cyber exposure by $22 million.

3. The NIST CSF Continuous Monitoring (DE.CM) category offers the best improvement to your cyber exposure. If fully implemented, the Continuous Monitoring (DE.CM) category could further reduce your cyber exposure by $8.25 million.

NIST CSF Tier

1. Your current NIST CSF Tier score of 2.70 is worse than your target of 3.00.

2. Your current NIST CSF Tier score of 2.70 means that your organization has a "repeatable" rigor that indicates your organization has an organization-wide approach to cyber risk management and that your actions are implemented consistently.

3. If you were to achieve a NIST Tier of 3.50, then your estimated cyber exposure would improve by 44%.
