In this fourth of a six-part series, we will introduce the “Detect” function of the NIST-CSF.
The three categories in this function – Anomalies and Events, Security Continuous Monitoring, Detection Processes – are somewhat aligned with the three categories that comprise risk as defined in most risk management standards: Threat, Vulnerability, and Consequence. Anomaly detection is used to understand attack targets and methods, in other words: sift through the noise of the massive data volumes a system has to deal with every second. This is also part of the traditional data assurance task. Security monitoring of the physical, cyber, and human components of an enterprise system is the equivalent of mitigation vulnerabilities. It is introspective in that the main focus is looking at the organization and its systems and assets independently of external threats.
The advantage of giving priority to internal security is that the organization actually controls those systems and assets and should be very familiar with their (good or poor) performance. Strengthening internal security is far easier, and cheaper, than trying to predict or prevent any and all external threats. To use a common analogy: You cannot prevent another vehicle from hitting your car, but you can at least wear a seatbelt. We at novaturient specialize in organizational performance and change management, and analyzing companies’ strengths and weaknesses.