Welcome to part two of our three-part series, where we explore the relationship between NIST’s recently updated Cybersecurity Framework (NIST CSF), one of the most widely adopted security frameworks globally and considered a gold standard by security practitioners, and NIST’s Privacy Framework (NIST PF) in creating privacy and security resilience at companies.
The US National Institute of Standards and Technology’s (NIST) cybersecurity and privacy frameworks help businesses identify, understand, manage, and reduce their cybersecurity and privacy risk.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. It was originally introduced in 2014 and updated in 2018 and 2024.
What is the NIST Privacy Framework?
The NIST Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk so they can build innovative products and services while protecting individuals’ privacy. It was originally introduced in January 2020.
Both the NIST Cybersecurity Framework 2.0 and the NIST Privacy Framework have implementation tiers to help companies understand the maturity of their cybersecurity and privacy risk programs. The implementation tiers show overall risk posture: the higher the tier a company achieves, the more mature and resilient its programs are. The business benefits are many, including avoiding regulatory scrutiny and fines, avoiding reputational damage, fewer or less serious data breaches, building loyalty and customer trust, reduced sales delays, and more, as outlined in the 2023 CIPL and CISCO report on the Business Benefits of Investing in Data Privacy Management Programs.
Source: the 2023 CISCO & CIPL report on Business Benefits of Investing in Data Privacy Management Programs
The Minimum Organizations Should Strive for is Tier 3: Repeatable.
Many companies are at Tier 2 (Risk-Informed) and striving for Tier 3 (Repeatable). They are shifting from treating security and privacy as merely a compliance requirement to seeing them as a way to reduce business risk.
Tier 3 (Repeatable) of the NIST implementation tiers is where a company’s policies are formally approved by leadership, documented, and kept up to date. There is an organization-wide approach to managing cybersecurity and privacy risk. The company is able to respond quickly to security and privacy incidents, and it has the technical capacity in place to address ecosystem and third-party risk.
From a privacy perspective, a company must have a true understanding of its data processing posture for the rest of its privacy program and risk mitigations to be meaningful. Companies need to document that processing activity and present the resulting privacy risk to leadership as organizational risk. They also need the technical capacity to address their data processing risk.
Source: DataGrail, informed by the NIST implementation tiers
Getting to Acceptable Privacy Risk Level with Technological Capacity
To have repeatable, scalable, and automated processes to address a company’s privacy and security risk, you need the proper technological capacity.
From a data privacy perspective, many companies have unknown data processing (shadow IT, shadow AI, and shadow data processing). They have data sprawl because hundreds of business applications and systems process their customer and employee personal data. Many modern businesses were not designed with privacy in mind and struggle with “bolted-on” privacy programs. Often, companies try to solve data privacy issues in house, which is a significant time-sink with little to show for the effort. Evolving regulations add further pressure, with the legislative landscape around data privacy and data protection maturing through new laws and regulations every year. People — consumers, employees, and investors — expect and demand more privacy and data processing transparency from the brands they do business with, as well.
Solving Data Privacy with Purpose-built Privacy Technology
Security practitioners often wonder whether they can use their existing security technologies to address privacy. Solving the privacy problem, however, requires purpose-built privacy solutions.
DataGrail is a purpose-built privacy solution that guides brands from a reactive, inconsistent, and manual data privacy posture to a proactive and fully automated program. DataGrail’s complete data privacy platform is powered by Risk Intelligence that enables brands to automate and scale effective privacy programs to reduce business risk.
Key Takeaways
Companies can use NIST’s cybersecurity and privacy frameworks to help identify, understand, manage, communicate about, and reduce their cybersecurity and privacy risk.
If you want to learn more about how to manage data privacy risk, DataGrail partners with brands on their data privacy journey to minimize risk, stay a step ahead of consumer and employee expectations, and save increasingly scarce resources.
Further Learning Resources
- NIST Cybersecurity Framework 2.0
- NIST Privacy Framework
- NIST AI Risk Management Framework
- “Let’s Get Technical: Talking Privacy with Your CISO” presentation at the DataGrail Summit by Brandon Greenwood, CISO of Bed Bath & Beyond and Jonathan Agha, CISO of FanDuel
- DataGrail Newsletter