🌐 NIST SP 1331: Tackling Emerging Cybersecurity Risks with CSF 2.0

NIST's new draft Quick-Start Guide (SP 1331) highlights how organizations can strengthen their resilience against emerging risks by leveraging the Cybersecurity Framework (CSF) 2.0.

🔍 Key Takeaways

- Two Types of Emerging Risks: risks known to some but not all (e.g., ransomware, phishing, DDoS), and risks unknown to everyone, with no prior mitigations, demanding adaptive responses.
- Systems-of-systems complexity (IT, OT, IoT, AI/ML) amplifies unpredictability and requires multi-disciplinary risk approaches.
- ERM Integration: aligning CSF 2.0 with Enterprise Risk Management (ERM) enables better prioritization, governance, and resource allocation.
- CSF 2.0 in Action:
  - Govern: update policies, roles, and oversight to account for emerging risks.
  - Identify: leverage risk registers, BIAs, and root-cause analysis for stronger visibility.
  - Protect: build resilience via segmentation, redundancy, and zero-trust practices.
  - Detect/Respond/Recover: accelerate detection, improve crisis response, and ensure prioritized recovery with alternative communication strategies.
- Improvement Loop: lessons learned from incidents must feed directly into governance and planning cycles.

💡 Action Steps for CISOs & Risk Leaders

- Embed emerging risks into policy, strategy, and role definitions.
- Strengthen containment and redundancy mechanisms to prevent cascading failures.
- Use cross-domain coordination (IT, OT, AI, ERM) to anticipate novel risks.
- Treat resilience as an enterprise-wide mandate, not just a security function.

Bottom Line: Preparing for the unknown unknowns of cybersecurity requires CSF 2.0 not just as a checklist, but as an adaptive governance model. Emerging risks demand foresight, flexibility, and continuous improvement.

#NIST #CSF2 #CyberResilience #RiskManagement #ERM #Governance #CybersecurityFramework #CISO #EmergingRisks #ZeroTrust
Cybersecurity Frameworks for Managing Cyber Risks
Summary
Cybersecurity frameworks for managing cyber risks provide structured guidelines and best practices that organizations can use to protect themselves from online threats and minimize potential damage. These frameworks help businesses identify their most important assets, set up protective measures, and continuously improve their security posture in response to new challenges.
- Align with business needs: Choose a mix of frameworks that fits your organization's industry, functions, and regulatory requirements rather than adopting them blindly.
- Prioritize key actions: Focus on understanding what needs protecting, implementing controls for your highest risks, and proving your security to customers and regulators.
- Commit to improvement: Use frameworks as ongoing guides to regularly review and strengthen your cybersecurity strategies instead of just checking off compliance boxes.
The National Institute of Standards and Technology (NIST) has released a draft of its "Cybersecurity Framework Profile for Artificial Intelligence" (open for public comment until Jan 30, 2026) to help organizations think about how to strategically adopt AI while addressing emerging cybersecurity risks that stem from AI's rapid advance. Building on the #NIST Cybersecurity Framework 2.0, the Cyber AI Profile translates well-established risk management concepts into AI-specific cybersecurity considerations, offering a practical reference point as organizations integrate AI into critical systems and confront AI-enabled threats.

The Cyber AI Profile centers on three focus areas:

- Securing AI systems: identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure.
- Conducting AI-enabled cyber defense: identifying opportunities to use AI to enhance cybersecurity, and understanding challenges when leveraging AI to support defensive operations.
- Thwarting AI-enabled cyberattacks: building resilience to protect against new AI-enabled threats.

The Profile complements existing NIST frameworks (CSF, AI RMF, RMF) by prioritizing AI-specific cybersecurity outcomes rather than creating a standalone regime.
As I've been digging into the #CybersecurityFramework 2.0, and helping clients navigate the changes, I've found several areas where the new additions feel pretty significant. If you're already using the #CSF and trying to figure out where to focus first, take note of these new Categories:

- The POLICY (GV.PO) Category was created to encompass ALL cybersecurity policies and guidance. Now, on one hand it might seem like a "well, of course" moment to consolidate all cybersecurity policies into one place; on the other hand, policies were previously sprinkled throughout the CSF, and were tied to specific actions like Asset Management or Incident Response. Now, it's all in one area, which makes a ton of sense and simplifies things, but also means we've got to remember that this one Category covers everything!
- Another significant addition is the PLATFORM SECURITY (PR.PS) Category, which largely pulls together key topics from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT), focusing on security protections around broader platform types (hardware, software, virtual, etc.). If you're looking for things like configuration management, maintenance, and SDLC, you'll now find them here.
- The TECHNOLOGY INFRASTRUCTURE RESILIENCE (PR.IR) Category pulls largely from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT) as well, but also pulls in key aspects from Data Security (PR.DS). This new Category highlights the need for managing an organization's security architecture and includes security protections around networks as well as your environment to ensure resource capacity, resilience, etc.

So, what does all this mean for your organization? Whether you're just starting out, or you're looking to refine your existing cybersecurity strategies, CSF 2.0 offers a more streamlined framework to use to bolster your cyber resilience.

Remember, staying ahead in cybersecurity is a continuous journey of adaptation and improvement. Embrace these changes as an opportunity to review and enhance your cybersecurity posture, leveraging the expanded resources and guidance provided by #NIST! Have you seen the updated mapping NIST released from v1.1 to v2.0? Check it out here to get started and "directly download all the Informative References for CSF 2.0" 👇 https://lnkd.in/e3F6hn9Y
10 Cybersecurity Frameworks Most Teams Inherit, Not Choose!

A big customer asks for SOC 2. A regulator mentions ISO or NIST. Suddenly your "strategy" becomes a messy stack of rules that nobody can clearly explain. Frameworks were meant to reduce confusion. Not multiply it.

Here's the truth 👇 If you remove the logos, most cybersecurity frameworks answer the same few questions:

- What are we protecting, and how critical is it?
- Which controls reduce real attacks first?
- How do we prove trust to customers and regulators?
- How do we improve over time instead of ticking boxes once?

That's it. The 10 major frameworks simply sit at different points of that map.

- Some shape strategy: NIST CSF gives structure and direction.
- Some formalize governance: ISO 27001 / 27701 turn security into a certifiable system.
- Some drive action: CIS Controls tell engineers where to start.
- Some build external trust: SOC 2, PCI DSS, HIPAA, HITRUST speak auditor language.
- Some go deep where risk is highest: CSA CCM, NIST 800-53, 800-171 for cloud and government needs.

The mistake? Treating frameworks like competing religions. Strong teams stack them. One shapes strategy. One drives execution. One proves trust.

Over time, the question changes from: "Are we compliant with X?" To: "Which mix best explains our risk story to the people who must trust us?" That's when frameworks stop being paperwork and start acting like an operating system for security.

Which framework actually helps your team make better decisions today? 👇 Which one does your organization rely on most right now?

------------

Hi, I'm Harris D. Schwartz, Fractional CISO and Cybersecurity Leader. I help CEOs and executive teams strengthen their security posture and build resilient, compliant organizations. With 30+ years across NIST, ISO, PCI, and GDPR, I know how the right security decisions reduce risk and protect growth.

If you are planning how your security program needs to evolve in 2026, this is the right time to have that conversation. #CyberSecurity #SecurityFrameworks #RiskManagement #CISO #ISO27001 #NIST #SecurityStrategy
Navigating Europe's New Digital Resilience Framework: NIS2 and DORA

The EU's Digital Operational Resilience Act (DORA) and Network and Information Systems Directive (NIS2) are reshaping cybersecurity requirements across critical sectors. While DORA targets financial institutions with specific ICT risk management frameworks, NIS2 covers essential entities across eleven sectors including energy, transport, and healthcare.

Both frameworks establish strict incident reporting timelines and emphasize senior management accountability. DORA requires notification within four hours of incident classification, while NIS2 mandates reporting within 24 hours. Non-compliance carries significant penalties, with NIS2 fines reaching EUR 10 million or two percent of global turnover for essential entities.

The global implications extend beyond EU borders through third-party service provider requirements. Organizations worldwide working with covered entities must understand these obligations to maintain business relationships and competitive positioning.

Even companies not directly subject to these requirements should consider adopting their risk management principles. Regular third-party assessments, penetration testing, and comprehensive audit practices represent emerging industry standards that strengthen operational resilience across all jurisdictions.

The convergence of these frameworks signals a fundamental shift toward proactive risk management in our interconnected digital economy. Organizations that embrace compliance as a strategic advantage will build stronger, more resilient operations.

#ISAA #Cybersecurity #RiskManagement #DORA #NIS2 #DigitalResilience #Compliance
🔒 Cyber GRC: Essential Steps in Light of SEC Cyber Rule, NIST CSF 2.0, and CISA CIRCA 🔒

In today's dynamic digital landscape, managing cybersecurity goes beyond merely protecting systems. It's about Cyber GRC (Governance, Risk, and Compliance): a comprehensive approach to aligning cybersecurity measures with business strategy, mitigating risks, and ensuring compliance with regulations. With the recent SEC Cyber Rule, NIST CSF 2.0, and CISA CIRCA, Cyber GRC's importance has reached new heights. Here's how you can leverage Cyber GRC to stay ahead:

- Governance: Establish a robust cybersecurity governance structure that sets clear policies and responsibilities. Define how your organization's cyber strategy aligns with business goals and industry standards like the NIST Cybersecurity Framework (CSF) 2.0.
- Risk Assessment: Regularly evaluate cyber risks to identify vulnerabilities and potential threats. Incorporate CISA CIRCA guidelines to manage cyber incidents effectively, minimizing business impact.
- Compliance: Ensure adherence to the new SEC Cyber Rule, which mandates disclosure of cyber incidents and proactive measures to safeguard data. Keep up-to-date with evolving regulations to maintain compliance and avoid penalties.
- Incident Response: Develop a comprehensive incident response plan, integrating guidance from CISA CIRCA and NIST CSF 2.0. Test and refine it regularly to ensure swift action when needed.
- Continuous Improvement: Cyber GRC is an ongoing process. Monitor performance, conduct audits, and adapt strategies to address emerging threats and regulatory changes.

By integrating Cyber GRC into your organization's DNA, you can navigate the evolving cyber landscape confidently. This holistic approach safeguards against risks, maintains compliance, and ensures your cyber strategy supports business growth. How is your organization adapting to the new regulatory landscape?
Building Resilience: Choosing the Right Cybersecurity Framework for 2026 🛡️

In an era of evolving AI-driven threats and complex supply chain risks, a "one-size-fits-all" approach to security no longer suffices. Organizations today must move beyond basic compliance toward true operational resilience. Three frameworks continue to stand as the global pillars for establishing a robust security posture:

- NIST CSF (v2.0): The strategic gold standard. With the recent addition of the 'Govern' function, NIST emphasizes that cybersecurity is a top-down enterprise risk, not just an IT problem. It's highly flexible and outcome-focused.
- ISO/IEC 27001: The hallmark of global trust. As a certifiable standard, it provides a rigorous, process-driven Information Security Management System (ISMS) that proves your commitment to security to partners and regulators worldwide.
- CIS Controls (v8.1): The tactical playbook. For teams needing immediate, prioritized, and actionable defense steps, the CIS Critical Security Controls offer the most direct path to mitigating the most prevalent cyber attacks.

Whether you are building from the ground up or maturing an enterprise program, these frameworks are not mutually exclusive; they are complementary. Which framework is your organization prioritizing this year? Let's discuss in the comments. 👇

#Cybersecurity #RiskManagement #NIST #ISO27001 #CISControls #Infosec #AppSec #Compliance #DrAryendraDalal
🛡️ Overview of the Six NIST CSF Functions vs ISO 27001

- NIST CSF provides a flexible, high-level and business-centric approach broken down into six clear functions that guide organizations from governance all the way to recovery. It encourages continuous risk evaluation and is accessible for organizations at various maturity levels without a requirement for certification.
- ISO 27001 is a formal international standard focusing on establishing a documented and certifiable Information Security Management System (ISMS). It encompasses a detailed set of controls from Annex A that align to various cybersecurity domains covered within the NIST CSF functions, but promotes a more prescriptive, process-driven approach requiring formal audit and certification.

Key Decision Points for Organizations

- Use NIST CSF if flexibility, risk prioritization, and a maturity-driven approach are important, especially if formal certification is not necessary or is cost prohibitive.
- Use ISO 27001 if a formal, internationally recognized certification is needed to meet regulatory, contractual, or business partner requirements.

Many organizations adopt NIST CSF to lay a practical cybersecurity foundation and then pursue ISO 27001 certification as they mature operationally and compliance demands increase. Together, these frameworks can be complementary, helping organizations build resilient cybersecurity programs aligned with both business needs and compliance mandates.

#Cybersecurity #Infosec #CyberRisk #InformationSecurity #ISO27001 #NISTCSF #CyberResilience #CyberGovernance #CyberDefense #DataProtection #CybersecurityStandards #RiskManagement
Here are 6 ways organizations can protect themselves from cybersecurity attacks. These steps can help any organization build a stronger cybersecurity posture. As a cybersecurity professional, you don't have to re-invent the wheel to keep your organization safe. There are many cybersecurity frameworks that can guide you there. Today, I'm focusing on the NIST CSF 2.0. The NIST CSF 2.0 is a voluntary framework that, at minimum, every organization should be following. Here are the 6 steps within the framework:

1. GOVERN - The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. It provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.
2. IDENTIFY - The organization's current cybersecurity risks are understood. Understanding the organization's assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks enables an organization to prioritize its efforts consistent with its risk management strategy and the mission needs identified under it.
3. PROTECT - Safeguards to manage the organization's cybersecurity risks are used. Once assets and risks are identified and prioritized, it supports the ability to secure those assets to prevent or lower the likelihood and impact of adverse cybersecurity events, as well as to increase the likelihood and impact of taking advantage of opportunities. Outcomes covered include identity management, authentication, and access control; awareness and training; data security; platform security (i.e., securing the hardware, software, and services of physical and virtual platforms); and the resilience of technology infrastructure.
4. DETECT - Possible cybersecurity attacks and compromises are found and analyzed. It enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring. It supports successful incident response and recovery activities.
5. RESPOND - Actions regarding a detected cybersecurity incident are taken. It supports the ability to contain the effects of cybersecurity incidents. Outcomes cover incident management, analysis, mitigation, reporting, and communication.
6. RECOVER - Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate communication during recovery efforts.

MUST HAVE: → Strong Cybersecurity Culture

Don't have all of the above in place? It's ok. Start building toward them. The goal is to get stronger every day. Questions on keeping your organization safe? DM me. Keep this in your back pocket by saving this. 💾 Repost for others ♻️
Enough gatekeeping. You don't need coding to start in every field of cybersecurity: not in GRC, not even in security awareness. Coding can help later, but it's not a barrier to entry. If you're curious about Governance, Risk & Compliance (GRC), which is the "policy side" of cybersecurity, here's a roadmap you can actually understand 👇

1. Learn the Basics. Start with how cyber risks work and why companies care about data privacy (laws like GDPR or HIPAA).
   - NIST Cybersecurity Framework – https://lnkd.in/d5jqWw3d
   - GDPR Basics – https://lnkd.in/dh5X_nWS
2. Understand Frameworks. These are "rulebooks" that guide organizations. Popular ones:
   - ISO 27001 → international standard for securing info
   - NIST CSF → U.S. framework for managing cyber risks
   - COBIT → focuses on IT governance
   - ISO 27001 – https://lnkd.in/dFi7s5uE
   - COBIT – https://lnkd.in/dCvyh6Xg
3. Get Into Compliance & Audits. This is simply checking: "Are we following the rules?"
   - Learn how audits work
   - Try compliance checklists for GDPR or PCI DSS (used for payment card security)
   - PCI DSS – https://lnkd.in/dqCSb38c
   - GDPR Checklist – https://gdpr.eu/checklist/
4. Explore GRC Tools. Companies use platforms to track risks and compliance. Look up:
   - RSA Archer
   - ServiceNow GRC
   - AuditBoard
   - ServiceNow GRC – https://lnkd.in/djzC2uK5
5. Security Practices Everyone Should Know. Even in GRC, you should understand basics like:
   - Encryption (locking data)
   - MFA (two-step login)
   - Incident response (what to do when hacked)
   - CISA Incident Response Guide – https://lnkd.in/dBxQh7MZ
6. Soft Skills Matter. Cybersecurity isn't just tech. GRC pros need to:
   - Write clear reports people can understand
   - Communicate with leadership & technical teams
   - SANS on Cybersecurity Communication – https://lnkd.in/dRKX3DiM

P.S.: Coding is not the gatekeeper to cybersecurity. You can start in some fields, including GRC, without it. Over time, technical knowledge will make you stronger, but it's not the ticket in.