Connecting COBIT 2019 to the NIST Cybersecurity Framework

Connecting COBIT 2019 to the NIST Cybersecurity Framework
Author: Greg Witte, CISM, Security Engineer and Cybersecurity Instructor
Date Published: 23 December 2019

Among the most exciting projects I’ve worked on has been the integration of NIST’s Cybersecurity Framework with COBIT. Now, with the update of that project to COBIT 2019, entities around the globe will have a fresh and agile methodology for improving cybersecurity! The NIST CSF provides a model based on five functions: IDENTIFY important information & technology (I&T) and what threatens it; discuss and analyze how best to PROTECT I&T; determine how best to DETECT issues; RESPOND quickly and effectively; and, achieve organizational plans to RECOVER well. One challenge is that NIST decided not to provide detailed implementation guidance but prefers to let industry factors influence how the CSF is used. At times, what NIST publishes as agile guidance gets adopted as rigid, prescriptive criteria instead, so I can understand the hesitation to provide even an example recipe. But, how to apply this useful framework in a way that’s meaningful for my enterprise? Enter COBIT 2019!

ISACA’s new guide to Implementing the NIST Cybersecurity Framework with COBIT 2019 provides a method for using COBIT 2019’s processes to gain the benefits of the NIST CSF. COBIT is stakeholder-driven in that it begins with asking, “How do/should information & technology (I&T) bring value to those (e.g., owners, partners, customers) that have a stake in the organization’s success?” The important follow-up question to that is to ask, “How do I balance achievement of that value while optimizing both risk and resource considerations?” The new implementation guide steps the reader through COBIT 2019’s seven phases, showing how the NIST CSF steps and relevant COBIT activities work together to understand objectives, current state, risk implications, desired state and an action plan to get there and stay ahead. Notably, the guide describes COBIT’s updated features like Design Factors (added to bring agile customization) and Focus Areas (areas of governance and management that merit a particular bit of attention for this particular entity). In the same way, these updates help COBIT users create a flexible but meaningful model for enterprise governance and management of enterprise I&T, using COBIT and NIST CSF together to provide a way to plan and achieve a cybersecurity action plan and keep it up to date.

It is interesting that, in showing how to use COBIT for cybersecurity, colleagues have shared that the process helps them better understand COBIT itself. Some that might benefit from COBIT don’t initially grasp some of its use of terms like “stakeholder objectives” and “intrinsic and contextual elements of information quality criteria.” But when they step back and take a look at the common-sense approach COBIT brings, they understand that organizations don’t just want to “go through the motions” – they benefit from identifying what will best contribute to the organization’s success and how to get there. Thus, it makes sense to figure out our objectives for success based on what’s important to our stakeholders. It makes sense to combine COBIT’s proven governance and management methods and performance measurement activities to ensure successful achievement of those objectives. And, so, it makes sense to apply the lessons learned in COBIT’s 20-plus year history to govern and manage cybersecurity as an important element of stakeholders’ success.

ISACA will be offering courses in how to achieve that success, including a credential on using COBIT 2019 with NIST CSF. I’ve been fortunate to teach previous versions of that course, and the diverse ways that students use COBIT and NIST CSF are a testament to the value of these two frameworks, and the benefits of using the two together. I look forward to hearing how it helps you gain those benefits.