The Revised NIST Cybersecurity Framework

Understanding the NIST Cybersecurity Framework: A Guide for CPAs and Financial Executives

In the rapidly evolving landscape of cybersecurity, the terms "identify," "protect," "detect," "respond," and "recover" have become ubiquitous. These five functions form the backbone of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), first introduced in 2014. Initially aimed at critical infrastructure, the CSF has since gained traction across various industries, providing organizations of all sizes with a robust foundation for managing cybersecurity risks. With the recent release of CSF version 2.0 (CSF2), significant updates have been made to enhance its applicability, particularly for the accounting profession.

Current CPA Use of the CSF

Certified Public Accountants (CPAs) have increasingly integrated the CSF into their practices to bolster client service delivery and safeguard sensitive data. For instance, when conducting assurance services like the "SOC for Cybersecurity" examination, CPAs can utilize the CSF as a benchmark, provided it aligns with the AICPA’s attestation standards. This framework is also instrumental in management accounting, where CPAs assess and manage cybersecurity risks as part of their responsibilities.

Moreover, CPAs offering cybersecurity advisory services have found the CSF to be a valuable tool. Intuit’s Tax Pro Center highlights its utility in delivering cybersecurity advisory services, while the AICPA’s Tax Advisor journal emphasizes the CSF’s role in helping tax professionals comply with IRS and state data protection regulations. As organizations increasingly recognize the importance of cybersecurity, CPAs are well-positioned to guide their clients through the complexities of risk management.

Gaining Traction

The CSF’s success can be attributed to its practical approach to managing cybersecurity risks, which has resonated with organizations seeking to enhance their asset protection strategies. Developed during a time of increasing cyber threats, the CSF provided a flexible and concise framework that organizations could adapt to their specific needs. Its reputation as a vendor-neutral and independent resource further solidified its status as a go-to tool for demonstrating compliance and due diligence in the face of potential breaches.

As organizations of all sizes began to adopt the CSF, larger CPA firms capitalized on its guidance to develop specialized practices. For example, PwC produced materials illustrating how boards could leverage the CSF to improve risk oversight. However, smaller organizations often felt overwhelmed by the framework’s breadth, prompting governmental agencies to create tools to facilitate its adoption in less complex environments.

Initially Overwhelming, But Worth the Effort

In response to a decade of technological advancements and evolving threats, NIST has released CSF2, which is designed to accommodate organizations of all sizes and types. While some users may initially perceive the updated framework as more complex, NIST has provided numerous resources to aid in its implementation. The press release announcing CSF2, along with the "Resource and Overview Guide," offers insights into the new version’s benefits and critical changes.

For small to medium-sized businesses (SMBs), the "Small Business Guide" serves as a practical resource, outlining essential steps to kick-start a cybersecurity risk management strategy. This guide distills the key elements of CSF2 into actionable items, making it accessible to organizations with little or no existing cybersecurity planning.

Financial Executive Interests

One of the most significant enhancements in CSF2 is the introduction of a governance function, which provides senior executives with guidance on overseeing cybersecurity efforts. This new function emphasizes the importance of establishing a risk management strategy, defining roles and responsibilities, and implementing effective policies. Additionally, the framework places a greater focus on supply chain risk management, addressing the vulnerabilities that can arise from third-party vendors.

The "Quick-Start Guide for Using CSF Tiers" is another valuable resource for organizations looking to benchmark their cybersecurity governance and management outcomes. By utilizing defined tiers, organizations can engage in realistic discussions about their current status and the investments needed to enhance their cybersecurity posture.

Other Supporting Tools

For professionals in auditing and information security, CSF2 offers detailed guidance through various quick-start guides. The "Quick-Start Guide for Cybersecurity Supply Chain Management" highlights critical elements necessary for designing and operating a vendor management program. Additionally, organizational and community profiles provide insights into best practices that can be tailored to meet specific organizational needs.

A Key Reference

For CPAs involved in cybersecurity, the updated CSF will play a crucial role in shaping their service offerings. As organizations seek to mitigate litigation risks and enhance their cybersecurity defenses, CSF2 provides a foundational framework for addressing the sophisticated threats they face. By leveraging the guidance offered in CSF2, CPAs can better serve their clients and contribute to a more secure business environment.

In conclusion, the NIST Cybersecurity Framework, particularly in its latest iteration, offers invaluable resources for CPAs and financial executives. By embracing the framework’s principles and tools, organizations can navigate the complexities of cybersecurity and establish a robust defense against emerging threats.

About the Author
Joel Lanz, CPA, CISA, CISM, CISSP, CFE, is a lecturer at SUNY–Old Westbury and an adjunct professor at NYU-Stern School of Business, New York, N.Y. He provides information security advisory services through Joel Lanz, CPA, P.C., Jericho, N.Y., and is a member of The CPA Journal Editorial Advisory Board.
