Skip to main content
All Posts By

Thomas Whang

5 Key Updates in NIST Framework 2.0 to Know About

5 Key Updates in NIST Framework 2.0 to Know About

By Executive, Impelix, Impelix IMPACT Platform, Practitioner, Thoughts

The National Institute of Standards and Technology (NIST) recently unveiled the second iteration of its cybersecurity framework, commonly referred to as NIST Framework 2.0. This updated version introduces significant enhancements and changes that reflect the evolving landscape of cybersecurity threats and the need for more adaptive and robust security measures. The original framework, established to provide organizations with a comprehensive set of guidelines for managing cybersecurity risk, has been widely adopted across various sectors. However, as cyber threats have grown in complexity and frequency, the need for an updated framework became evident. This blog will explore the key updates in NIST Framework 2.0 and highlight the major differences from its predecessor.

1. Enhanced Emphasis on Privacy and Supply Chain Risk Management

One of the most notable updates in NIST Framework 2.0 is the increased emphasis on privacy and supply chain risk management. The original framework touched on these areas, but the latest version provides more detailed guidance, acknowledging the interconnected nature of today’s digital ecosystems. Organizations are encouraged to adopt a more holistic approach to cybersecurity, considering not only their internal processes but also how they interact with partners, suppliers, and third-party service providers.

2. Introduction of New Categories and Subcategories

NIST Framework 2.0 introduces new categories and subcategories that address emerging technologies and threat vectors. For instance, there is now more explicit guidance on cloud security, mobile device management, and the Internet of Things (IoT). These additions are designed to help organizations navigate the security challenges associated with these technologies, which were not as prevalent or critical when the original framework was developed.

3. Focus on Cybersecurity Resilience

Another significant shift in NIST Framework 2.0 is the increased focus on cybersecurity resilience. While the original framework emphasized identifying, protecting, detecting, responding, and recovering from cybersecurity incidents, the new version goes further by stressing the importance of resilience throughout these stages. This means not only reacting to cyber threats but also ensuring that operations can continue during and after an attack. The updated framework encourages organizations to develop and maintain systems that are not only secure but also resilient to disruptions.

4. Improved Accessibility and Flexibility

Recognizing the wide range of organizations that use the framework, from small businesses to large enterprises and government agencies, NIST Framework 2.0 is designed to be more accessible and flexible. The language has been simplified where possible to make the guidelines more approachable for non-experts. Additionally, the framework offers more examples and templates to assist organizations in implementing the recommended security measures. This inclusivity ensures that organizations of all sizes and sectors can effectively apply the framework to improve their cybersecurity posture.

5. Strengthened Alignment with Other Standards and Frameworks

NIST Framework 2.0 aims for better alignment with other international standards and cybersecurity frameworks, such as ISO/IEC 27001 and the CIS Controls. This harmonization is beneficial for organizations that adhere to multiple standards, as it simplifies compliance efforts and strengthens overall cybersecurity practices. By ensuring compatibility with other widely recognized frameworks, NIST makes it easier for organizations to adopt a comprehensive and cohesive approach to managing cybersecurity risk.

In Summary

Comparing NIST Framework 2.0 to its predecessor, the most significant differences lie in its broader scope, which now includes detailed guidance on privacy and supply chain risks, and its adaptability to emerging technologies. The emphasis on resilience and the efforts to make the framework more accessible and aligned with other standards demonstrate a forward-thinking approach to cybersecurity. The release of NIST Framework 2.0 marks a significant milestone in the evolution of cybersecurity standards. By addressing current challenges and providing clear, actionable guidance, the framework is a vital resource for organizations aiming to bolster their cybersecurity measures. As cyber threats continue to evolve, staying abreast of updates like NIST Framework 2.0 is crucial for organizations committed to safeguarding their operations and assets against cyber risks.

How Impelix IMPACT Can Help With Compliance

With the modifications to the NIST Framework, you may be wondering how they impact your cybersecurity maturity. The IMPACT platform from Impelix approaches compliance through a data-driven strategy. By integrating all the technologies in your stack and collecting telemetry, IMPACT can provide a real-time snapshot of your compliance progress with no effort. You will be able to check against common frameworks such as NIST CSF, ISO 27001, CIS CSC, and NIST 2.0, which will be introduced to the platform shortly. This allows you to assess your organization’s preparedness against a cybersecurity framework in a cost-effective manner.

Is Third-Party Risk That Bad?

Is Third-Party Risk That Bad?

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Thoughts

As a CTO with 25 years of cybersecurity experience, I am never at ease with the state of cybersecurity. It’s not because we’re not doing our jobs, it’s just that our modern-day businesses operate as part of a larger business ecosystem and I am concerned about the additional risks operating like this brings to an organization. Specifically, I am talking about third-party risk.

It is a hidden weakness that may undermine even the most formidable organizations, much like Superman’s kryptonite. Financial losses, operational disruptions, and reputational damage can occur as a result of a vendor, supplier, or contractor’s single slip-up, leaving you feeling helpless.

Why is third-party risk so potent? It’s simple:

  • Increased Reliance on External Partners: We outsource more than ever before, from IT infrastructure to marketing campaigns. This expands our attack surface, making us vulnerable to the weaknesses of others. It’s the weakest link principle, you are “only as strong as its weakest link.”
  • Lack of Transparency: When it comes to the security and operations of third parties, we don’t always have complete control.
  • Complex Ecosystem: The web of third-party relationships can be intricate and ever-changing, making it difficult to track and manage risk effectively

I am not trying to instill fear in you, but the potential fallout is no joke:

Data Breaches

A third-party’s immature security posture could expose your sensitive data, leading to lawsuits, fines, and eroded trust.


Click infographic to enlarge

Operational Disruptions

A critical vendor outage can cripple your entire business, costing you revenue and damaging customer relationships.

Production at some of Stellantis’ North American assembly plants were offline for approximately 3 days.

Source: BleepingComputer

Damage to Reputation

Hearing of your outside party’s cybersecurity incident can swiftly tarnish your brand, making it hard to entice consumers and investors.

The public disclosure of the hack that affected more than 18,000 companies and many government bodies caused SolarWinds’ stock price to plummet.

Source: SolarWinds

So, what can we do to avoid the kryptonite kiss of death? Here’s my playbook:

  • Proactive Due Diligence: Thoroughly examine potential risks before onboarding any third party as part of proactive due diligence. Look at their security measures, regulatory compliance, and financial soundness. Do not merely mark the box; delve deeply.
  • Contractual Safeguards: Craft watertight contracts that clearly define risk ownership, incident response protocols, and termination clauses. Make sure you’re not left holding the kryptonite bag.
  • Always Be Watching: Never Leave It Alone. Keep a close eye on how well your third parties are doing and how secure they are. To remain one step ahead of possible dangers, make use of technological and intelligence-based solutions.
  • Open Communication: Foster open communication channels with your third parties. Encourage them to share security updates, incident reports, and any concerns they may have. Remember, we’re all in this kryptonite fight together.
  • Build a Culture of Awareness: Educate your employees about third-party risk and how their actions can impact it. Encourage them to report suspicious activity and be vigilant about phishing attacks and social engineering scams.

If you follow these steps, you can make third-party risk work for you instead of against you. Your operational efficiency, competitive edge, and organization’s resilience can all be improved with a well-managed ecosystem of third parties.

Remember, in the game of risk management, Superman might be able to fly, but a proactive approach is the real magic bullet. So, go forth, brave risk managers, and conquer the kryptonite!

Just a friendly reminder to include kryptonite-resistant underwear in your budget... I mean, cyber insurance. Being cautious is preferable than being unprepared.

1. Ponemon Institute and Shared Assessments survey - Third-Party Risk Management Benchmarking Study 2019
2. Predictions 2022: Cybersecurity, Risk and Privacy, Forrester Research, Inc., Oct. 28, 2021

Eight Steps to Implement an Enterprise Risk Management Framework

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Thoughts

In the fast-paced and dynamic world of business that we are in, having a robust enterprise risk management (ERM) framework is crucial for organizations to survive. With the constant evolution of the modern business landscape, it has become increasingly vital for companies to navigate potential risks effectively. By implementing a comprehensive ERM framework, businesses can proactively anticipate and address potential threats, ensuring their long‑term success.

What is ERM?

Enterprise Risk Management (ERM) is a crucial process that plays a significant role in the success of organizations. It serves as a comprehensive framework that enables businesses to identify, assess, and effectively manage various types of risks. These risks encompass a wide range, including financial risks, operational risks, and even reputational risks. By implementing ERM, organizations gain a holistic understanding of the potential risks they may face. This understanding allows them to develop proactive strategies to mitigate these risks and ensure the smooth functioning of their operations. ERM acts as a guiding light, illuminating the path towards a more secure and resilient future for businesses. Financial risks, such as market volatility or economic uncertainties, can pose significant challenges to organizations. ERM equips businesses with the tools and methodologies to assess and manage these risks effectively. By doing so, organizations can safeguard their financial stability and make informed decisions that align with their long-term objectives. Operational risks, on the other hand, encompass a wide range of potential disruptions to business processes.

In essence, ERM serves as a protective shield, safeguarding companies from the uncertainties and challenges that arise in today’s complex business environment. It enables organizations to assess risks holistically, considering both internal and external factors that may pose a threat to their operations. Moreover, an effective ERM framework fosters a culture of risk awareness and accountability within an organization. By encouraging employees at all levels to actively participate in risk management efforts, companies can harness the collective intelligence and expertise of their workforce. This collaborative approach enhances the organization’s ability to identify and respond.

How Can an Organization Implement ERM?

While there is no universally recognized or defined ERM framework, there is a well-established methodology that can improve any company’s chances of successfully implementing ERM. Here is one way on how an organization can implement an effective enterprise risk management (ERM) framework:

Step 1: Leadership Commitment and Alignment

The journey starts when the leaders of the company are committed and on the same page. The top leaders need to not only agree with the idea, but also work to make it happen. It is very important to show that your culture values strategic choices that take risks into account.

Step 2: Create a Risk Appetite

Every organization has a risk tolerance level that it is willing to accept. It is critical to explicitly define and express this risk appetite. It serves as a guiding beacon, assisting in navigating the turbulent seas of risks and possibilities.

Step 3: Create a Strong Policy Framework

Developing a solid policy framework is analogous to preparing the foundations of a sturdy building. This process entails creating policies that explain the risk management philosophy, objectives, and tactics of the organization. This framework should be comprehensive, addressing all potential risk aspects, such as financial, operational, reputational, and strategic risks.

Step 4: Identifying and Assessing Risks

With a robust policy framework in place, it’s time to explore the enormous terrain of potential dangers. This step entails identifying and assessing potential hazards that may affect the organization. Various tools, including as SWOT analysis, PESTLE analysis, and risk heat maps, can be used.

Step 5: Putting Risk Response Plans into Action

Once the risks have been found and evaluated, the organization needs to develop and execute risk response strategies. Some of these tactics could be to completely avoid the risk, while others could be to accept the risk and share it with other stakeholders. The plan should be based on a careful analysis of how each identified risk could happen and how likely it is to happen.

Step 6: Monitor and Report

Transparency and open dialogue are vital for an ERM framework to work effectively. It is important to set up a mechanism for all stakeholders, including employees, board members, and investors, to get regular updates on risk management activities. This makes sure that everyone in the company is aware of the risks.

Step 7: Training and Development

Organizations should invest in training and development programs to equip their teams with the necessary skills and knowledge to manage risks effectively. It fosters a culture where every individual becomes a risk manager in their own capacity.

Step 8: Monitoring and Review

The final step in the journey is the constant monitoring and review of the ERM framework. This is a continuous process that helps in fine-tuning the risk management strategies and making necessary adjustments as the external and internal environments evolve.

Closing Thoughts

Implementing a successful ERM framework is an ongoing journey, not a one-time effort. It is a voyage full of discoveries, changes, and enhancements. By following these steps, organizations may confidently and agilely traverse the complicated world of risks, transforming potential threats into opportunities for growth and innovation.

So, set out on this trip with enthusiasm and energy, and direct your business toward a future that is not only secure but also replete with opportunity. Until next time, safe risk‑taking!

Want to Ward Off Ransomware Attackers? Take Away Their Key

By Thoughts No Comments
Recently, I had the opportunity to present to a group of 25+ IT leaders representing manufacturing and distribution companies of various business sectors, some of them global, about cybersecurity. They were interested in hearing the latest about ransomware attacks at JBS and Colonial Pipeline, which continue to generate headlines because of the havoc they caused, and the huge ransoms demanded by bad actors that were paid (at least in part) by these companies. Read More

“Where There’s a Will, There’s a Way” — A Cyber Security Tale

By Thoughts No Comments
Throughout the history of mankind, ingenuity and determination have played outsized roles in the advancement of civilization. Were it not for the tenacity and dedication of Nikola Tesla, for example, we would not be enjoying the convenience of alternating current (AC) electricity. Alexander Hamilton, a penniless orphan born out of wedlock, came to the United States from the Caribbean as a young man and went on to become one of our Founding Fathers who created the central banking system and U.S. Coast Guard. Read More

The Year of Passwordless

By Thoughts No Comments
Last year was like no other. A once-in-a-generation pandemic completely upended our normal way of life and doing business, and it only now feels like we can we begin to look back on 2020 with a collective sigh of relief. Still, there’s a lot we can learn from last year (the ways in which technology propped us up during the pandemic and let us down, for example) that can influence and inform what we resolve to do differently in 2021. Read More