Why the New NIST CSF 2.0 Transforms Cyber Risk Management

August 14, 2023

The recent release of the NIST Cybersecurity Framework (CSF) 2.0 draft is certainly great news and a significant step forward. Over the years, cybersecurity experts have recognized the NIST CSF as a valuable framework.

According to NIST, the new Cybersecurity Framework 2.0 provides guidance for reducing cybersecurity risks by helping organizations understand, assess, prioritize, and communicate about those risks and the actions that will reduce them. In many ways, however, it also represents a transformative approach to cyber risk management, introducing a more holistic perspective. Here’s how:

Creation of the Govern Function

The unveiling of the Govern function within NIST’s Cybersecurity Framework serves as a clear, central message from NIST. Govern joins the well-known wheel of Identify, Protect, Detect, Respond, and Recover; however, it appears in the center because it informs how an organization implements the other five functions. The Govern function underscores the need for ongoing cyber risk management at the organizational management level. Within this function, the Risk Management Strategy category includes several new subcategories (GV.RM-04 through GV.RM-08), which are at the heart of NIST 2.0.

Involvement of Senior Management

NIST 2.0 squarely targets senior management in organizations. It emphasizes the urgency of addressing cyber risk management seriously and consistently. NIST 2.0 directs organizational management to integrate cyber risk management into its overall risk management activities rather than treating it as a separate concern.

Additionally, decision-makers must understand the significance of cyber risk. This is underscored by the pivotal addition of a new subcategory, “GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood,” within the “Organizational Context” category.

Similarly, a new subcategory within the “Roles, Responsibilities, and Authorities” category (GV.RR) explicitly clarifies the responsible parties for cyber risk. For instance, “GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continuously improving.”

Focus on Cyber Risk Quantification

Another critical aspect that NIST 2.0 addresses is the imperative of cyber risk quantification, detailed in the “Risk Management Strategy” category. It articulates the requirement for standardized methods to calculate, document, categorize, and prioritize cybersecurity risks. This directive illustrates the need for systematic evaluation of cyber risk based on the impact to organizational objectives.

Effective Cyber Crisis Management

Finally, NIST 2.0 emphasizes the vital necessity of effective cyber crisis management. This responsibility extends beyond the purview of CISOs or even their managers (usually CIOs). Instead, it mandates management-level involvement in managing cyber crises, as highlighted in the “Risk Management Strategy” category and the subcategory “GV.RM-04: Strategic direction that describes appropriate risk response options are established and communicated.”

How CYE Aligns with NIST 2.0

NIST 2.0’s overarching aim is to shape how organizational management addresses cyber risk, making it an integral part of the organization’s core activities. This is also a key approach of CYE, which focuses on improving organizational cybersecurity maturity, optimizing cyber risk quantification, and ensuring comprehensive cyber crisis management readiness.

Moreover, working with Hyver helps companies comply with the new Govern function by establishing a standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks. In closely aligning with NIST 2.0, CYE ensures that cyber risks are recognized, managed, and mitigated across all tiers of organizational leadership.

Want to learn more about how CYE can help you align to the NIST cybersecurity framework? Contact us

By Shmulik Yehezkel

Shmulik is CYE's CISO and Chief of Critical Cyber Operations. His 25+ years of experience include leading cyber operations, R&D, information security, and risk management in the Israel Defense Forces, the Ministry of Defense, and the Office of the Prime Minister of Israel.