How to Implement an it risk program using the nist csf

Building an IT Risk Program? Need Help?

Fill out the form to download your FREE RESOURCES from Bobby Dominguez on Applying the NIST CSF to Build Your Risk Program

 Schedule a Free "Listening Session"Consultation with Bobby Dominguez, CSSO to discuss your Risk Management Program. 


Need help assessing or building your Risk Framework?

Check the box to schedule your free "Listening Session" with our certified Cybersecurity and Risk Experts. 

3 key takeaways:

  • Risk is the context in which you apply your security program. It is the language that business will understand. The foundation of a risk program is based on the controls, which in turn are influenced by regulatory and statutory mandates.
  • Be careful with absolutes, as risk is about gray areas – probability x impact. Probability by it’s nature is often qualitative; Impact can be quantitative, but at some point, you’ll always have to make a best guess backed by the facts at hand. So don’t be sure to use both methods to communicate risk. But no matter how you calculate risk, keep it simple
  • The CSF is just a framework – think of a house and the framework that guides the structure of the house, but not the make up of the house. The walls can be stone, brick, wood, or compound materials – the walls and other elements can be customized to your needs, but the framework just provides the outline of where you’ll put walls, doors, windows, roof, etc.