Information Security Matters: NIST CSF 2.0 and the Cybersecurity Hierarchy

Author: Steven J. Ross, CISA, CDPSE, MBCI, MBCP
Date Published: 1 January 2025

At the end of my previous column,[1] I briefly discussed the fact that the NIST CSF 2.0[2] calls for “a hierarchy of executives, managers and practitioners not stated in the previous version.” This is not notable on its own. Organizations tend to develop hierarchies, and those responsible for cybersecurity must fit within them somewhere.

I suspect that most information security professionals did what I did on receiving CSF 2.0. I turned immediately to the list of requirements (categories and subcategories, in NIST-speak) and noticed at once that governance had become a sixth Function and that there are now many more subcategories under it. It was hard to miss, being right there on the cover as well. What I at first overlooked was the five paragraphs under the heading “Improving Risk Management Communication,” buried in the text leading up to the requirements.

Executives and the Governance of Cybersecurity

The reason I consider this section of CSF 2.0 so important is contained in one sentence: “The GOVERN Function supports organizational risk communication with executives.”[3] There is no definition of who “executives” are. If it were just the CISO, that might make sense to me. But the accompanying diagram shows a group of people.[4] I take that to indicate the denizens of mahogany row: the CEO, COO, CFO, and other people with a “C” in front of their titles. Are they responsible as a group, or does each of them bear specific responsibilities related to their roles?

The GOVERN section of CSF 2.0 contains 31 directives (subcategories), up from four in the previous version. It makes someone (presumably the executives) responsible for the organizational context of cybersecurity; risk management strategy; the roles, responsibilities, and authorities involved in cybersecurity; policy; oversight; and cybersecurity supply chain risk management (C-SCRM).

If executives are responsible for these aspects of cybersecurity, who does the actual work? The next paragraphs in this section of CSF 2.0 say that managers “will focus on how to achieve risk targets through common services, controls, and collaboration.”[5] These managers are identified as the leaders of “a line-of-business or operating division” in commercial organizations[6] and of “division- or branch-level” units in government entities. In other words, the CISO still does not make the cut.

The CISO must be relegated to the lowest level, the practitioners (i.e., most of the people reading this article, AKA us). We are supposed to “help plan, carry out, and monitor specific cybersecurity activities.”[7]

Radical and Aspirational

I consider the alignment of roles and responsibilities in this hierarchy to be both radical and aspirational. It is radical because it fundamentally shifts the burden away from the people who actually understand both the detailed nature of the threat and the current means to combat it to those who have overall organizational responsibility for managing risk. These people are also responsible for managing branding, profits, cost, credit, shareholder/citizen interests, customers, and personnel.

Undoubtedly, cybersecurity is a set of controls that senior management should be aware of and support, but this imperative must fit among all the others. The elevation of responsibility for cybersecurity to people at this level is undoubtedly intended to increase its visibility, but it may well result in it being seen as just one problem among many.

In most organizations that I am familiar with, senior managers (and their boards) are well aware of the heightened risk presented by cyberattacks, in particular by ransomware. Their response has been to appoint a CISO, supported by professional staff, who acquires and administers technical tools and services to mitigate, if not eliminate, the cyberrisk. Alas, they are mere practitioners, with two layers of management above them. The fact that there are not enough professionals to go around[8] and that the tools sometimes fall short is not indicative of failure, but of the difficulty of the task. There is no perfect solution to this threat, as may be said of any other risk.

The proposed—or perhaps mandated—hierarchy is aspirational because very few organizations, to my knowledge, presently have it in place. Perhaps the authors intended to paint an idealized picture of how businesses in both the public and private sectors should organize themselves. The pressure to achieve their vision would then come from the practitioners, reinforced by auditors who would use CSF 2.0 as a yardstick to measure an organization’s accomplishment of cybersecurity. Since audit reports go to the Board, there would be pressure both from above and below to involve the executive level more fully in keeping information systems secure.

Shifting Emphasis

I want to be clear that I heartily favor executive involvement in cybersecurity. I also want the execs to be involved in business continuity, product innovation, civic engagement, and while I am at it, artificial intelligence. In each of those cases, I expect executives and Board members to be visionaries, guiding their organizations into the future. Then I want them to assign responsibility to specialists in each realm and get out of their way.

My concern is that the emphasis on the role of executives in cybersecurity may diminish the roles of CISOs and their staff. With the Big Shots doing all the strategizing and policymaking, the CISOs are left to make security actually work. There may arise a gap between those who want things to be done and those who do them. This would open the potential for cybersecurity programs that are either under-resourced for the tasks at hand or guided by strategies that are barely achievable at the time of their writing and fail to foresee the evolution of the threats.

Many information security functions have relied on the CSF as a blueprint for building their cybersecurity programs. Both the earlier and current versions of the CSF include many requirements that refer to security generally but not specifically to the intentional, malicious, targeted attacks that constitute cybersecurity.[9] Thus the shift in emphasis that I point to, from practitioners to executives, is bound to affect the positioning and effectiveness of information security overall.

I just hope that this shift is in the right direction.

Endnotes

[1] Ross, S.; “Information Security Matters: Raising Standards,” ISACA Journal, vol. 6, 1 November 2024. I must reiterate from that article that the CSF has become a de facto international standard, of interest to Americans and those from other countries as well.
[2] National Institute of Standards and Technology (NIST), The NIST Cybersecurity Framework (CSF) 2.0, 26 February 2024. The full name is The NIST Cybersecurity Framework (CSF) 2.0, with NIST meaning the (U.S.) National Institute of Standards and Technology. Other than first references, like this one, no one ever spells out the full name.
[3] NIST, CSF 2.0
[4] NIST, CSF 2.0. There is a similar diagram in the previous version, NIST CSF 1.1, but it refers to the “Senior Executive Level,” which more clearly identifies a focus on organizational risk shared by executives as a group. That same diagram changes “Business/Process Level” to “Managers” and “Implementation/Operations Level” to “Practitioners.”
[5] NIST, CSF 2.0
[6] NIST, “The Partnership between NIST and the Private Sector: Improving Cybersecurity,” 25 July 2013. It is noticeable that a government organization is creating a framework applicable to the private sector. With regard to cybersecurity, this is not new.
[7] NIST, CSF 2.0
[8] Morgan, S.; “Cybersecurity Jobs Report: 3.5 Million Unfilled Positions In 2025,” Cybercrime Magazine, 14 April 2023. The most commonly quoted statistic is that there are 3.5 million unfilled information security positions worldwide. It was first stated by Steve Morgan of Cybersecurity Ventures, editor-in-chief of Cybercrime Magazine. Since there is no explanation of how this figure was arrived at, I have doubts about its accuracy, but it is clear anecdotally that the shortfall is significant.
[9] Ross, S.; “Frameworkers of the World, Unite 2,” ISACA Journal, vol. 3, 2015. I commented on this distinction in the previous version of the CSF some years ago. In re-reading it, I believe it still applies to CSF 2.0.

STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP

Is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.