CSF Program Steps
What kind of steps would you take to illustrate how an organization could use the Cybersecurity Framework to create a new cybersecurity program or improve an existing program. What are some of the key messages and ideas that you will take away from this course? What surprised you about the class? In your opinion, what has changed? How might that move forward into your professional practice?
Course Textbook(s) Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley. https://online.vitalsource.com/#/books/9781119614562
-
• What steps illustrate how an organization could use the Cybersecurity Framework to create or improve a cybersecurity program,
-
• What are key messages and ideas taken away from this course,
-
• What surprised you about the class,
-
• What has changed in your opinion,
-
• How might that move forward into your professional practice
Comprehensive General Answer
The NIST Cybersecurity Framework (CSF) provides organizations with a structured approach to building or improving cybersecurity readiness. To create or enhance a cybersecurity program, the following practical steps can be applied:
✅ Steps to Use the Cybersecurity Framework
-
Identify Current State
-
Conduct a risk assessment and inventory systems, data, and critical infrastructure.
-
Understand business context and asset dependencies.
-
As Lewis (2020) emphasizes, understanding interdependencies in critical infrastructure is essential for national and organizational resilience.
-
-
Define Target State
-
Set security goals using CSF’s functions:
Identify, Protect, Detect, Respond, Recover -
Determine acceptable risk and compliance requirements.
-
-
Gap Analysis
-
Compare current capabilities against the desired future state.
-
Prioritize gaps that pose the most significant operational or national security risks.
-
-
Develop and Implement Action Plans
-
Allocate resources, define responsibilities, and apply layered defenses.
-
This aligns with best practices for defending networked systems against cascading failures (Lewis, 2020).
-
-
Monitor, Measure, and Improve
-
Continuously assess controls and update based on evolving threats.
-
Conduct incident response exercises and recovery planning validation.
-
These steps allow organizations to mature their cybersecurity posture in a structured and repeatable way.
🌟 Key Messages & Ideas from the Course
-
Critical infrastructure is deeply interconnected, meaning a failure in one system can trigger multidomain consequences (Lewis, 2020).
-
Cybersecurity requires both technical and strategic decision-making, not just firewalls and encryption.
-
Public-private collaboration is essential to defend a networked nation.
-
Threats evolve rapidly—security programs must be adaptive and ongoing.
😮 What Surprised Me
-
The extent to which non-technical elements (policy, human behavior, economic incentives) influence cybersecurity success.
-
How a single weak link in infrastructure can impact national security, not just a single business.
-
The massive role of homeland security agencies in supporting private-sector defense.
🔄 What Has Changed
-
I now view cybersecurity not only as an IT function but as strategic risk management.
-
My perspective shifted from reactive approaches to proactive resilience.
-
I recognize cybersecurity as a shared responsibility across sectors and personnel levels.
🚀 Impact on Professional Practice
Going forward, I will:
✔ Promote adoption of structured frameworks like NIST CSF
✔ Emphasize risk-based prioritization instead of checklist compliance
✔ Advocate for layered defenses and incident readiness
✔ Encourage organizational culture that treats cybersecurity as mission-critical
This course has reinforced the importance of cybersecurity in protecting national assets and sustaining operational resilience.
