Currently, we have a long list of all or most of the NIST CSF controls and track to what extent we have implemented each control and what level of implementation would be desirable in the current state. The desirable grade of implementation is, however, just a best guess from a personal POV. What I greatly miss in this approach is the mapping from controls to the underlying threats.
A simple example for clarification: NIST control DE.CM-1 states “The network is monitored to detect potential cybersecurity events”.
As a control, this is fine. But what I’m missing (and management as well) is the risk that we open ourselves up to when we do not implement this control. It also makes prioritization of implementation harder. What I try to do is to create a list of common, prioritized risks (like MITRE CAPEC) mapped to the NIST CSF. This would look like this:
* CAPEC-94: Adversary in the Middle, Likelihood: High, Severity: Very high, and
* CAPEC-125: Flooding, Likelihood: High, Severity: Medium
result in a combined risk of ‘high’ (probability * impact) and can be mitigated with control DE.CM-1 from NIST CSF.
I’d like to know how you do this in your organization. How do you inject cybersecurity risks into your normal, organizational risk management process?
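One way to make the threat-to-control mapping described in the post concrete, as an added example that is not part of the original post: a small risk register that scores each CAPEC entry as likelihood × severity on a 5×5 matrix, rolls the scores up per NIST CSF control, and ranks controls by residual risk weighted by the implementation gap. The scales, thresholds, implementation tiers and the PR.DS-2 mapping are constructed assumptions; only the two CAPEC entries and DE.CM-1 come from the post.

```python
"""Toy risk register linking CAPEC threats to NIST CSF controls (constructed example)."""
from dataclasses import dataclass

# Ordinal scales (constructed; an organisation would pick its own)
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
SEVERITY = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def rating(score: int) -> str:
    """Map a 1..25 score (likelihood * severity) to a qualitative rating (constructed thresholds)."""
    if score >= 21:
        return "very high"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Threat:
    capec_id: str
    name: str
    likelihood: str
    severity: str
    mitigated_by: tuple[str, ...]  # NIST CSF control IDs

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]


# The two entries from the post; PR.DS-2 (data in transit protected) is an assumed extra mapping
THREATS = [
    Threat("CAPEC-94", "Adversary in the Middle", "high", "very high", ("DE.CM-1", "PR.DS-2")),
    Threat("CAPEC-125", "Flooding", "high", "medium", ("DE.CM-1",)),
]


def combined_risk(threats: list[Threat], control: str) -> int:
    """Risk a control addresses: the highest score among the threats mapped to it (conservative roll-up)."""
    return max((t.score() for t in threats if control in t.mitigated_by), default=0)


def prioritize(threats: list[Threat], implementation: dict[str, tuple[int, int]]) -> list[tuple[str, int, int]]:
    """Rank controls by residual risk = combined risk * (desired tier - current tier), tiers 0..4 (constructed).

    Returns (control, combined_risk, residual_risk) tuples, highest residual first."""
    rows = []
    for control, (current, desired) in implementation.items():
        risk = combined_risk(threats, control)
        rows.append((control, risk, risk * max(desired - current, 0)))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

With `prioritize(THREATS, {"DE.CM-1": (1, 3), "PR.DS-2": (3, 4)})`, DE.CM-1 ranks first because the same combined risk sits behind a larger implementation gap.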