Combining the NIST Framework with the Risk Management Process

To use a combination of the NIST framework and the risk management process with your clients, schedule a ransomware readiness consultation. Then use active listening during Steps 1, 2, and 3 to uncover what keeps your client up at night.

Step 1: Identify.

Identify an organization’s greatest points of vulnerability, exposure, and most valuable assets. Include business environment, governance, and preparedness against ransomware.

During Step 1, you should identify where your clients house and store customer data and discover any related risks.

Step 2: Assess and Protect.

Conduct a cyber risk assessment that can include identifying gaps in their existing policies and reviewing their potential threat landscape. Assist the client in assessing the business’s cyber awareness and training, employee policies, and guidelines; the strength of its security infrastructure and data security; and protective technology, including end-point protection for desktops, laptops, mobile devices, and servers.

This step includes assessing insider threats such as employee work-from-home (WFH) risks, Bring Your Own Device (BYOD) risks, Mobile Device Management (MDM) policies, and Shadow IT risks (employees downloading any application or cloud service to make their jobs easier that inadvertently can lead to sensitive data exposure, e.g., Dropbox, GoogleDocs, etc.).

To check if your client’s information was sold on the dark web, ask them to go to and enter their email address(es) into the search bar. The website will search to see what data of theirs is out there and display if there were data breaches associated with their email address on various sites.

In addition, you should assess any client businesses that offer free Wi-Fi to customers, such as gyms, hotel business centers, coffee shops, and fast-food shops. This step also includes determining if the business’s third-party vendors and suppliers, such as accountants and attorneys, are protecting the privacy and security of your client’s data.

Step 3: Evaluate and Detect.

Develop strategies and a cyber risk prevention and treatment plan that includes regulatory/compliance guidance for the client. Uncover any anomalies and malicious cyber events. Assist the client in finding an effective detection process. Evaluate the client’s resources and budget needed to implement a cyber resilience and recovery plan.

This step is where you determine your client’s risk tolerance and use the risk decision matrix with them. Remember that even using this cybersecurity framework, it is impossible for any business to be completely protected from cyber threats. It is your role as the trusted advisor to assist the business owner in focusing on areas that would have the greatest impact on business continuity.

Step 4: Implement and Respond.

This should include a practical cybersecurity playbook that will work in the event of a cyberattack. It should also include plans for cyber incident response, communication, mitigation, and improvements needed in the business’s security posture.

In this step, in addition to ensuring the business has a cybersecurity incident response plan, you would help your clients mitigate their cyber risk through comprehensive cyber insurance. According to the Insurance Information Institute (iii), cyber insurance “lowers the cost to a business…by covering damages that general liability insurance may not, including legal fees, repairing digital infrastructure, resorting clients’ personal information, and recovering proprietary data.”

Step 5: Monitor and Recover.

Communicate with the client on a monthly basis to ensure the organization’s cybersecurity is continuously improving. Ensure that the recovery plan is in place and ready to be implemented in case of a cyberattack.

During this step, you must help your clients monitor their cybersecurity plan and its effectiveness on an ongoing basis. The rate of being victimized by a cyberattack is growing at an alarming rate, and new threats emerge continuously.