Identify, protect, detect, respond, and recover: these words will be familiar to everyone who has attended a cyber-security-related update presentation at their organization, discussed cybersecurity with a client, participated in a cyber-risk assessment, obtained cyber-related continuing education courses, or read cyber-related vendor and consultant proposals during the past few years. The five words represent the five functions that comprised the first version of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) issued in 2014. Although initially intended for critical infrastructure, most industries and organizations of all sizes rely on the highly regarded reputation of the NIST and the CSF to establish a baseline of prudent cybersecurity practices. The NIST recently released an updated version of the framework to reflect the evolving role and importance of technology infrastructure on organizational objectives (CSF2). Significant changes to the framework that will be of interest to the accounting profession include adding a function focused on governance with a dedicated section on supply chain cybersecurity.
