A Cybersecurity Framework for Protecting What Matters

The world of online threats is ever-changing. Sophisticated phishing, AI-powered attacks, and more are making it ever harder to keep things safe. Organizations are navigating a wide variety of challenges and an equally wide variety of innovative solutions in working to address threats and be proactive in their online safety and security. Implementing a cybersecurity framework can help with that process.
See 5 Key Cybersecurity Elements with Kelly Hood for a complete transcript of the Easy Prey podcast episode.
Kelly Hood is a cybersecurity engineer with Optic Cyber Solutions. She works with companies to help them protect themselves, and also works with her team to protect Optic Cyber Solutions itself. She and her team specialize in implementing cybersecurity and privacy best practices, strengthening cybersecurity postures, and effectively managing risk. It’s a massive and always-changing undertaking, which always keeps things interesting.
Phishing is Getting Good
Phishing emails are getting good at making things look real. We have to be aware of this problem so we can spot it. Kelly has almost been a victim many times, but she knew enough to stop and look closer.
Not too long ago, she got an email that looked like it was from her mother telling her about a new job opening just down the street from where she worked. On the surface, it looked legitimate. It seemed to be from her mother, and the spelling and grammar were all accurate.
But Kelly lives and works in Maryland, and she knew her mother wanted her to come back to Oklahoma. Her mother wouldn’t send her another job in Maryland. So she looked closer at the email. When she really looked, the email address was close to but not exactly her mother’s. It was very impressive – it had her name, an email address that looked the same at first glance, and knew what field she worked in and where she worked. The phisher really put in some work to craft a legitimate-looking email, and it would have been easy to click.
Spear phishing used to just be for Fortune 500 CEOs or well-known crypto enthusiasts – people who were targeted for specific reasons. Now those same techniques are applied much more broadly. And a lot of information is available in places like Facebook or LinkedIn. It’s very easy to craft a personalized, realistic message.
At first, you [think] ‘Wow, they really did their research,’ and then you realize, no, that’s all public information. It’s all out there.
Kelly Hood
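The lookalike sender address in Kelly's story is something a mail filter or a cautious reader can check mechanically: compare the sender against the addresses you already know and flag near-matches. The following is an added example written for this page, not code from the podcast or from Optic Cyber Solutions; the contact list and addresses are constructed, and the edit-distance threshold of two is an assumption.

```python
# Constructed trusted-contact list (hypothetical addresses, not from the article).
TRUSTED_CONTACTS = {
    "mom@example.com": "Mom",
    "kelly.hood@example.com": "Kelly Hood",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(display_name: str, address: str, max_edits: int = 2) -> str:
    """Classify a sender as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' covers the two tricks in the story: an address that is a few
    characters away from a known one (rnom vs mom, .co vs .com), or a familiar
    display name attached to an address we have never seen. max_edits=2 is an
    assumed threshold; tune it to your own contact list.
    """
    addr = address.strip().lower()
    if addr in TRUSTED_CONTACTS:
        return "trusted"
    for known, name in TRUSTED_CONTACTS.items():
        if display_name and display_name.strip().lower() == name.lower():
            return "lookalike"
        if edit_distance(addr, known) <= max_edits:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: a genuine sender, two near-miss addresses, a known
    # name on a strange address, and an unrelated newsletter.
    for name, addr in [("Mom", "mom@example.com"),
                       ("Mom", "rnom@example.com"),
                       ("Mom", "mom@exarnple.com"),
                       ("Mom", "mom.1234@otherhost.example"),
                       ("Shop", "newsletter@shop.example.org")]:
        print(f"{name:5} <{addr}> -> {check_sender(name, addr)}")
```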
The NIST Cybersecurity Framework
One of the tools that Kelly uses a lot in her work is the NIST Cybersecurity Framework. This is a voluntary structure that defines what cybersecurity actually means and what it looks like for a company to be secure. It was originally developed in 2014, and in February 2024, it was updated. Now it’s upgraded to version 2.0. And that’s a big deal, because the update added a new function.
The cybersecurity framework includes different “functions” to help define what a cybersecurity program should look like and what it should include. Using a framework can help a company organize what they have, apply standards, and improve their security. According to the initial version, a good cybersecurity program should include functions to Identify, Protect, Detect, Respond, and Recover. The update added a sixth function: Govern.
Govern
The Govern function of this cybersecurity framework is where you want to start. It’s a higher-level overview that helps you figure out where you’re at, what matters to you, and where you’re going. The goal is to make sure you’re applying protections in a way that makes sense for your business.

The big change is putting an emphasis on pausing. Instead of jumping into applying security solutions, figure out what exactly you’re trying to do, get the right stakeholders involved, and get guidance in place. That includes things like policies, oversight, and roles and responsibilities. This way, leaders can see where they fit in the security plan.
Govern was a category in the cybersecurity framework previously, but turning it into a core function highlights a need. Cybersecurity isn’t just in the server room; it’s now in the board room, too. Nobody operates in a vacuum. If you’re doing work online or connected to the internet, it comes with risks. Every company has to acknowledge those risks, handle them appropriately, and get support from senior stakeholders. Having the Govern function in place helps with that.
It’s important to make sure that everybody understands the risk that being in our connected world today brings.
Kelly Hood
Identify
After you have your Govern function set up, the next step is Identify. This function focuses on knowing what you have and what you’re protecting it from. Asset management is a big aspect. You have to understand the assets, both physical and virtual, data, and people involved in your program and what risks they have. Identify is all about knowing what you have so you can protect it all appropriately.
Protect
The Protect function of the cybersecurity framework is what many people think of when they think of cybersecurity. This includes the actual steps you take and the safeguards you put in place to protect the assets you identified during the Identify function. Identity management, authentication, training, data security, platform security, and many of the more technical elements of cybersecurity fit in this function of the framework.
Detect
Detect is the proactive function of the cybersecurity framework. It’s about looking around at what’s happening in your company and in your network and noticing problems. Continuous monitoring, analysis of what’s going on, investigation of things that look weird in a network or physically at a facility all fall under Detect. The goal is to look at what you’ve protected and spot anything suspicious so you can respond.
Respond
No company wants an incident to become tomorrow’s headline. The Respond function is the part of the cybersecurity framework that helps you keep that from happening. Respond is not about preventing attacks (that’s what Protect is for), but dealing with them when they happen. If you have a plan and steps in place, you can stop an incident from getting really bad.
We know that things are going to happen. There are bad actors out there. I want to make sure we can respond quickly.
Kelly Hood
Recover
The final step in the cybersecurity framework is Recover. A lot of people wonder why Respond and Recover are different. Kelly likes to use medical care as an illustration. Response is like a hospital emergency room – you’re stopping the bleeding and getting the problem under control. But after you’re no longer actively bleeding out, you may need some ongoing care or physical therapy to get back to where you were. Recover is that physical therapy element. After you’ve dealt with the issue itself, you have to prioritize what to do, know what needs to happen, and contact the people who need to know. And it’s very, very hard to prioritize in the moment. Having the Recover part of the framework in place means that when there is an incident, you know exactly what makes sense for your business in terms of getting back to functionality.
The Challenges in Implementing a Cybersecurity Framework
There are some common pitfalls people fall into when trying to implement a cybersecurity framework in their business. Every function of the framework has its own challenges and pitfalls. But these are a few that Kelly sees more frequently.
Asset is a Broader Category Than You Think
When people think of asset management, they think of things like systems, hardware, and physical options. They often forget data, virtual environments, and people. It feels a little strange to think of people as assets. But when you think about resources, you need to fully understand who and what your business has and what access they have as part of protecting your systems.

People also tend to get overwhelmed in cataloging every single thing that needs to be protected. But you have to realize that you’re not going to get it all done today. Unless you’re a really small company, you’re probably not going to get it done even in a week. It’s good to talk to different people in different areas, see what they think they have, and reconcile that with other groups. Don’t let the perfect be the enemy of the good. You just need to start somewhere. Write things down and start that list.
We need to start somewhere … understanding what systems we have, what data we have.
Kelly Hood
A cybersecurity framework provides structure. It doesn’t say exactly what you need to do or how, but gives you outcomes. So you don’t have to get started any particular way. Data logged on a spreadsheet is perfectly fine. You may later decide that’s not sufficient, but it’s a start.
Don’t Forget Your Data
Data is a broad category, but it’s the biggest one Kelly sees companies forget about when it comes to the Protect function of the cybersecurity framework. There are some requirements about certain types of data, such as personally identifiable information and health-related information. This can be even more of a challenge because so many companies don’t know where their data actually is. Many times Kelly has sat down with a company to ask what data they have, and what they thought would be a ten-minute conversation turns into a week-long exercise.
Many times, Kelly will have companies tell her their data is on SharePoint. But what type of data is it? Where is it on SharePoint? Is it also stored on a local desktop? Has someone downloaded it or uploaded it to Dropbox? Being able to categorize all the data and know where it is can be a challenge. Sometimes employees will send things to their personal emails so they can work from home, and that takes the data even farther away from where you can Identify and Protect it. The things we do to make our lives easier can also make it much, much harder to track down and protect a company’s sensitive data.
There are all these things that we do to make our lives easier … but also can make things easier for a malicious actor.
Kelly Hood
Respond Includes Communication
In the Respond function of the cybersecurity framework, many people overlook the communication aspect. It’s great to recognize that you’re bleeding and take steps to stop the bleeding. But you also have to let people know that you’re bleeding, whether it’s because they can help or because it will affect what they do.
Having a plan for this is critical. There’s a fine line for how much detail you want to provide. You don’t want to get in trouble for being too secretive, but you don’t want to share too much and make customers panic or let criminals know there’s a vulnerability. All you need to be able to share is that something happened, how you’re handling it, and when the people you’re talking to can expect an update. If you haven’t plugged the hole yet, you don’t want to publicize the hole.
Get legal involved in these conversations, and also the senior leadership. What is the line between “deal with it and tell leadership in the morning” and “wake leadership up in the middle of the night about it”? At what point do you talk to your customers? The public? Set thresholds so you don’t have to make decisions in the moment.
Make a Plan that Makes Sense
People often think about the Recover function of the cybersecurity framework as getting back to 100% business functionality. But how you prioritize that depends on your business, what you do, and what your critical functions are. Think through scenarios and come up with a plan that makes sense for your business.
For example, Kelly once worked with a client who determined that getting the back-end server that processed transactions up and running was a lower priority than getting their website up. They realized that if the website was up but transactions weren’t going through, customers would assume they were having issues with their internet or browser. But if the website was down, people would be calling the helpline, which would slow down recovery even more. So in their situation, it actually made sense to prioritize the website over the server to cut down on calls and free up more time to work on the problem.
It can sometimes take a while for recovery to get to 100%. The goal is to get back to functional, whatever functional looks like for your business, as fast as possible. Prioritize what you need in order to operate at a basic level, and build back up from there.
Why Governance Matters
Govern was previously in the cybersecurity framework, but as a category instead of a core function. Because of that, people often overlooked it or assumed they already knew what they were doing, so they didn’t need to go into more detail. A lot of feedback on the framework said that it needed more detail.
The NIST Cybersecurity Framework added Govern as a function to help businesses translate a general understanding of what they want into something practical and workable that they can implement. It helps a company determine their priorities, which will help moving forward through the other functions.
No one works in a vacuum. Everyone has suppliers, systems have dependencies on each other. Using a cybersecurity framework is about managing in a way that you can be resilient and still function. The Govern function is a way to step back and think through challenges before an incident happens.
Learn more about the NIST Cybersecurity Framework at nist.gov. That site has both the document itself and a ton of great resources. Visit Optic Cyber Solutions at opticcyber.com for additional resources for getting started with the framework, including a free Maturing and Progress Tracker tool. You can also connect with Optic Cyber Solutions on YouTube or LinkedIn, or connect with Kelly Hood on LinkedIn.