Despite the overwhelming praise the NIST cybersecurity framework has received, only 29% of Tenable Network Security survey respondents have adopted the framework. The security company cited the lack of a regulatory mandate as one reason for the low implementation rate.
Seventy percent of survey respondents approved of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity as an industry best practice, but more than 50% of current and future adopters said the level of investment needed in order to fully conform with the framework was high.
Created as a result of collaboration between the cybersecurity industry and government, the NIST Cybersecurity Framework consists of standards, guidelines and practices to promote the protection of critical infrastructure. More organizations plan to adopt the NIST Cybersecurity Framework in the next 12 months than any other IT security framework.
The Columbia, Md.-based Tenable surveyed more than 300 independent IT sources and security professionals from organizations of all sizes across key industry verticals.
The survey revealed the following key results:
- While 84% of survey respondents reported their organization leveraged at least one security framework, 16% still do not leverage any security framework.
- The industries most reliant on security frameworks include banking and finance, with 88% adopting at least one framework, information technology (87%), government (86%) and manufacturing (83%).
- Only 77% of education and 61% of healthcare respondents reported having a security framework in place.
- Only about 20% ranked their organizations as "very mature" in CSF adoption and more than half of CSF adopters required significant investment to conform fully.
- Ninety percent of companies with more than 10,000 employees had adopted a security framework, and 77% of companies with fewer than 1,000 employees had done so.
"Historically, CISOs have been hesitant to take full advantage of the NIST Cybersecurity Framework because of a high investment requirement and a lack of regulatory mandate," Ron Gula, CEO for Tenable, said. "This is changing as organizations begin to shift their mindset from moment-in-time compliance with frameworks like PCI DSS to continuous conformance with the NIST Cybersecurity Framework."
The lack of a regulatory requirement and perceived high investment means many organizations that have already adopted the NIST Cybersecurity Framework are not implementing all of its recommendations. Sixty-four percent of respondents from organizations currently using the NIST CSF reported implementing some of the NIST recommended controls, but not all of them. Similarly, 83% of organizations that plan to adopt the NIST Cybersecurity Framework in the next year said they would adopt some but not all of the NIST Cybersecurity Framework controls.
To make it easier for companies and government organizations to adopt and benefit from the NIST Cybersecurity Framework, Tenable recently introduced its NIST CSF solution, which includes the NIST CSF dashboards.
"The NIST Cybersecurity Framework is one of the most thorough and reliable cybersecurity frameworks available, but it can be challenging for CISOs to conform to these standards all the time," Gula said. "Tenable's NIST Cybersecurity Framework solution helps automate and simplify NIST framework adoption, giving organizations the complete visibility and critical context needed to continuously conform to NIST best practices."
© 2025 ALM Global, LLC, All Rights Reserved.