9 Burning Questions about Implementing NIST Cybersecurity Framework Using COBIT 5

The most valuable asset any entity possesses is information. Technology plays a key role in the management and protection of information from the time it is created up to the moment it is destroyed. We interviewed Gary Hardy, one of the originators of the COBIT framework, about his course Implementing NIST Cybersecurity Framework Using COBIT 5.

What makes COBIT 5 a better fit for information security than its predecessor COBIT 4?

COBIT 5 recognizes that IT (and information security) is a pervasive enabler affecting the whole enterprise and not a technical topic just for the IT Department or IT service provider. Information security is an enterprise issue affecting all staff at all levels from top management downwards. Executive management are accountable for information security decisions and investments – the buck cannot just be passed to security experts.

What does Implementation of the NIST Cybersecurity Framework Using COBIT 5 entail?

Using COBIT 5 ensures that implementation of the NIST framework will be driven by management and treated as an investment, supported by a business case, with transparent monitoring of the benefits (ROI). Ultimately management must take ownership and engage with service providers and experts. COBIT 5 enables a dialogue between management and security experts based on easy-to-understand security management practices.

What are its underlying principles?

The key guiding principles of this approach are to:

  • make sure stakeholders understand the context of cybersecurity – ‘de-mystify’
  • understand the risks as well as the potential benefits of adopting good practices so there is management buy-in, support, and sustainable solutions
  • consider cybersecurity as a part of broader information security as a whole by taking a systematic approach, not a piecemeal ‘plugging of holes’
  • initiate a continual improvement approach so that cybersecurity is regularly improved and addressed
  • implement security improvements, guided by the NIST Framework and matched to the profile of the enterprise, that will minimise security incidents and also enable recovery from any incidents that might occur.

What were the major drivers for the development of this course?

  • increased awareness and concerns about cyber related threats
  • concern by governments that cyber threats could damage critical infrastructure
  • need for enterprises to understand the nature of cyber threats
  • need for guidance on how to address cyber security on a continual basis due to ever changing technologies and threats.

What are the information security-related capabilities that an enterprise can achieve by leveraging the Implementation of the NIST Cybersecurity Framework Using COBIT 5?

COBIT 5 takes a holistic view of the governance and management of IT. This means all capabilities, for example the culture and behaviour of people, necessary skills, decision-making structures, and reliable procedures, as well as technical countermeasures.

How does it complement other established industry frameworks, standards, and methodologies?

The course includes consideration of a security management system approach based on ISO/IEC 27000, and COBIT 5 provides alignment at a high level with all existing standards and best practices.

Would you say that this course provides the most up-to-date view on information security governance? Please explain why.

  • the NIST Framework is the world’s most advanced and up-to-date thinking on how to combat cyber threats
  • COBIT 5 is the most complete and current framework for enterprise-wide (end-to-end) governance and management of IT that drives executive management and business engagement in IT-related decisions and oversight
  • the course also aligns with the latest ISO/IEC security management standards.

How does COBIT 5 deal with the grey area between governance and management? How does that consequently contribute to a more solid security strategy?

COBIT 5 helps distinguish between the role of the board and top management in directing and monitoring IT-related strategic objectives, setting priorities and making key decisions. Management’s role is to plan and execute the objectives. This is how all enterprises normally run their businesses. In this way security is addressed as a business objective, not just a low-level technical topic.

Explain to us what ‘Holistic Guidance’ means and how it differs from what other frameworks/standards/methodologies claim to be an end-to-end information security coverage of an enterprise.

COBIT has always been a framework and guidance that takes a complete view of how IT-related activities should be effectively undertaken. COBIT 5 has made this clearer by emphasising all the necessary enablers. Real-world experience has shown that the attitude and mindset of people at all levels is the biggest challenge when dealing with IT-related challenges, especially complex and difficult-to-understand issues like cyber security. Technical measures on their own are never enough.

We would like to thank Gary Hardy for taking time to answer our questions. The aim was to give our readers more insight into how the NIST Cybersecurity Framework can be implemented using COBIT 5.

Learn more about Implementing the NIST Cybersecurity Framework Using COBIT 5.

Alwi Suleiman
Alwi Suleiman is a Product Marketing and Solutions Manager at ITpreneurs. He is also the Editor-in-chief of the blog and heads the content marketing and social media activities. His marketing philosophy is: “Marketing is about help and not hype”.