A journey through the NIST Cybersecurity Framework

Even in difficult times, the Cybersecurity Framework provides guidance for cyberdefence. Join us on a journey through the framework in the company of cybersecurity experts and discover new aspects.

31 July 2025, Text: Andreas Heer, Image: Swisscom, 4 min

Times are challenging for cybersecurity experts and CISOs. As the Swisscom Cybersecurity Threat Radar shows, companies don’t just need to guard against known threats such as ransomware. New and different forms of attack are constantly emerging, and the patterns of DDoS attacks, for example, are changing.

One constant guiding force in these times is the NIST Cybersecurity Framework (CSF). It defines cyberdefence in five phases, which form a continuous cycle:

  • Identify: identifying sensitive environments and data
  • Protect: taking and implementing protective measures
  • Detect: detecting attacks
  • Respond: responding to attacks
  • Recover: restoration of the affected environments and data

In version 2 of the CSF, Governance has been added as an umbrella term covering all these phases and serving as a guideline for the individual measures.

We’d like to take you on a journey through the framework, in the company of cybersecurity experts. Discover with us some of the framework’s lesser-known aspects and tasks, or – to continue with the travel theme – pick up some insider tips.

Step 1: Identifying sensitive elements

The first step is about gaining an overview: “Cyberdefence consists of a multitude of demanding challenges,” says Cyrill Peter, Head Cybersecurity Services at Swisscom B2B. “On the one hand there is the complexity, and on the other, the variety of attack techniques. And this in combination with the increasingly shorter reaction times that are required.”

If a company wants to protect itself effectively under these conditions, it needs to know what it wants to protect in the first place. The aim is therefore to identify and prioritise business-critical data, applications and processes, explains Marco Wyrsch, CSO of Swisscom: “I need to know where my critical data is stored internally, which suppliers it is stored with, and what the relevant threats are.” Or, as Andrew Campbell, Head Specialised Sales Cybersecurity at Swisscom puts it: “For companies to meet current security requirements and ensure their security posture is correct, they must take action on several levels. At the first level, they need to know their current status. This requires regular security audits and risk assessments.”

Step 2: Implementing protective measures

Once the sensitive elements have been identified, the next step is to implement suitable security measures. The second stage of the journey ensures basic protection: the foundation and bulwark against cyber attacks. And these protective measures should be considered from the outset, for example in the development of software and infrastructures, emphasises Stephanie Ramseyer, Security Solution Architect at Swisscom: “My job starts well before the actual development work. First we bring together developers, product managers and others responsible for the product, and set out where the attack surface might be.”

Because technology alone is not enough: “Humans play a key role in cyber resilience,” says Duilio Hochstrasser, security specialist at Swisscom. “Through the behaviour of employees on a day-to-day basis on the one hand, and thanks to the security specialists, who plan and implement measures and take care of defence, on the other.”

Employees, who form the first line of defence against cyber attacks, complement the technical and organisational measures. A security culture is crucial for this, emphasises Fawsiya Cade, security consultant at Swisscom: “In view of the current global situation and the constant changes in digitalisation, the security culture is becoming much more important. Companies need to promote a security culture in which employees recognise risks, act responsibly and practise security in their everyday lives.” This cultural excursion brings us to the third stage of our trip.

Step 3: Detecting cyber attacks

Time plays a key role in this stage, because cyber criminals often take their time to look around the company network before striking. This “lateral movement” is used to identify relevant data and to obtain the widest possible access rights for exfiltrating and encrypting data.

“These days, early detection of cyber attacks is essential for effective cyberdefence,” explains Oliver Stampfli, Head of Cyberdefence B2B at Swisscom, because early detection can prevent major damage. Andrew Campbell also emphasises this point: “That’s why appropriate detection systems are essential.”

Step 4: Tackling cyber attacks 

We’ve now reached the key stage of the journey. This is where the “crack team” of incident response experts is called for. Modern approaches to cyberdefence assume that the attacker is already inside. This “assume breach” paradigm implies that cyber attacks cannot be completely prevented. Yet the technical containment of an attack is only part of the task – getting the communication right is just as important. “We let people within the company know about incidents,” explains Marco Wyrsch. “But we also notify affected customers, suppliers and partners.” 

However, what matters is that means of communication are also available in this situation. “The incident response can also throw up some surprises,” says Alexander Odenthal, Group Information Security Officer at Swiss Life. “For example, when the usual chat environment that is also used for telephone calls no longer works. That’s why it’s important to test such scenarios beforehand.”

Step 5: Restoring operation 

Time and again, we hear reports of companies that have not yet returned to normal operations even weeks or months after a cyber attack. How well they cope with this stage also depends on their preparation. Or, as Marco Wyrsch puts it: “Test, practise and be ready.” 

Backups and, above all, the recovery of data and systems play a major role here. “It’s possible to get caught out by inadequate backup quality or lack of availability due to a cyber attack and the complexity of the restoration process,” says Alexander Odenthal.

Additional steps: Governance and risk management 

Cyberdefence cannot reach its destination without steering. That’s why governance runs through every stage in the Cybersecurity Framework 2.0. It also calls for management to be involved, says Marco Wyrsch: “Investments in cybersecurity will not be effective if management does not put up a protective shield and take responsibility.” This is true regardless of the IT operating model, emphasises Pascal Lamia: “Even if IT is outsourced, cybersecurity needs to be discussed at management level. Are we doing enough for our cybersecurity? Are we protecting customer data adequately?”

This is where risk management comes into play, in order to answer such questions – and indeed before something actually happens, as Georgia Fotaki, Information Security Governance Manager at Swisscom, emphasises: “Risk management isn’t just about reacting. It’s about anticipating what lies ahead of us, being able to adapt and to develop resilience in all areas.”

We have achieved cyber resilience and reached the end of our journey. But companies cannot rest on their laurels for long. After all, reviewing the security posture is an ongoing task in cyberdefence. This is also demonstrated by our “map”, which illustrates the Cybersecurity Framework as a cycle.
