There is a significant difference between organisations that reference the NIST Cybersecurity Framework and organisations that build their security programme around it. The former cite the framework in strategy documents and map their existing controls to the five functions on a spreadsheet. The latter use the framework as a genuine tool for assessing their current security posture, defining their target posture, and building a prioritised roadmap to close the gap.
This post explains the latter approach — what CSF 2.0 actually asks you to do with the framework, and how to use the Current Profile / Target Profile methodology to build a security programme that is genuinely strategy-driven.
The Current Profile: Where You Are
A Current Profile is an assessment of your organisation’s current cybersecurity practices mapped against the CSF’s categories and subcategories. For each subcategory, you assess whether the capability described is absent, partial, or fully implemented — and at what maturity tier. The result is a structured picture of your security programme’s current state across all six functions (including Govern in CSF 2.0) and their subcategories.
A credible Current Profile is evidence-based, not self-reported. For each subcategory, the assessment should be grounded in what can be demonstrated: documented policies, operational processes with evidence of consistent execution, test results, audit findings, and control monitoring data. A subcategory rated as implemented should have evidence that would satisfy an independent reviewer.
The Target Profile: Where You Need to Be
A Target Profile defines the desired cybersecurity outcomes for your organisation — the implementation state for each category and subcategory that reflects your risk tolerance, business requirements, and regulatory obligations. The Target Profile is not “fully implement every subcategory at the highest tier” — it is a considered judgement about the appropriate level of implementation for each area given the organisation’s specific context.
High-consequence areas — critical systems, sensitive data, regulated processes — warrant higher target maturity levels and more complete implementation. Lower-consequence areas may warrant lower targets. The Target Profile captures this differentiation systematically, providing a defensible basis for investment prioritisation.
The Gap Analysis: Building the Roadmap
The gap between Current Profile and Target Profile is the basis for your security programme roadmap. Subcategories where the current state is significantly below the target state represent the gaps that most need to be addressed. Prioritisation among these gaps should consider: the risk represented by the gap (what happens if the current state remains as is?); the effort and cost required to close the gap; and any dependencies between gaps (some capabilities must be built before others are meaningful).
A roadmap built on this analysis is grounded in the actual risk priorities of the organisation, aligned to the specific capabilities the Target Profile requires, and sequenced by the prioritisation that the gap analysis produced. It is a strategy document, not a project list.
Maintaining the Programme: Annual Profile Reviews
Current and Target Profiles should be reviewed and updated annually — and when significant changes occur in the organisation’s technology environment, business context, or threat landscape. The framework is not a static mapping exercise; it is the basis for an ongoing cycle of assessment, improvement, and reassessment that drives continuous security programme maturity.
At Bitsecura, we build NIST CSF-aligned security programmes using the Current Profile / Target Profile methodology — producing a strategy-driven roadmap that prioritises the investments with the highest risk-adjusted return for your specific context. Talk to us here if you want to use the NIST CSF properly as the strategy tool it was designed to be.
Bitsecura provides NIST CSF-aligned cybersecurity strategy and advisory services. Learn more about our NIST CSF services.