Think bigger - Why the NIST CSF 2.0 should shape your approach to HRM
BEHAVE Newsletter

You’re thinking about the NIST CSF all wrong. You’re in it, just not where you think.


You work on the human aspect of cybersecurity? Good. Let’s talk about frameworks.
Not sexy. But essential.


And not any ol’ framework. NIST CSF no less.


The NIST Cybersecurity Framework (CSF) is one of the most widely used frameworks for managing cyber risk. Developed by the U.S. National Institute of Standards and Technology, it gives organizations a structured way to understand, assess, and improve their cybersecurity posture.


At the heart of the framework are six core functions:

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover


These cover the full lifecycle of cybersecurity risk and resilience, from setting strategy to bouncing back after an incident.


Think this is just for big tech teams or critical infrastructure? Think again. The CSF is designed to be flexible and scalable. If you're working in the human side of cybersecurity and want a seat at the table, you need to know where and how you fit into it.


To do this, you need to speak the language of the CSF.


Why? Because it's how CISOs, auditors, and regulators define what "good" looks like. It's how strategy gets built. It's how investments get justified. And it's how you prove you matter.


The problem is, most people (including your boss – awkward) still treat the human side of cybersecurity as something that fits into only one part of the framework: Protect. That view is outdated. It’s holding the whole industry back. And it’s strangling the value human risk management (HRM) could be bringing to your company’s resilience efforts.


A smarter approach to human risk adds value across all six CSF functions. Here's how.

Govern: Make human risk measurable and accountable

Governance is about making sure the right things are being done, and that they’re working. That has to include the human side of cyber risk.


It's not enough to say you've rolled out training or phishing simulations. You need to know whether they're actually changing the right set of behaviors. Are high-risk groups improving? Are risky behaviors going down?


With the right data, you can track the effectiveness of your controls and interventions, align them with policy and compliance goals, and bring meaningful human risk metrics into leadership and board-level conversations.


If you're not validating the effectiveness of your human risk controls, you're not governing. You're guessing.

Identify: Pinpoint who and what introduces human-layer risk

This part of the framework is about knowing your assets, your risks, and your exposure. That includes people.


Start with the basics: Who has access to what? Where are the knowledge gaps? Which roles are more exposed?


Then go deeper. Who skips training? Who’s consistently exhibiting risky security behaviors? Who never reports suspicious activity? Behavioral data helps you spot potential areas of risk across departments, teams, and individuals.


Identify is about knowledge, sure. But it's also about behavior, confidence, engagement, attitude, access to sensitive data, and day-to-day digital hygiene. Human risk isn't one thing. It’s a mix of factors. And you can map them.

Protect: Equip people to act securely in the real world

This is where most security awareness work has traditionally lived. But it’s been limited. Training and comms. Or increasingly time-consuming simulations. Tick-box exercises. “Edutainment”, as I like to call it.


A smarter approach treats Protect as more than content delivery. It builds secure habits, based on real risk.


That means tailoring interventions based on role, behavior, and exposure. Reinforcing the right actions at the right time. Using nudges, prompts, and real-world scenarios. Tracking engagement and adjusting where needed.


It also means addressing the things that shape behavior: knowledge and understanding, digital hygiene, confidence, attitude, and access to tech and data.


Protecting systems is just the start. You’re building up and supporting people, so they can protect themselves.

Detect: Use people as sensors, not just subjects

Detection’s about tools and dashboards, right? Not quite. It's also about what people see, what they spot, and what they choose to report.


Phishing, suspicious logins, weird attachments, dodgy files, conflicting security policies, unhelpful security guidance. Your people are surrounded by threat signals and things that erode your organization’s security and resilience.


The question is: Do they recognise them? Do they act?


HRM helps you measure reporting behavior, identify who’s alert and who’s asleep, and build a culture where reporting is fast, easy, and normal.


You can also use behavioral data to detect anomalies. Unexpected downloads, strange access patterns, risky app installs. People leave trails. You just need to know what to look for. (And, y’know, actually look.)


The earlier you detect something, the less damage it does. That includes behavior.
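The Govern, Identify and Detect sections above all come down to the same thing: measuring behavior rather than attendance. The Python below is an added example (not code from this newsletter or from the CybSafe platform) that takes a constructed set of phishing-simulation outcomes and computes per-department click and report rates, how those rates moved between two quarters, which groups sit above a click-rate threshold, and which people have never reported a simulated phish. The dataset, the department names and the 25% threshold are all assumptions made for illustration.

```python
"""Added example: turning phishing-simulation outcomes into human-risk metrics.

Not CybSafe's code. All data below is constructed for the example; the
25% click-rate threshold is an assumed policy value, not a recommendation.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SimResult:
    user: str
    department: str
    period: str      # reporting period, e.g. "2025-Q1"
    outcome: str     # "reported", "clicked" or "ignored"


# Constructed sample: two quarters of simulation results for three teams.
SAMPLE: List[SimResult] = [
    SimResult("alice", "finance", "2025-Q1", "clicked"),
    SimResult("bob",   "finance", "2025-Q1", "ignored"),
    SimResult("carol", "finance", "2025-Q1", "reported"),
    SimResult("dave",  "eng",     "2025-Q1", "reported"),
    SimResult("erin",  "eng",     "2025-Q1", "ignored"),
    SimResult("frank", "sales",   "2025-Q1", "clicked"),
    SimResult("grace", "sales",   "2025-Q1", "clicked"),
    SimResult("alice", "finance", "2025-Q2", "reported"),
    SimResult("bob",   "finance", "2025-Q2", "ignored"),
    SimResult("carol", "finance", "2025-Q2", "reported"),
    SimResult("dave",  "eng",     "2025-Q2", "reported"),
    SimResult("erin",  "eng",     "2025-Q2", "reported"),
    SimResult("frank", "sales",   "2025-Q2", "clicked"),
    SimResult("grace", "sales",   "2025-Q2", "ignored"),
]


def rates_by_group(results: List[SimResult], period: str) -> Dict[str, Dict[str, float]]:
    """Click rate and report rate per department for one period."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        if r.period != period:
            continue
        c = counts[r.department]
        c["n"] += 1
        if r.outcome in ("clicked", "reported"):
            c[r.outcome] += 1
    return {
        dept: {
            "n": c["n"],
            "click_rate": c["clicked"] / c["n"],
            "report_rate": c["reported"] / c["n"],
        }
        for dept, c in counts.items()
    }


def trend(results: List[SimResult], earlier: str, later: str) -> Dict[str, Dict[str, float]]:
    """Change in click and report rate per department between two periods.

    Negative click_delta and positive report_delta mean the group improved.
    """
    before = rates_by_group(results, earlier)
    after = rates_by_group(results, later)
    return {
        dept: {
            "click_delta": after[dept]["click_rate"] - before[dept]["click_rate"],
            "report_delta": after[dept]["report_rate"] - before[dept]["report_rate"],
        }
        for dept in before.keys() & after.keys()
    }


def high_risk_groups(results: List[SimResult], period: str, max_click_rate: float = 0.25) -> List[str]:
    """Departments whose click rate in `period` exceeds the (assumed) threshold."""
    rates = rates_by_group(results, period)
    return sorted(d for d, m in rates.items() if m["click_rate"] > max_click_rate)


def never_reporters(results: List[SimResult]) -> List[str]:
    """People who have never reported a simulated phish in any period."""
    seen, reported = set(), set()
    for r in results:
        seen.add(r.user)
        if r.outcome == "reported":
            reported.add(r.user)
    return sorted(seen - reported)


if __name__ == "__main__":
    for period in ("2025-Q1", "2025-Q2"):
        print(period, rates_by_group(SAMPLE, period))
        print("  above threshold:", high_risk_groups(SAMPLE, period))
    print("trend Q1->Q2:", trend(SAMPLE, "2025-Q1", "2025-Q2"))
    print("never reported:", never_reporters(SAMPLE))
```

The point of splitting the output this way is that each function answers one of the questions the text asks: `trend` tells you whether high-risk groups are improving (Govern), `never_reporters` names who never reports (Identify), and `rates_by_group` gives you the reporting-behavior baseline a detection culture is measured against (Detect). Replace `SAMPLE` with an export from your own simulation tool and the rest is unchanged.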

Respond: Help people act fast when things go wrong

Incidents don’t only affect systems. Incidents affect people. And people are a key part of the response.


A strong human-layer response includes clear guidance, fast communication, and automated support for people involved in incidents.


Vitally, it also includes running scenarios so people know how to respond before the real thing happens.


You can also use HRM tools to trigger targeted interventions. Think follow-up training, just-in-time behavioral nudges, automated workflow actions, or access restrictions based on what actually happened.


The goal here? To make your human response capability just as sharp as your technical one. Because when things go wrong, clarity and confidence make all the difference.

Recover: Rebuild trust, habits, and capability

When you think of recovery, restoring services is probably what comes to mind. What’s often missed is that recovery is also about helping people reset, learn, and get better.


That includes updating training and comms based on what you learnt. Running post-incident reviews that look at behavior as well as systems. Delivering new content to affected teams. Supporting recovery in a way that builds trust, not fear.


It also means embedding what you've learned into future governance and planning. Feeding it back into your Identify, Protect, and Detect strategies. The work is never truly complete.


A full recovery includes restoring secure behavior, not just network uptime.

Final thought: You’re not the awareness & training team. You’re the glue.

If you’re managing human cyber risk, you don’t belong in just one part of the strategy. You belong in all of it. You’re needed across all of it.


You can help govern smarter. Spot risks faster. Equip people better. Detect earlier. Respond stronger. Recover sharper.


That’s what great human risk managers do. They don’t stay boxed in. They connect the dots.


And they make the human layer work.


Want to know more about exactly how the CybSafe platform helps you add value at each stage of the NIST CSF? Reach out to us here. We’d love to talk to you.


Download our free guide on mapping HRM to the NIST CSF 2.0 here.

Thanks for reading!

Was this email forwarded to you? Sign up here.


Oz Alashe MBE
CEO and Founder,
CybSafe


CybSafe, Level 39, One Canada Square, Canary Wharf, London, United Kingdom, E14 5AB


contact@cybsafe.com
+44 20 3909 6913
