The cybersecurity industry has fed, and to a large extent continues to feed, off fearmongering. As a result, organizations are spending millions of dollars on shiny security products that are not needed to block most hacks. The current strategy of most organizations, layering on different technologies, is not only proving ineffective but is also overly complex and expensive. A better option for the security of a business is to adopt a risk-based approach: carry out a holistic assessment and analysis of the threats to the business in its current and future operating environment, and then mitigate those threats.
The information security and risk management strategy gives the business direction for protecting its information infrastructure, ensuring that the capabilities provided are aligned with business goals and the organization’s risk profile. Structured methodologies can be a great help here: they give you authentic insight by assessing the IT security implications of the business objectives and making sure those objectives are understood.

I do not see any reason to re-invent the wheel, and we should just leverage a well-established security framework to build out the security roadmap. Ultimately, the implementation of a cost-effective cybersecurity framework included careful consideration of how we identified, protected, and recovered critical assets, as well as how we detected and responded to security breaches. While we cannot avoid all cyber risk, we need to identify, mitigate, and reduce it to an acceptable level. Fortunately, there are several good frameworks, such as the ones from the National Institute of Standards and Technology (NIST),[1] the International Organization for Standardization (ISO),[2] and COBIT 5.[3] I decided to adopt the NIST Cybersecurity Framework, or CSF,[4] which has a high adoption rate.
The Framework for Improving Critical Infrastructure Cybersecurity (CSF or NIST Cybersecurity Framework) is a tool originally developed for the private sector that agencies must implement to manage cybersecurity risk. The CSF can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program.
Businesses can use the CSF to identify cybersecurity risks, assess them, and then manage them continuously. It helps an organization determine which activities are most important to critical service delivery, prioritize expenditures, and maximize the impact of its investment. The CSF is designed to support existing business practices and cybersecurity operations. It lets you express your cybersecurity requirements to your customers and business partners, and it helps identify gaps in your business’s cybersecurity practices. The CSF also lays out processes for considering civil liberties and privacy implications in the cybersecurity program.
The Framework is made up of three components: the Framework Core, Profiles, and Tiers. Organizations use these three components together to conduct a comprehensive review of their cybersecurity program. The main component of the Framework is the Framework Core (the Core). The Core presents a variety of cybersecurity-related activities found in a cybersecurity program, such as performing vulnerability scans and detecting malicious code. The activities are classified into five main groups, or functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Each function is divided into categories and subcategories of cybersecurity outcomes and activities.

If a security roadmap is implemented effectively, it can be very helpful in mitigating risk. It also helps define the actions to take when a compromise is detected. A clear roadmap ensures that you mitigate risks while keeping a strong focus on your business goals.
With the assessment completed, gaps should be analyzed against a defined control framework, and steps defined to measure and close those gaps. I would like to emphasize here that it is important to map the cybersecurity framework against both the existing and the future posture of the organization. Based on our organization’s risk acceptance, goals, and objectives, a visual representation of the suggested initiatives was developed and detailed in a one-to-three-year roadmap. This roadmap included all relevant information, including an investment summary covering processes, technology, and people, so that our skills and capabilities align with the business’s control framework. Activities were sequenced to give a more effective implementation plan, with projects prioritized based on risk.
To prioritize the initiatives on the security roadmap so that business objectives are realized and security gaps addressed, draw upon your mission drivers, a cost/benefit analysis, and your understanding of risk. Next, determine the resources necessary to address the gaps. For each identified activity or control that needs to be in place, record whether the organization meets or does not meet the best practice, and use that record to develop your cybersecurity and risk mitigation plan. For any risk that you decide to “accept” rather than “mitigate,” document the risk posed by not implementing the best practice, put a compensating control in place, and obtain sign-off from the risk owner.
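As an added illustration, not part of the original post, the gap analysis and risk-based prioritization described above can be kept as structured data so that the roadmap order and the risk-acceptance rule (compensating control plus risk-owner sign-off) are checked mechanically; the subcategory ids are CSF 1.1-style labels, and all tiers, scores and costs are constructed sample input.

```python
from dataclasses import dataclass
# CSF Core functions named in the post; the assessment data below is constructed sample input.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass
class ControlAssessment:
    subcategory: str        # CSF 1.1-style subcategory id
    function: str           # one of CSF_FUNCTIONS
    current_tier: int       # Current Profile: tier 1 (Partial) .. 4 (Adaptive)
    target_tier: int        # Target Profile
    likelihood: int         # 1..5, from the threat assessment
    impact: int             # 1..5, business impact if the outcome is not met
    cost: float             # relative cost (people, process, technology) to close the gap
    decision: str = "mitigate"      # "mitigate" or "accept"
    compensating_control: str = ""  # required when the risk is accepted
    risk_owner_signoff: str = ""    # required when the risk is accepted
    def gap(self) -> int:
        return max(0, self.target_tier - self.current_tier)
    def risk(self) -> int:
        return self.likelihood * self.impact
    def priority(self) -> float:
        # risk reduction per unit of cost: big gap, risky outcome, cheap to close goes first
        return self.risk() * self.gap() / self.cost

def validate(assessments):
    """Ids that break the post's rules: unknown CSF function, or a risk 'accepted'
    without both a compensating control and a documented risk-owner sign-off."""
    bad = []
    for a in assessments:
        if a.function not in CSF_FUNCTIONS:
            bad.append(a.subcategory)
        elif a.decision == "accept" and not (a.compensating_control and a.risk_owner_signoff):
            bad.append(a.subcategory)
    return bad

def roadmap(assessments):
    """Open gaps the business chose to mitigate, highest priority first, as
    (subcategory, priority); closed gaps and accepted risks are left off."""
    open_gaps = [a for a in assessments if a.decision == "mitigate" and a.gap() > 0]
    return [(a.subcategory, round(a.priority(), 2))
            for a in sorted(open_gaps, key=lambda a: a.priority(), reverse=True)]

# Constructed Current/Target Profile for four outcomes.
SAMPLE = [
    ControlAssessment("ID.AM-1", "Identify", 1, 3, 4, 4, 2.0),
    ControlAssessment("PR.AC-1", "Protect", 2, 4, 3, 5, 4.0),
    ControlAssessment("DE.CM-1", "Detect", 3, 3, 2, 3, 1.0),
    ControlAssessment("RC.RP-1", "Recover", 1, 3, 2, 2, 3.0, "accept"),
]
```

Running `validate(SAMPLE)` flags RC.RP-1, which was accepted without a compensating control or sign-off, while `roadmap(SAMPLE)` puts the asset-inventory gap ahead of the access-control gap because it buys more risk reduction per unit of cost.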
Build Top-Down

The goal is to build a strong security program that is well designed, implemented, and managed. The security program is made of many layers, and it will operate best if a top-down approach is followed. Therefore, start by defining the ‘Vision’: a descriptive picture of the desired future state, answering “Where do we want to be?” Next, identify the ‘Objectives’: the high-level achievements of the security program. Write down the ‘Goals’: anything that will be measured to help fulfill an objective. Next, document the ‘Strategy’ for each of the goals: the actions that need to be implemented on a day-to-day basis to achieve your objectives. (There can be one or many ‘Projects’ associated with each ‘Strategy’; these are the concrete actions an organization takes to execute its strategic plan.) The last step in building the security program is to identify the ‘Capabilities’ that need to be in place to create business value, e.g., log monitoring, remote access, access management, incident management, etc.

Building the security roadmap is not a one-and-done project; it should be part of a continuous program strategy and operations cycle. You can never entirely mitigate cyber risk. It is not an end result to be achieved once; it is a continuous process. You need to take certain steps in order to mitigate cyber risk, and with each step the business becomes more secure and stronger against that risk.
Cyber risks keep evolving, and your business may face new risks over time. To cope with the changing risks, you need to implement processes that ensure continuous mitigation of cyber risk. Beyond the technical processes and procedures, as security professionals we should also be familiar with the latest legislation and regulations that organizations have to abide by, and adjust our roadmap as necessary.
Tracking and Communicating Goals
No matter how well the information security leader understands the business goals and builds out the security roadmap, it is all for nothing if that information is not communicated to the security team. For security projects and programs to be effective, the people involved need to know the end goals they are trying to achieve. In turn, senior leadership should know about the opportunities and risks associated with the actions and inactions of the security team. The communication strategy must include both the security team and senior leadership, and in some cases all employees. Communication needs to flow in both directions: top-down and bottom-up communication must be in concert with one another. Information security is very important in the 21st century, so the key performance indicators should link to employee performance and the key imperatives of the business. This shows that information security is taken seriously in your business. Making information security KPIs part of your business strategy is also a great help to the Information Security Management System (ISMS). There can be different types of Information Security (IS) KPIs, ranging from policy metrics and business-related metrics to technical metrics. These key performance indicators are very important for reaching your business goals and objectives.
References
- NIST SP 800-39: The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing information security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.
- The National Institute of Standards and Technology (NIST) was founded in 1901. NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. NIST’s activities are organized into laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement.
- The International Organization for Standardization (ISO) is an independent, non-governmental organization, the members of which are the standards organizations of the 165 member countries. It is the world’s largest developer of voluntary international standards and it facilitates world trade by providing common standards among nations. More than twenty thousand standards have been set, covering everything from manufactured products and technology to food safety, agriculture, and healthcare.
- COBIT 5: COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. The framework specifies a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures, and an elementary maturity model.
- NIST Cybersecurity Framework (CSF): Set forth by the National Institute of Standards and Technology under the United States Commerce Department, the Cybersecurity Framework is a set of guidelines for private sector companies to follow to be better prepared in identifying, detecting, and responding to cyber-attacks. It also includes guidelines on how to prevent and recover from an attack. Version 1.0 of this framework was published by NIST in 2014. A recent security framework adoption study reported that a majority of the surveyed organizations see NIST’s framework as a popular best practice for computer security, but many note that it requires significant investment.