
  • Commonsense Planning of Security Technologies

    Few drivers utilize an outdated, paper-based map when driving long distances.  Too many real-time conditions impact driving options.  Choosing what security technologies to implement and when to implement them has similar complexity.    Utilize your Value-Added Reseller to help define your annual security technologies roadmap.  Let your IT Security Roadmap put you in the driver’s seat to the best return-on-investment.

    Keeping up with the change in technology can be overwhelming, from increased business usage to the rapid advancements in the cybersecurity market.  What often took 5-10 years to adopt a couple of decades ago is in production in just a few years.  This article establishes some simple next steps to address the issue.  A Commonsense approach to Security Improvement is needed.

    Just 2 decades ago, Gartner’s vision for Information Security program adoption captured three unique perspectives – organizational, data-centric, and technical.  One leg of the program needs a view of the current security technologies and the ones being considered soon.  A bit later, ISACA came to a similar conclusion.  Their blueprint for The Business Model for Information Security[i] included a Technology component that addresses the Human Factors of People, the Enabling and Support of Process, and the Architecture of the Technology to be used.  Without factoring in all three areas, IT Security decisions end up as a square peg in a round hole.

    Few organizations can resource the planning of security technologies, however.  Enterprises often have architecture teams and subscription services to firms like Gartner or Forrester.  Small-to-midsized organizations need other options.  One commonsense approach leverages Value Added Resellers (VARs) to establish and maintain the client’s roadmap of security technologies.

    One view of the Cybersecurity Ecosystem[ii] has eight areas supporting Cybersecurity, Privacy, and Trust: Security Operations; Data Security; Application Security; Physical Security; Infrastructure Security; Governance, Risk, and Compliance; Fraud and Transaction Security; Identity Security, and (general) Services.  One or more of these perspectives best aligned to client priorities should be included in the roadmap.

    The roadmap simplifies decision-making and highlights when tasks are needed within that calendar year.  A given technology may need to be in one of four states:

    1. CONTAIN – Further investment in a previously mainstream product may be contained.
    2. RETIRE – Some contained technologies may be end-of-life and need to be retired.
    3. EMERGING – Emerging technologies may be researched in support of future planning.
    4. MAINSTREAM – A green light may be given to previously defined emerging technologies.

    Several factors go into the performance of a given technology.  For example, Gartner demystifies the market hype in the Gartner Hype Cycle[iii].  Products may be On the Rise, At the Peak, Sliding into the Trough, Climbing the Slope, or Entering the Plateau.  The annual update to the roadmap should highlight where the technologies are.  Return on investment will vary based on the product’s maturity and market acceptance. 

    Let’s look at an example using the Governance, Risk, and Compliance part of the Cybersecurity Ecosystem and the Gartner Hype Cycle for Cyber Risk Management.[iv]  Depending on client input, the roadmap might include up to 6 product categories to be Mainstream in less than 2 years, or 13 to be Mainstream in 2-5 years.  Business impact will also be highlighted for each category selected.  Adoption prior to Mainstream has value when Transformational benefits could be realized!

    While the cybersecurity market dictates the Emerging and Mainstream technologies, other factors determine what is placed in Contain or Retire.  Input is solicited from the client and their cybersecurity vendors to make these determinations.  Product categories become Contained when newer approaches are being adopted and dependencies still exist.  Contained categories are moved to Retire when dependencies have been eliminated and/or the product is end of life. 

    As a result of applying this Commonsense Planning of Security Technologies, your current and near-term cybersecurity technologies in your Cybersecurity Ecosystem are defined, benefits highlighted, and next step actions are easily identified.  Let Securitybeat Advisors assist with your IT Security Roadmap!


    [i] The Value of BMIS ISACA – https://www.isaca.org/isaca-digital-videos/archive/the-value-of-bmis–isaca

    [ii] Strategy of Security, The Ecosystem Explained – https://strategyofsecurity.com/cybersecurity-ecosystem/

    [iii] Gartner Hype Cycle – https://www.gartner.com/en/research/methodologies/gartner-hype-cycle

    [iv] Gartner Hype Cycle for Cyber Risk Management, 2023 – https://www.gartner.com/en/documents/4564900

  • Using CSF and CISA in Cyber Risk Governance

    The NIST Cybersecurity Framework provides an easy-to-use governance process for managing cyber risk.  Organizations should consider the NIST Cybersecurity Framework if they are just forming a Cybersecurity program or have no immediate need for an independent audit/certification.  CISA puts CSF into practice with free public resources and services.  CSF and CISA are the one-two punch to get Cybersecurity programs initiated!

    The stakeholders of your organization expect visible due diligence in protecting your assets as well as steps to address the liabilities of doing business.  Many regulations and state laws also require a formal Cybersecurity program where management sets the direction for control objectives through policy and measures control implementation using baseline standards.  Management’s part is to establish its framework for deciding upon the policies and controls to get the ball rolling.  In the Security 360° Perspective, this practice area is called Risk Governance.

    In 2014, the National Institute of Standards and Technology (NIST) offered its first non-government option for Risk Governance – The Cybersecurity Framework.[i]  CSF gave an option for municipalities, local government, schools, and the private sector to define business requirements in Organizational Profiles, set baselines in performance Tiers, and work from one common Core of cybersecurity functions to build Cybersecurity capability.

    With its 2.0 release this past month, CSF is a must-have for Cybersecurity Risk Governance![ii]  Most notably, CSF 2.0 has added the Govern Core function, strengthening the cohesion between senior management in their leadership and support of the program, and their involvement in risk management activities.  Re-usable Profiles exist for many of the sixteen Critical Infrastructure sectors that use CSF.  CSF 2.0 directly supports the US National Cybersecurity Strategy and takes advantage of recently developed guidance on supply chain security and small business security.

    The flexibility of choosing Organizational Profiles and performance Tiers gives the option to establish a solid foundation and then build capability on that solid footing.  Organizations should start with the Organizational Profile and performance Tier closest to their demonstrable compliance.  Establish a stable, verifiable Current Profile before chasing capabilities well beyond your reach!  You can start with Tier 1 – Partial – to assess your capabilities, but you still need to get to Tier 2 – Risk Informed – to truly Risk Govern any gaps discovered.  The payback to the business comes when Tier 3 – Repeatable – establishes operational effectiveness.  High-risk organizations will eventually want to achieve Tier 4 – Adaptive – in select profiles associated with that risk.

    The Cybersecurity and Infrastructure Security Agency (CISA) provides several free resources and tools that complement CSF.   One resource is the Cyber Security Evaluation Tool (CSET) which supports several security assessments, including the NIST Cybersecurity Framework.[iii]  Use CSET to assess against the profiles and performance tiers discussed earlier.  Organizations with limited resources might consider establishing Cross-Sector Cybersecurity Performance Goals to tailor their initial CSF implementation.[iv]

    Cybersecurity capability is subdivided into 6 functional areas covering 22 categories.  Govern includes the Organizational Context, Risk Management Strategy, Roles and Responsibilities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management.  Identify creates the focus of your program with Asset Management, Risk Assessment, and Improvement.  The remaining functions – Protect, Detect, Respond, and Recover – operate within that area of focus.

    Mappings bring other standards into CSF, either manually using NIST documentation or automatically using CSET.  Mappings exist for COBIT 5, CIS CSC, ISO 27001, and ISA 62443.  Vendors also offer mappings to SOC 2!

    At the end of the day, remember that stakeholders of your organization expect visible due diligence in protecting your assets as well as steps to address the liabilities of doing business.  Don’t bury them in the weeds.  Proudly demonstrate your Risk Governance strategy.  Let CSF and CISA get you started!


    [i] NIST Releases Cybersecurity Framework Version 1.0 – https://www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framewortk-version-10

    [ii] NIST Releases Version 2.0 of Landmark Cybersecurity Framework – https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

    [iii] NIST Cyber Security Evaluation Tool – https://www.cisa.gov/downloading-and-installing-cset

    [iv] Cross-Sector Cybersecurity Performance Goals – https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

  • Maturing Cyber Security

    A maturing Cyber Security Program is music to my ears.

    Last week, I was assisting a client in a friendly audit of their readiness to certify to ISO 27001:2022. I ran a series of sessions covering each applicable control and allowing the client to demonstrate management’s assertion to the control objective and their evidence of its implementation. ISO certification readiness would end up being the sum of the parts.

    It reminded me of learning to play the guitar in my youth. We started with playing a note, then progressed to playing a simple sheet of music at a slow rhythm. Eventually we progressed to chords (combinations of notes) and complex music. I never progressed to composing music – the artists and music teacher were my guard rails. Significant improvement was observed in the 6 months since I saw the client. Their music was getting better.

    Effective consultancy approaches Cyber Security adoption the same way as learning how to play music. We start with picking the composer – the standards body that best matches the organization – in my recent client’s case, the International Organization for Standardization (ISO). Then we selected the specific sheet of music to manage Information Security – ISO 27001:2022.

    The standard is not an easy read and requires Cyber Security advisory to set the table. A risk assessment scopes the controls to be implemented, and a set of policies clarifies management’s control objectives. The client is boxed in – so to speak. Become intimate with the policy and be ready to demonstrate how you have implemented the controls.

    The composers of the standard did not cast a set of unrelated components. Maturity comes with the inter-relationships and cohesion. The set is more than the sum of the parts. The highest stage of maturity is when the organization does more than meet the standard – it uses the policy infrastructure to evolve its cyber risk management capabilities.

    If your organization is just starting the journey to adopt a Cyber Security program, or wants to turbo-charge a legacy Information Security program to address the challenges that cyber risk brings, we can help.