Blog

  • Using CSF and CISA in Cyber Risk Governance

    The NIST Cybersecurity Framework provides an easy-to-use governance process for managing cyber risk.  Organizations should consider the NIST Cybersecurity Framework if they are just forming a Cybersecurity program or have no immediate need for an independent audit/certification.  CISA puts CSF into practice with free public resources and services.  CSF and CISA are the 1-2 punch to get Cybersecurity programs initiated!

    The stakeholders of your organization expect visible due diligence in protecting your assets as well as steps to address the liabilities of doing business.  Many regulations and state laws also require a formal Cybersecurity program where management sets the direction for control objectives through policy and measures control implementation using baseline standards.  Management’s part is to establish their framework for deciding upon the policies and controls to get the ball rolling.  In the Security 360° Perspective, this practice area is called Risk Governance.

    In 2014, the National Institute of Standards and Technology (NIST) offered its first non-government option for Risk Governance – The Cybersecurity Framework.[i]  CSF gave an option for municipalities, local government, schools, and the private sector to define business requirements in Organizational Profiles, set baselines in performance Tiers, and work from one common Core of cybersecurity functions to build Cybersecurity capability.

    With its 2.0 release this past month, CSF is a must-have for Cybersecurity Risk Governance![ii]  Most notably, CSF 2.0 has added the Govern Core function, strengthening the cohesion between senior management in their leadership and support of the program, and their involvement in risk management activities.  Re-usable Profiles exist for many of the sixteen Critical Infrastructure sectors that use CSF.  CSF 2.0 directly supports the US National Cybersecurity Strategy and takes advantage of recently developed guidance on supply chain security and small business security.

    The flexibility of choosing Organizational Profiles and performance Tiers gives the option to establish a solid foundation and then build capability on that solid footing.  Organizations should start with an Organizational Profile and performance Tier closest to their demonstrable compliance.  Establish a stable, verifiable Current Profile before chasing capabilities well beyond your reach!  You can start with Tier 1 – Partial – to assess your capabilities, but you still need to get to Tier 2 – Risk Informed – to truly Risk Govern any gaps discovered.  The payback to the business comes when Tier 3 – Repeatable – establishes operational effectiveness.  High-risk organizations will eventually want to achieve Tier 4 – Adaptive – in the select profiles associated with that risk.

    The Cybersecurity and Infrastructure Security Agency (CISA) provides several free resources and tools that complement CSF.  One resource is the Cyber Security Evaluation Tool (CSET), which supports several security assessments, including the NIST Cybersecurity Framework.[iii]  Use CSET to assess against the profiles and performance tiers discussed earlier.  Organizations with limited resources might consider establishing Cross-Sector Cybersecurity Performance Goals to tailor their initial CSF implementation.[iv]

    Cybersecurity capability is subdivided into 6 functional areas covering 22 categories.  Govern includes the Organizational Context, Risk Management Strategy, Roles and Responsibilities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management.  Identify creates the focus of your program with Asset Management, Risk Assessment, and Improvement.  The remaining functions – Protect, Detect, Respond, and Recover – operate within that area of focus.

    Mappings bring other standards into CSF, either manually using NIST documentation, or automatically using CSET.  Mappings exist for COBIT 5, CIS CSC, ISO 27001, and ISA 62443.  Vendors also offer mappings to SOC 2!

    At the end of the day, remember that stakeholders of your organization expect visible due diligence in protecting your assets as well as steps to address the liabilities of doing business.  Don’t bury them in the weeds.  Proudly demonstrate your Risk Governance strategy.  Let CSF and CISA get you started!


    [i] NIST Releases Cybersecurity Framework Version 1.0 – https://www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framewortk-version-10

    [ii] NIST Releases Version 2.0 of Landmark Cybersecurity Framework – https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

    [iii] NIST Cyber Security Evaluation Tool – https://www.cisa.gov/downloading-and-installing-cset

    [iv] Cross-Sector Cybersecurity Performance Goals – https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

  • Maturing Cyber Security

    A maturing Cyber Security Program is music to my ears.

    Last week, I was assisting a client in a friendly audit of their readiness to certify to ISO 27001:2022. I ran a series of sessions covering each applicable control and allowing the client to demonstrate management’s assertion to the control objective and their evidence of its implementation. ISO certification readiness would end up being the sum of the parts.

    It reminded me of learning to play the guitar in my youth. We started with playing a note, then progressed to playing a simple sheet of music at a slow rhythm. Eventually we progressed to chords (combinations of notes) and complex music. I never progressed to composing music – the artists and the music teacher were my guard rails. Significant improvement was observed in the 6 months since I last saw the client. Their music was getting better.

    Effective consultancy approaches Cyber Security adoption the same way as learning how to play music. We start with picking the composer – the standards body that best matches the organization – in my recent client’s case, the International Organization for Standardization (ISO). Then we selected the specific sheet of music to manage Information Security – ISO 27001:2022.

    The standard is not an easy read and requires Cyber Security advisory to set the table. A risk assessment scopes the controls to be implemented and a set of policies clarify management’s control objectives. The client is boxed in – so to speak. Become intimate with the policy and be ready to demonstrate how you have implemented the controls.

    The composers of the standard did not cast a set of unrelated components. Maturity comes with the inter-relationships and cohesion. The set is more than the sum of the parts. The highest stage of maturity is when the organization does more than meeting the standard – the use of policy infrastructure to evolve cyber risk management capabilities.

    If your organization is just starting the journey to adopt a Cyber Security program or wants to turbo-charge a legacy Information Security program to address the challenges that cyber risk brings, we can help.

  • The Shift in Corporate Cybersecurity Strategies

    During NCS Madison’s CIO & CISO Strategy Meeting in Boston, MA on April 23, 2019, my discussion group concluded that evolving cyber threats and regulations are triggering enhanced capabilities in enterprises and initial capability in start-ups and small businesses.

    DISCUSSION SUMMARY

    Digital Transformation has driven rapid change in how organizations develop, deliver, and manage their businesses. Technology has become the enabler for business value and the new target for crime. As a result, cybersecurity is now an agenda item in the boardrooms of organizations big and small. 

    At NCS Madison’s 2019 CIO & CISO Strategy Event in Boston, MA, fifteen cybersecurity leaders shared their strategy for cybersecurity and explored trends. The organizations represented a mix of small and large-scale enterprises, operating in healthcare, banking, pharma, retail, manufacturing, and the public sector. The discussion included:

    1. Aligning the Cybersecurity Plan;
    2. Obtaining Actionable Intelligence;
    3. Developing Cybersecurity Practices;
    4. Cybersecurity Plan Validation and Reporting.

    Despite the diversity of the participants, all agreed to these takeaways:

    1. Established enterprises are increasingly adding secondary security frameworks to refine cybersecurity capabilities. Most enterprises are adding the CIS Critical Security Controls.
    2. Small and emerging organizations are rapidly adopting the NIST Cybersecurity Framework (CSF) to drive cybersecurity planning.
    3. Emerging privacy regulations are clouding established frameworks for asset classification and control. Uniform cybersecurity planning to these mandates is problematic at best.
    4. New organizational approaches are evolving to ensure stakeholder involvement when setting front office vs. back office priorities. Departmental alignment is no longer sufficient.
    5. The search for actionable intelligence continues. No common approach or methods surfaced in the discussion.
    6. Culture remains one of the biggest obstacles to cybersecurity capability, especially in the public sector.
    7. All are doing some form of ethical hacking to validate cybersecurity capabilities.

    DISCUSSION COMMENTARY

    The starting point for Cybersecurity planning is to identify the control objectives most appropriate for the inherent risks of the organization. Inherent risk is associated with the products and services the organization offers, the technology being used, and how the systems and third parties are connected.

    Stakeholders are a key component to the success of the Cybersecurity plan. As businesses undergo digital transformation, key managers from the front office are now coming into play. One participant offered a three-domain approach for identifying stakeholders: 1) Operational technology (IT, automation and planning), 2) Cross technology (security systems and design), 3) Commercialized technology (outward-facing products and services). All concurred that digital marketing is more important than ever. Big data and business intelligence also support this effort.

    Tenable’s Trends in Security Framework Adoption Survey found that 84% of organizations align to at least one security framework, while 44% use more than one. Almost all of our group used at least one while the majority of the group used two. The survey also ranked the security frameworks being used, with PCI DSS (47%), ISO 27xxx (35%), CIS Critical Security Controls (32%), and NIST Framework for Improving Critical Infrastructure Security (29%).  The majority of our group used the NIST Framework.

    Rapid changes in laws and regulations are challenging cybersecurity planning. The group discussed Risk & Insurance’s Top 5 Privacy and Cyber Regulations and Why They Should Concern Risk Managers. Most have been focusing on GDPR and believe it is a lot of work but doable. The California Consumer Privacy Act (CCPA) is problematic due to non-standard definitions of personal information. Much like GDPR, New York’s Cybersecurity Regulation (23 NYCRR Part 500) is a lot of work but manageable.

    Much of Cybersecurity capability hinges on the ability to obtain actionable intelligence. No uniform approach was offered by the group. Many are collecting vulnerability data in real time, analyzing it, and prioritizing next steps. Some position this as a subcomponent of a broader data analytics strategy. Others look at the behavior of users on the system and investigate anomalies. A few in the group use deceptive technologies to lure their adversaries in and foil their reconnaissance efforts.

    The team discussed Ponemon Institute’s report Separating the Truths from the Myths in Cybersecurity, with 84% of respondents concerned that their cybersecurity practices were not keeping pace, 30% stating that a product cybersecurity program had yet to be established, and 63% reporting that less than half of their IT assets are being tested for vulnerabilities. One attendee working in state government and supporting gaming technology stated her concern about culture. The biggest struggle is changing that human concept of what risk and security mean. The context of the digital transformation is foreign to them. Many in the group agreed that culture needs to move higher in the top 10 list. Someone offered phishing campaigns to spread awareness and continuous education. Another started to embed the business into the IT governance model so it becomes part of the culture.

    References:

    1. https://www.tenable.com/whitepapers/trends-in-security-framework-adoption
    2. https://riskandinsurance.com/top-5-cyber-security-regulations/
    3. https://www.ponemon.org/var/www/vhosts/www.ponemon.org/research/ponemon-library/security/separating-the-truths-from-the-myths-in-cybersecurity.html