Addressing Cyber Security Risk with Frameworks and Controls

VIEW FEATS OF STRENGTH MAGAZINE HERE

THE YEAR OF ACTION AND EXECUTION STARTS WITH HAVING A PLAN, SO WE ASKED EXPERTS ABOUT ADDRESSING CYBER RISKS WITH FRAMEWORKS AND CONTROLS. 

USING THE NIST FRAMEWORK AND CONTROLS FOR MAXIMUM BENEFIT; A STANDARD APPROACH TO TALKING ABOUT RISK AND SECURITY

According to Gartner, 30% of all public and private organizations had begun implementing frameworks such as the NIST Cybersecurity Framework (CSF) by 2015, and Gartner predicts adoption will reach 50% by 2020. This prediction is consistent with the conversations K logix has with CISOs today. Kevin Hamel, CISO of COCC, reports that NIST’s high profile in Boardrooms across the financial services industry is driving faster adoption of the framework.

Everyone in the organization needs to be aware of, and part of, the successful implementation of the Framework. Security teams that have already begun to use a Framework like the NIST CSF should therefore evaluate how well it has been communicated and leveraged throughout the company. An effective Framework supports security efforts outside of the technology department and drives conversations about business processes, business goals, and risk management. It gives everyone in the company a playbook and a common language for discussing risk.

Matt Barrett, Program Manager for the NIST Cybersecurity Framework, says, “There are no conversations at the executive level in business where cybersecurity isn’t a dependency. It could be cash-flow, accounts receivable, customer service – everything is underpinned with cyber, and that means cyber security. That’s the number one reason everyone in the organization needs to understand cyber security.”

Eric Hussey, CISO at UNFI, explains why they use the NIST framework: “The adoption of a cybersecurity framework gives you the guidance on how to implement a comprehensive information security program in any organization.”

HOW TO GET THE MOST OUT OF YOUR FRAMEWORK

1. DEFINE RISK IN COMPANY-STANDARD WAYS - NIST encourages organizations to define their own profiles and coalesce as an organization around standard language to ensure that everyone is on the same page when talking about risk – whether cybersecurity risk, financial risk, or another type. Ron Ross, the creator of the NIST Risk Management Framework says, “A standard allows technical and non-technical executives to be in the same room and have a conversation that enables action. The C-suite doesn’t open their checkbook without a valid reason. The NIST framework allows everyone to understand how cyber security risk impacts their organization. It gets everyone talking the same language.”
While the NIST CSF is agnostic about which risk management approach an organization uses, Ross and Barrett both point out that the NIST Risk Management Framework works well for addressing cybersecurity risk.

2. ALIGN CONTROLS WITH BUSINESS GOALS - CISOs adopting cyber security controls should look at how the controls impact and align with business goals. John Pescatore, Director of Emerging Security Trends at the SANS Institute says, “Don’t do it [a control] if it is not tied to a business requirement. Before you look at the list of controls you must understand the critical business processes – these are unique per industry and company. Once you understand the value of those processes you can prioritize how to tackle the standards.”
Pescatore points out that one adopter of the CIS Critical Security Controls (CIS CSC) is a major public university. While one might assume tuition or fees are its number one revenue generator, it is actually public grants. To be eligible for those grants, the university must show that it is protecting student information. Because obtaining grants is a major goal for the university, protecting PII becomes a major security initiative as well. That is an example of how to tie security controls to business goals.

3. DON’T LISTEN TO THE NOISE – One of the most important aspects of framework adoption is commitment. That means CISOs cannot let the Board be distracted by fear-driven news reports about threats and attacks. Pescatore says, “Security executives can find a million things to do, but the controls help CISOs educate management on priorities and why certain security issues must be addressed before others. Often, the Wall Street Journal is telling business executives what is most important in security. There might be a big threat in the news, but is it a big threat to that company? If you don’t have an existing process and rationale, how can you explain what does and does not matter? You can use standards to prioritize with the Board.”

To get the most out of a framework and its controls in your security operations, always align them with business goals, communicate them effectively across the organization, and stay committed to the approach.
