Cybersecurity is a daunting issue for all companies, and increasingly a key consideration in any supply chain relationship. However, getting a handle on creating secure relationships, systems, and interactions seems like a gargantuan task. Where do you start? What should be the focus of the program? How do you verify that the right controls are in place before a cyber breach?
These questions are being asked by organizations around the globe and have been the topic of discussion by the Cybersecurity Framework Advisory Council, a group of senior executives from multinational companies weighing in on an initiative by the Center for Responsible Enterprise And Trade (CREATe.org) to broaden the use of the NIST Cybersecurity Framework.
Elements of an effective cybersecurity program – and the importance of understanding maturity
What constitutes an effective cybersecurity program? The National Institute of Standards and Technology (NIST) launched a Cybersecurity Framework (CSF) in 2014 to offer guidance. The Framework Core features five functions, with 20 categories and 98 subcategories distributed across those functions, each mapped to informative references. These references include several ISO-related information security standards (among them ISO 27001, the most broadly deployed information security standard globally), NIST-developed standards, and others.
Clearly, it’s complex. The CREATe initiative is looking to make it easier for companies to translate NIST Framework guidance into an approach that can be understood by a range of business stakeholders – from the C-Suite and the Board to managers. CREATe’s work focuses on helping companies to measure and improve the ‘people, process and technology’ elements of cybersecurity programs. For cybersecurity, CREATe has applied maturity levels – based on a scale of one to five – to each of the 98 controls of the Framework. Understanding the maturity of the controls in place is critical, as it enables senior management to better assess risk, prioritize resources and evolve a program as new risks arise.
Assessing cyber risks: what is the best approach?
A key component of a cybersecurity program is an assessment of the systems in place to protect against cyber threats. This is conducted via questionnaires, interviews, or both. For many companies, however, defining an assessment’s scope is an ongoing challenge. Should the assessment focus on one part of the company? Or span the whole enterprise? Regardless of the answer, a clearly defined scope is critical to establishing a meaningful baseline and being able to track improvement.
There is a wide variation in how assessment scope is defined, but a few patterns emerged from a discussion with CREATe’s Advisory Council members.
- Top-down approach: Several organizations set an enterprise-wide assessment scope because many of the controls are centrally established. From that perspective, executives then try to drill down to the business unit, function or location to look at implementation. As one Advisory Council member stated, “We perform our assessments at the enterprise level, but document how controls are met at each individual system level.”
- Bottom-up approach: Several mentioned that assessments are done by business units, functions and geographic locations and rolled up to the enterprise level. As one member noted, “Having multiple assessments is valuable in assessing compliance and implementation against corporate policies.”
- Multi-faceted approach: One company splits its cybersecurity program into four major areas and tracks maturity on a one to five scale in each: management systems; how data travels; key processes; and validation, monitoring and response.
What about third parties? The use of the NIST Framework to assess third parties is still in its infancy; however, some organizations do incorporate cybersecurity assessments into their vendor management programs. Some companies tailor the scope based on the risk profile and the nature of the vendor. Others take a tiered approach based on the criticality of the relationship and the information shared.
Verifying cybersecurity programs
Once an assessment of a program takes place, what is the best way to verify the results? There are different approaches to verification. For internal assessments, many companies do not conduct a formal verification, but rather, adhere to specific processes throughout an assessment. Any deviation from the process will trigger a red flag and require follow-up remediation. Some companies will conduct peer reviews of important controls and discuss ways of improving performance. Others will bring in independent auditors to do a top-to-bottom assessment for compliance.
Developing a trail of documentation can help to improve accountability. Adequate documentation is seen as integral to verification by peer review and independent evaluations. Some organizations require documentation and justification for assessment results during peer review discussions with people across the organization. Some also said that documentation was important for linking results to improvement plans during peer reviews.
Cybersecurity is not just an IT issue. It involves embedding business processes throughout an organization – from access controls to training, cross-functional leadership and monitoring, among other actions. To understand the elements necessary for robust cybersecurity, companies are increasingly turning to standards and other guidance, such as the NIST Cybersecurity Framework. Assessing programs against these leading practices, and verifying results, provides the essential information necessary to allocate resources, define areas of improvement and ultimately, best protect corporate information from cyber threats.