Wouldn’t it be great if you had enough confidence in your information security program that, if a criminal gang attacked you, you could defend yourself, keep your business going and notify the appropriate legal authorities and any vendor partners that might be affected?
Yes, it would be great. Yes, it is possible. Getting to that point is, in fact, the goal of a mature security program.
With a mature information security program, you can keep your business running even while you are under attack or recovering from one, including a ransomware attack.
The question is, how do you get to that mature state? What does it take?
Many business leaders assume they don’t have enough budget or resources to achieve that level of cybersecurity capability.
How do you start down the path of having a robust, mature information security program?
First, you make information security a priority. Your board agrees, and you make room for it in your budget and in your business plan.
Second, you choose a framework for your security program that works for your organization.
But what is a framework?
An information security framework is a documented set of processes that define the policies and procedures for implementing and managing information security controls in your company. Frameworks such as the NIST CSF, the CIS Controls, COBIT and ISO 27001 are blueprints for building an information security program that lets you manage risk and reduce vulnerabilities.
Over the next few blog posts I will take a look at these frameworks at a high level so you can figure out which one makes sense for your company. I will start with the NIST CSF.
NIST Cybersecurity Framework (CSF)
NIST (the National Institute of Standards and Technology) is a U.S. federal agency, part of the Department of Commerce, that sets standards we rely on every day. For example, NIST’s weights-and-measures standards are why you get one gallon of gas when the pump says one gallon, rather than 0.99 or 0.95 gallons.
NIST is the authority on weights and measures in the United States. It also sets cryptographic standards: in 1997 NIST opened a public competition to replace the aging DES cipher, and in 2001 it standardized the winning design, Rijndael, as the Advanced Encryption Standard (AES, FIPS 197). AES was approved for protecting sensitive federal data, was later approved by the NSA for classified data up to Top Secret (with 192- or 256-bit keys), and today protects most online transactions, for example inside TLS.
Acting on a 2013 presidential executive order, NIST, working with private industry, studied the problem and in 2014 published a guide, the Cybersecurity Framework (CSF), to help organizations manage and reduce cybersecurity risk. One way to think of the framework is by the five core functions it describes: Identify, Protect, Detect, Respond and Recover. Each function guides an organization to think clearly about what it has, how to protect it, how to detect when something bad happens, how to respond and then how to recover.
Here are the five core functions (as defined in CSF version 1.x; version 2.0, released in 2024, added a sixth function, Govern, which the posts in this series do not cover):
Identify—Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities. The activities in this function are foundational for effective use of the framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome categories within this function include: Asset management, business environment, governance, risk assessment and risk management strategy.
Protect—Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. This function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome categories within this function include: Access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology.
Detect—Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. This function enables timely discovery of cybersecurity events. Examples of outcome categories within this function include: Anomalies and events, continuous monitoring and detection processes.
Respond—Develop and implement the appropriate activities to take action when a cybersecurity event is detected. This function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome categories within this function include: Response planning, communications, analysis, mitigation and improvements.
Recover—Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. This function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome categories within this function include: Recovery planning, improvements and communications.
Companies often use the five functions as a self-assessment: under each function the framework lists categories and subcategories (108 outcome statements in CSF v1.1), and working through them shows how well the organization is doing in each area. The language is understandable and consistent, so the whole team is on the same page.
Using the five core functions as focal points for your attention, you can then begin to build your security program using consistent, understandable language that you, your team and the board can understand.
In our next blog, I’ll talk about the CIS Controls as another potential framework you can use.