Deconstructing the tools that have emerged from Obama's executive order on securing critical infrastructure.
The emergence of mobile/cloud computing has been breathtaking in its speed of adoption and growth. The wake these technologies are creating is capsizing business models and practices while generating new waves of innovation and creation. At the same time, the cybersecurity strategies that organizations rely on to help them safely navigate these new challenges and opportunities are also undergoing a sea of change.
Mobile and cloud technologies have eroded the digital perimeter that organizations have traditionally used as the foundation of their security practices. Many of our tried-and-true security practices -- such as firewalls, antivirus tools and intrusion-detection systems -- are increasingly insufficient against the deluge of our digital adversaries. The landscape is changing, and we need a new map.
Fortunately, the public and private sectors have begun to draft one. In early 2013, President Barack Obama issued Executive Order 13636, which calls for the development of a voluntary framework that would help manage the cybersecurity risk for our most critical infrastructure. In early 2014, following an industry-led period of discussion and collaboration, the National Institute of Standards and Technology issued Version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. The goal is to create an open, business-centric framework for managing digital risk that provides guidance to organizations of any size, risk profile or cybersecurity sophistication.
The framework consists of three parts: the Core, Implementation Tiers and Profile. In overly simplistic terms, those elements provide a structure for thinking about managing cybersecurity risk (Core), benchmarking an organization's risk management practices and needs (Implementation Tiers), and creating a road map for achieving an organization's desired risk management maturity (Profile).
The Core delineates five key functions of an effective cybersecurity risk management program: identify, protect, detect, respond and recover.
- "Identify" refers to understanding the business impact of an organization's digital resources and the risks associated with the compromise of those resources.
- "Protect" refers to the element of cybersecurity on which we traditionally focus: the processes and technology controls designed to reduce our exposure to digital risk.
- "Detect" has risen in importance in recent years as it has become clear that preventing cyberattacks is a quixotic task and that rapid detection contributes to greater risk reduction.
- "Respond" is the necessary next step after detection and refers to an organization taking action to stop or remediate an attack.
- "Recover" refers to ensuring business continuity or restoration after a security event.
Those functions are further broken down into categories and subcategories of cybersecurity outcomes at the programmatic, management and technical levels.
The Implementation Tiers describe four levels of cybersecurity risk management sophistication:
- Tier 1 (Partial) describes organizations whose cyber risk management processes are not formalized and for whom risk is managed on an ad hoc basis. In Tier 1 organizations, cybersecurity risk is frequently viewed as "something that IT handles," and there is little to no collaboration on cybersecurity issues with external organizations.
- Tier 2 (Risk Informed) describes organizations for whom cybersecurity risk management has become a high-level concern but one that is still concentrated in the hands of an IT department. Those organizations have begun to create initial policy and to consider their role in the larger industry response to cybersecurity risk.
- Tier 3 (Repeatable) describes organizations with coherent risk management policies and practices that are understood and implemented across the organization. It is connected to the larger industry effort to address cybersecurity risk and benefits from the information shared by its industry partners.
- Tier 4 (Adaptive) describes organizations whose cybersecurity risk management is continuously improving due to the application of lessons learned from personal and third-party experiences. Organizationally, Tier 4 companies have made cybersecurity risk management part of their corporate culture and actively contribute risk information to larger industry efforts.
The Implementation Tiers must not be seen as a hierarchy through which organizations should progress over time. They describe different levels of sophistication based on the business context and needs of an organization. Some businesses might quite satisfactorily remain at Tier 1 because they do not require any greater degree of risk management sophistication. Each organization must review its own business context and decide which tier is right for its business needs.
The Profile consists of a snapshot of an organization's business needs, digital resources and risk assessment against the backdrop of the Core's functions, categories and subcategories. The profile can be a snapshot of the current state of the organization or its desired state -- or one of each. Those two profiles provide a road map for improving an organization's cybersecurity stance. Organizations can develop multiple profiles to match different geographies, markets or other needs.
Many organizations might already be pursuing a cybersecurity road map as a stand-alone project or as part of larger initiatives -- such as the ISO 27000 series of standards, COBIT 5 and even NIST's SP 800 series -- and many elements of the various standards overlap. Two common questions are: What's different about the framework, and what makes it preferable to other standards and specifications?
The answer depends on your particular context. The framework's primary benefit is that its support by industry and the federal government gives it the best chance of being both guided by current industry best practices and aligned with government experience and regulatory intent. For those already working toward compliance with a different standard, the good news is that the framework is intended to complement other standards. As mentioned above, there is overlap between the standards, so compliance with one can mean compliance with the other.
The challenge for many organizations is translating the framework and other standards into an action plan that results in a stronger cybersecurity stance in the real world. The framework provides a structure and process for understanding an organization's cybersecurity risk and guidance for how to reduce that risk, but it does not specify the actions to be taken along that path. There are, of course, many paths to that ultimate goal.
As a first step, an organization could use organic resources to assess itself against the framework, or officials might bring in an outside expert to review their capabilities. After that, organizations should be able to determine their risk levels and -- based on variables such as regulations, reputation, competition and liability -- develop a road map to achieve the Implementation Tier that makes the most sense for their business.
Regardless of how you adopt the framework (or any other standard), the important thing is to begin now. The threat landscape has evolved and grown significantly more dangerous, and the only thing more dangerous is continuing to delay adoption of a more effective cybersecurity risk management strategy.
You should begin with a frank assessment of your business needs, the digital assets supporting those needs and the risk posed by a compromise of those assets. Then use the framework to determine your desired cybersecurity profile and chart the course to achieve it. You probably won't arrive at your desired destination tomorrow, but you will be moving in the right direction, and every day will bring you closer to your desired end state and, ultimately, make your organization more secure.