The cybersecurity framework and you

Deconstructing the tools that have emerged from Obama's executive order on securing critical infrastructure.


The emergence of mobile and cloud computing has been breathtaking in its speed of adoption and growth. The wake these technologies are creating is capsizing business models and practices while generating new waves of innovation and creation. At the same time, the cybersecurity strategies that organizations rely on to help them safely navigate these new challenges and opportunities are undergoing a sea change of their own.

Mobile and cloud technologies have eroded the digital perimeter that organizations have traditionally used as the foundation of their security practices. Many of our tried-and-true security practices -- such as firewalls, antivirus tools and intrusion-detection systems -- are increasingly insufficient against the deluge of attacks from our digital adversaries. The landscape is changing, and we need a new map.

Fortunately, the public and private sectors have begun to draft one. In early 2013, President Barack Obama issued Executive Order 13636, which calls for the development of a voluntary framework that would help manage the cybersecurity risk for our most critical infrastructure. In early 2014, following an industry-led period of discussion and collaboration, the National Institute of Standards and Technology issued Version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. The goal is to create an open, business-centric framework for managing digital risk that provides guidance to organizations of any size, risk profile or cybersecurity sophistication.

The framework consists of three parts: the Core, Implementation Tiers and Profile. In overly simplistic terms, those elements provide a structure for thinking about managing cybersecurity risk (Core), benchmarking an organization's risk management practices and needs (Implementation Tiers), and creating a road map for achieving an organization's desired risk management maturity (Profile).

The Core delineates five key functions of an effective cybersecurity risk management program: identify, protect, detect, respond and recover.

  • "Identify" refers to understanding the business impact of an organization's digital resources and the risks associated with the compromise of those resources.
  • "Protect" refers to the element of cybersecurity on which we traditionally focus: the processes and technology controls designed to reduce our exposure to digital risk.
  • "Detect" has risen in importance in recent years as it has become clear that preventing cyberattacks is a quixotic task and that rapid detection contributes to greater risk reduction.
  • "Respond" is the necessary next step after detection and refers to an organization taking action to stop or remediate an attack.
  • "Recover" refers to ensuring business continuity or restoration after a security event.

Those functions are further broken down into categories and subcategories of cybersecurity outcomes at the programmatic, management and technical levels.

The Implementation Tiers describe four levels of cybersecurity risk management sophistication:

  • Tier 1 (Partial) describes organizations whose cyber risk management processes are not formalized and for whom risk is managed on an ad hoc basis. In Tier 1 organizations, cybersecurity risk is frequently viewed as "something that IT handles," and there is little to no collaboration on cybersecurity issues with external organizations.
  • Tier 2 (Risk Informed) describes organizations for whom cybersecurity risk management has become a high-level concern but one that is still concentrated in the hands of an IT department. Those organizations have begun to create initial policy and to consider their role in the larger industry response to cybersecurity risk.
  • Tier 3 (Repeatable) describes organizations with coherent risk management policies and practices that are understood and implemented across the organization. Such organizations are connected to the larger industry effort to address cybersecurity risk and benefit from the information shared by their industry partners.
  • Tier 4 (Adaptive) describes organizations whose cybersecurity risk management is continuously improving due to the application of lessons learned from their own and third parties' experiences. Organizationally, Tier 4 companies have made cybersecurity risk management part of their corporate culture and actively contribute risk information to larger industry efforts.

The Implementation Tiers must not be seen as a hierarchy through which organizations should progress over time. They describe different levels of sophistication based on the business context and needs of an organization. Some businesses might quite satisfactorily remain at Tier 1 because they do not require any greater degree of risk management sophistication. Each organization must review its own business context and decide which tier is right for its business needs.

The Profile consists of a snapshot of an organization's business needs, digital resources and risk assessment against the backdrop of the Core's functions, categories and subcategories. The profile can be a snapshot of the current state of the organization or of its desired state -- or one of each. Taken together, those two profiles provide a road map for improving an organization's cybersecurity stance: the gap between them is the work to be done. Organizations can develop multiple profiles to match different geographies, markets or other needs.

Many organizations might already be pursuing a cybersecurity road map as a stand-alone project or as part of larger initiatives -- such as the ISO 27000 series of standards, COBIT 5 and even NIST's SP 800 series -- and many elements of the various standards overlap. Two common questions are: What's different about the framework, and what makes it preferable to other standards and specifications?

The answer depends on your particular context. The framework's primary benefit is that its support by industry and the federal government gives it the best chance of being both guided by current industry best practices and aligned with government experience and regulatory intent. For those already working toward compliance with a different standard, the good news is that the framework is intended to complement other standards. As mentioned above, there is overlap between the standards, so compliance with one can mean compliance with the other.

The challenge for many organizations is translating the framework and other standards into an action plan that results in a stronger cybersecurity stance in the real world. The framework provides a structure and process for understanding an organization's cybersecurity risk and guidance for how to reduce that risk, but it does not specify the actions to be taken along that path. There are, of course, many paths to that ultimate goal.

As a first step, an organization could use its own internal resources to assess itself against the framework, or officials might bring in an outside expert to review their capabilities. After that, organizations should be able to determine their risk levels and -- based on variables such as regulations, reputation, competition and liability -- develop a road map to achieve the Implementation Tier that makes the most sense for their business.

Regardless of how you adopt the framework (or any other standard), the important thing is to begin now. The threat landscape has evolved and grown significantly more dangerous, and the only thing more dangerous is continuing to delay adoption of a more effective cybersecurity risk management strategy.

You should begin with a frank assessment of your business needs, the digital assets supporting those needs and the risk posed by a compromise of those assets. Then use the framework to determine your desired cybersecurity profile and chart the course to achieve it. You probably won't arrive at your desired destination tomorrow, but you will be moving in the right direction, and every day will bring you closer to your desired end state and, ultimately, make your organization more secure.
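As an added example (not from the article, NIST or the framework itself), the following Python script carries out the Profile comparison and road-map step described above: it takes a Current Profile and a Target Profile scored against a slice of the Core and produces a prioritized list of gaps. The Core slice, the 0-4 maturity scale, the profile scores and the per-function impact weights are all constructed assumptions; the subcategory IDs follow the Core's Function.Category-N naming pattern but should be checked against the published document.

```python
# Constructed slice of the Core: subcategory -> (function, category).
CORE = {
    "ID.AM-1": ("Identify", "Asset Management"),
    "PR.AC-1": ("Protect", "Access Control"),
    "DE.CM-1": ("Detect", "Continuous Monitoring"),
    "RS.RP-1": ("Respond", "Response Planning"),
    "RC.RP-1": ("Recover", "Recovery Planning"),
}
# Assumed 0-4 maturity score per subcategory (0 = not addressed, 4 = adaptive).
# The framework prescribes no numeric scale; this is the example's convention.
CURRENT_PROFILE = {"ID.AM-1": 1, "PR.AC-1": 3, "DE.CM-1": 0, "RS.RP-1": 1, "RC.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
# Constructed business-impact weight per function, from the risk assessment.
IMPACT = {"Identify": 2, "Protect": 2, "Detect": 3, "Respond": 2, "Recover": 1}


def _check(profile):
    """Reject unknown subcategories or scores outside the 0-4 scale."""
    for sub, score in profile.items():
        if sub not in CORE:
            raise ValueError(f"unknown subcategory {sub}")
        if not 0 <= score <= 4:
            raise ValueError(f"score {score} for {sub} is outside 0-4")


def gap_analysis(current, target, impact=IMPACT):
    """Road-map items for every subcategory below its target, ordered by
    impact-weighted gap (largest first), then by subcategory ID."""
    _check(current)
    _check(target)
    items = []
    for sub, want in target.items():
        have = current.get(sub, 0)  # absent from the current profile => 0
        if want > have:
            func, cat = CORE[sub]
            items.append({"subcategory": sub, "function": func, "category": cat,
                          "current": have, "target": want,
                          "priority": (want - have) * impact.get(func, 1)})
    return sorted(items, key=lambda i: (-i["priority"], i["subcategory"]))


def function_summary(current, target):
    """Per Core function: (subcategories at or above target, subcategories in target)."""
    summary = {}
    for sub, want in target.items():
        func = CORE[sub][0]
        met, total = summary.get(func, (0, 0))
        summary[func] = (met + int(current.get(sub, 0) >= want), total + 1)
    return summary
```

With the constructed data, `gap_analysis` puts the Detect gap first (the largest gap on the highest-impact function) and `function_summary` shows which functions already meet their target.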
