
Using NIST for Easier Cybersecurity Management

Corporate executives can develop enough expertise to comfortably navigate key cybersecurity risk management concepts

April 1, 2014

In last month’s column, we proposed that cybersecurity is a business necessity that requires C-Suite attention.  Security readers likely agree that thinking of cybersecurity merely as an IT issue “is similar to believing that a company’s entire workforce, from the CEO down, is just one big HR issue.” This month, we will explore how corporate executives, including the owners of small and medium businesses, can develop enough expertise to comfortably navigate key cybersecurity risk management concepts. Most important, there is no need to speak geek or to spend any money.

 

You’ve Heard of the NIST Framework. Now, Use It!

When the National Institute of Standards and Technology (NIST) does something, it tends to go all out. So, when the President of the United States asked (okay, he directed) NIST to develop a cybersecurity framework, the agency left no stone unturned.  In fact, over the course of a year, NIST worked with more than 3,000 individuals and organizations on standards, best practices and guidelines before publishing its final document.  The result is freely available at www.nist.gov/cyberframework.  Not including the Appendix, it is only 17 pages long. Surely you can find the time to read 17 pages!  

 

Strengthen Your Core

NIST developed parts of the framework as a roadmap for officer and director engagement. Specifically, the framework identifies five high-level functions to “provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines and practices.” 

After gaining an understanding of the five functions, executives might open up the conversation by asking their team these questions:

  1. How do we identify our critical data and services, and the risks associated with them?  (Look for answers involving asset management, governance and risk assessments.)
  2. How do we protect our critical data and services from harm? (Listen for a range of technical, physical and administrative controls.)
  3. What technologies and personnel do we have in place to detect a cybersecurity event that bypasses our protections?  (Consider which aspects of your network activity are continuously monitored, and whether the logs that are collected actually are reviewed.)
  4. How will we respond to a detected cybersecurity event? (At a minimum, answers should refer to and be gleaned from an Incident Response Plan.)
  5. How would we recover from a cyber incident in a timely manner? (Determine the extent of your business continuity and resilience planning and training.)

 

Tiers for Attention

NIST also proposes that businesses consider a four-tier system to help determine whether their cyber risk management processes, their enterprise-wide integration and their external partnerships are (1) only partial, ad hoc, reactive, stove-piped and insular; (2) risk-informed, prioritized, enterprise-aware and partner-aware; (3) repeatable, formalized, updated and collaborative across the enterprise and with external partners; or, (4) adaptive, continuously aware and continuously improved through lessons learned. 

Although the tier system has the look and feel of a classic maturity model, NIST rejects that term, since progression to a higher tier is encouraged only “when such a change would reduce cybersecurity risk and be cost effective.” Phrased differently, just because something can be done to lower security risk does not mean that the NIST framework requires that it be done.  This approach is quite different from, for example, a standard that would require every technically possible cybersecurity measure to be implemented.  Instead, the NIST approach implicitly acknowledges that even a good risk management process can result in a bad cybersecurity event; the unfortunate truth is that some risks never will be eliminated. Still, although NIST steers clear of requiring specific controls for specific situations, the framework offers little or no refuge to officers, directors or business owners who fail to engage actively and continuously in a detailed evaluative process.

 

Get With The Program

Putting it all together, NIST identifies a seven-step cycle for creating a cybersecurity program. The first step is for the executive team to identify organizational mission priorities, to determine the scope of systems and assets that support the selected business line or process and to make strategic decisions regarding how best to control them. Second, organizations must identify the business dependencies of their systems and assets (and those of third parties), together with legal requirements, threat actor intelligence and identified vulnerabilities.  Third, organizations should create a current profile regarding each of the five high-level “core” functions discussed earlier. Fourth, organizations should conduct a risk assessment that incorporates “emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.”  Fifth, the organization is to develop a target profile of desired cybersecurity outcomes, followed by the sixth stage of determining, analyzing and prioritizing the gaps between the company’s current and target profiles. The seventh step is for the organization to develop and implement an action plan to reduce the gaps.  Then, repeat.

 

Conclusion

If cybersecurity is not already the focus of your C-Suite, it soon will be. Although the benefits of the NIST framework are not limited to the cyber uninitiated, it certainly offers them an excellent place to start.  

 

About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a big-data cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, cyber security assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. 
