This is the second in a recurring series that explores the cybersecurity principles and best practices found within the National Institute of Standards & Technology Cybersecurity Framework. You may recall from last month’s column that NIST organizes cybersecurity risk management into five high-level functions: Identify, Protect, Detect, Respond and Recover.
Placed within the Identify function is a category labeled “business environment,” which refers to an organization’s ability to inform its cybersecurity roles, responsibilities, and risk management decisions with a solid understanding and prioritization of its corporate mission, objectives, stakeholders and business activities. In short, business-specific needs should drive every network security program.
If your security program is not tailored to what your company does and what your company has, your organization is bound to be doing too little in some areas and perhaps even too much in others. I refer to this problem as having flat security. Mature security programs by contrast, to include both physical and cyber, consider and deploy different levels of controls (and different levels of spending) based on a continuous review of their business environment.
Unfortunately, many if not most companies fail to achieve this NIST Framework outcome. Consider the findings of one widely reported performance management survey, conducted by author William Schiemann, in which only 14 percent of employees properly understood their company’s overall strategy and direction.
If these characteristics strike a chord within your organization, you would do well to ask whether your Information Technology security personnel fall within the smaller group of employees who are in the know, or instead join the nearly nine out of 10 employees who haven’t been adequately informed of – and whose compensation isn’t tied to – your overall corporate goals. Senior leadership and Boards aren’t off the hook either. Every level of an organization must get educated and stay focused on the relationship between business and security. Has anyone in your company with either a business development, audit or risk role reviewed your security strategy to ensure it is customized to meet the differing business demands (to include legal requirements) of protecting confidentiality, integrity and availability where it matters most?
The NIST Framework provides guidance on how to achieve this alignment, and it starts at the top. A company should consider establishing and then communicating not only its mission priorities and objectives in relation to the security controls that matter most, but also where it fits within the critical infrastructure or industry sectors; its dependencies, critical functions and resilience requirements for the protection and delivery of its core services; and its role in the supply chain.
We all know that perfect security throughout the whole of your enterprise can never be achieved, and there is no end to the amount of money that can be poured into the quest. Fortunately, good risk management focuses instead on smart security which, when properly implemented, is driven by your business environment.