What Leaders Can Do to Protect Organizations Against Cyber Attacks


by Jacqueline Calhoun, NIST Blogrige

Leadership Responsibility

Leaders today must learn how to proactively increase the chances of protecting their organizations and customers from the ever-increasing threat of cyberattacks. That’s because an organization’s leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. As Microsoft founder Bill Gates stated, “Security is, I would say, our top priority because for all of the exciting things you…do with computers, organizing our lives, staying in touch with people, being creative—if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed. People won’t use their credit cards quite as much and buy things, and so it’s really the thing we got to get right so that people don’t think about it.”

Are Leaders Ready?

According to a recent Harvard Law School Forum on Corporate Governance and Financial Regulation article, “Many companies now have in place technology designed to identify anomalies and threats. They also likely have written policies and procedures intended to provide a roadmap in the event that a cybersecurity incident occurs. All these tools and written procedures may well be ‘state of the art’ in that they may reflect and embody what is understood to be general best practices. But as with any system or written policies, they alone may be insufficient to address the risks.”

So how do leaders know if they are doing enough to address cybersecurity risks? One way to find out is to assess the organization’s cybersecurity performance using the Baldrige Cybersecurity Excellence Builder (BCEB).

The BCEB Can Help

The BCEB is a voluntary self-assessment tool that enables an organization to better understand the effectiveness of its cybersecurity risk-management efforts. It helps the organization identify strengths and opportunities for improvement in managing cybersecurity risk based on the organization’s operational and strategic objectives, as well as the needs and expectations of key stakeholders.

Chart showing relationship between the Framework for Improving Critical Infrastructure Cybersecurity and the Baldrige Excellence Framework for the Baldrige Cybersecurity Excellence Builder.

The BCEB combines concepts from NIST’s Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework, Version 1.1, NIST CSF) and the Baldrige Excellence Framework. Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. Through interrelated sets of open-ended questions, it encourages leaders to use the approaches that best fit their organizations and effectively address their most important cybersecurity needs.

Defining Leaders

The BCEB defines leaders as an organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations.

The “Leadership” item in the BCEB asks how the personal actions of an organization’s senior leaders and cybersecurity leaders, as well as the characteristics of its governance system, demonstrate and reinforce accountability, and guide and sustain its cybersecurity policies and operations. Following are questions from the two key areas of leadership in this item:

1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?

1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?

Assessment Scope

Below are some key steps to help an organization get started conducting a self-assessment of its cybersecurity program. First, leaders may want to determine if the self-assessment will cover the full organization, a subunit, or parts of an organization. It would be beneficial to select individuals with leadership and facilitation skills who have widespread knowledge of the cybersecurity management system to lead the effort by serving as “champions.”

Figure: Steps to using the BCEB: Scope, Organizational Context, Process Questions, Results Questions, Assess Responses, Prioritize Actions, Develop Plan, Measure and Evaluate Progress.

Getting Started

  1. Read the BCEB from cover to cover. It’s a short, easy-to-read booklet and includes additional information on how to perform an assessment.
  2. Respond to the questions in the Organizational Context section. This will help ensure that you are focusing on your most critical needs. If you identify important topics for which you have conflicting, little, or no information, you may want to get clarity on these before moving on.
  3. Answer the process questions (categories 1-6) to document your organization’s key cybersecurity-related processes. Then answer the results questions (category 7), which will help you understand the effectiveness and impact of your cybersecurity efforts. In completing the questions, you may discover blind spots in the cybersecurity management system that you have not considered, or areas where you should place additional emphasis.
  4. Assess your responses by using the assessment rubric. The rubric will help you to assess your cybersecurity risk management program’s maturity level and determine if your processes and results are reactive, early, developing, mature, leading, or exemplary.
  5. Prioritize your actions and develop an action plan. Use the self-analysis worksheet to indicate the importance (high, medium, low) of each item to the successful management of cybersecurity within your organization. Prioritization will help you develop an action plan that most effectively uses resources.
  6. Measure and evaluate your progress in achieving specific improvement goals. As you continue to use the BCEB, you will learn more about your organization and begin to define the ways to build on your strengths, close gaps, and innovate.

Not Ready, Start Here

If your organization is not ready to complete the full self-assessment after completing the Organizational Context, consider doing a self-assessment using just one category or item in which you need improvement. Answer the individual questions in the selected category; then, when ready, conduct a full self-assessment to reveal key linkages between your chosen category and the other items. This will enable you to gain a systems perspective as embodied in the seven integrated categories.

Of course, leaders have numerous other options to select from to achieve the objective of improving their organization’s cybersecurity management system. But by taking a Baldrige-based approach to self-assessment, the organization—no matter its sector or size—will be on the way to improvement and cybersecurity excellence.

Cybersecurity Webcast: What's Up Next?

View the webcast for a brief overview on integrating the BCEB with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Start learning about the BCEB as you begin to plan for a self-assessment of your cybersecurity risk management system.

Courtesy of NIST Blogrige, www.nist.gov/blogs/blogrige
