Cybersecurity is a Function, Not a Goal
Cybersecurity is a function. It is not an end state, objective, achievement or goal. Cybersecurity is an inherent function in all modern business transactions. Therefore, organizations need to assess and manage the scope, efficiency and effectiveness of performing the function of cybersecurity. Unlike in the late 1990s and early 2000s, today there is substantial documentation on methodical and repeatable strategies to execute the function of cybersecurity. The most recent strategy is expressed in the form of the NIST Cybersecurity Framework.
NIST Cybersecurity Framework
"The Framework provides a common organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can serve as a model for international cooperation on strengthening cybersecurity in critical infrastructure as well as other sectors and communities." NIST Cybersecurity Framework v1.1, pg. v-vi (April 16, 2018).
The Framework defines five Core cybersecurity functions:
- Identify - Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect - Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect - Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond - Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover - Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
NIST Cybersecurity Framework v1.1, pg. 7-8 (April 16, 2018).
The Framework further subdivides each Core function into the following:
- Categories - Categories define and group the cybersecurity outcomes for each Core function.
- Sub-Categories - Sub-categories define the specific technical and/or management outcomes of each cybersecurity category.
NIST Cybersecurity Framework v1.1, pg. 7 (April 16, 2018).
For example, below is a screenshot of the Core function of DETECT and a subset of its associated categories and sub-categories.
NIST Cybersecurity Framework v1.1, pg. 38-39 (April 16, 2018).
The Framework also describes recommended approaches to using it, comprising a seven-step process that results in identifying a goal state of cybersecurity, developing a plan of action and eventually reaching a certain level of maturity. Use of the Framework is expected to be tailored to fit your needs. Generally, I have found the Framework useful for:
- Assessing the current maturity of an organization's cybersecurity function.
- Clarifying which cybersecurity activities are most relevant to an organization.
- Prioritizing cybersecurity activities for implementation.
- Communicating the maturity of an organization's cybersecurity function.
The Framework is a useful tool to determine the current maturity level of the cybersecurity function in your organization by iterating over each Core function, category and subcategory to assess to what extent the activity is being conducted today. To accomplish this effectively, assess each business function (or department) within an organization separately. For example, assess the accounting department and the human resources department separately. Although these departments may share some information technology infrastructure, their business, application and regulatory requirements are likely different; otherwise, the organization would not have defined them as separate departments. Accordingly, their cybersecurity requirements will be different. A common misconception is that cybersecurity applies to information technology, when it actually applies to the business.
Therefore, the Framework is most effective when the scope of the assets, applications, information, technology and infrastructure being assessed share the same business and security requirements. Treating and assessing business departments separately will yield the most informative and relevant assessment to each business unit and the organization as a whole. At the end of the assessment, the organization should understand their business requirements for cybersecurity and the extent to which the activities are being conducted.
While conducting an assessment, business and information technology stakeholders are involved. A beneficial byproduct of an assessment using the Framework is that the stakeholders learn about cybersecurity best practices they were not previously aware of. In addition, the stakeholders now have the opportunity to determine which cybersecurity activities best support their business and security requirements. The final product is a clear enumeration of which cybersecurity activities require resources and implementation.
Upon clarifying the required cybersecurity activities and the level of resources required, the organization can then prioritize implementation based on business requirements. For example, regulatory deadlines may prioritize some activities over others. Budget availability may also prioritize immediately achievable activities while larger, long-term funded projects are developed and approved. In addition, because business and security requirements have been clarified, dependencies among projects may also prioritize precursor activities necessary to achieve another activity. Other factors to consider in prioritization are the business environment and management buy-in. Certain cybersecurity activities may disrupt the culture of the organization, which may ultimately affect revenue-generating activities. Management may not concur with your assessments and may require additional information before prioritizing a cybersecurity activity. Regardless of the prioritization process and factors, the activities being prioritized are based on the best practices identified in the Framework and supported by industry-standard references.
One of the most difficult tasks for an information security manager is communicating the state of an organization's cybersecurity function. Consistency from concept to specific terminology is extremely effective. Therefore, your reporting structure should directly follow the format used in assessing, clarifying and prioritizing cybersecurity activities in the organization. Follow the same format used in the Framework and include metrics that directly relate to the Core functions, categories and subcategories. For example, here are some suggested metrics to report relating to the DETECT function and its subset of categories and sub-categories listed above:
- # of Internet Ingress/Egress Points
- % of Internet Ingress/Egress Points protected by Intrusion Detection/Prevention Devices (e.g. firewalls, IDS/IPS, etc.)
- % of Internet Ingress/Egress Points monitored by the security operations center
- # of Critical Physical Ingress/Egress Points
- % of Critical Physical Ingress/Egress Points with Network Monitoring
- % of Critical Physical Ingress/Egress Points monitored by the security operations center
- # of Identity Access Management Servers
- % of IAM Servers sending logs to the security operations center
- # of Identified Use Cases of Personnel-related Cybersecurity Events (e.g. anomalous logons, etc.)
- % of Identified Use Cases Implemented as Alerts in the security operations center
- # of Personnel-related Cybersecurity Events triggered, handled and reported as incidents
- # of Malware-related Events triggered, handled and reported as incidents
- # of Managed Devices
- # of Managed Devices identified/reached by the latest vulnerability scanning
- # of Managed Devices not scanned for vulnerabilities in the last 45 days
- # of Managed Devices with high vulnerability alerts grouped by business unit (e.g. accounting, HR, operations) and device type
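The metrics above are only useful if they are computed the same way every reporting period. The following is an added example, not code from the article or from NIST, showing how the ingress-point and managed-device metrics in that list can be derived from an asset inventory; the inventory rows, field names and the 45-day staleness window are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample inventory (not from any real environment).
INGRESS_POINTS = [
    {"name": "dc1-internet", "ids": True, "soc_monitored": True},
    {"name": "dc2-internet", "ids": True, "soc_monitored": False},
    {"name": "branch-dsl", "ids": False, "soc_monitored": False},
]
DEVICES = [
    {"host": "acct-ws-01", "unit": "accounting", "type": "workstation", "last_scan": date(2018, 6, 1), "high_vulns": 2},
    {"host": "acct-ws-02", "unit": "accounting", "type": "workstation", "last_scan": date(2018, 6, 1), "high_vulns": 0},
    {"host": "hr-srv-01", "unit": "hr", "type": "server", "last_scan": date(2018, 4, 1), "high_vulns": 1},
    {"host": "ops-srv-01", "unit": "operations", "type": "server", "last_scan": date(2018, 5, 20), "high_vulns": 3},
    {"host": "ops-srv-02", "unit": "operations", "type": "server", "last_scan": date(2018, 6, 1), "high_vulns": 0},
]
AS_OF = date(2018, 6, 4)  # reporting date for the sample

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def ingress_metrics(points):
    """Count of Internet ingress/egress points and the share protected/monitored."""
    n = len(points)
    return {
        "ingress_points": n,
        "pct_with_ids_ips": pct(sum(p["ids"] for p in points), n),
        "pct_soc_monitored": pct(sum(p["soc_monitored"] for p in points), n),
    }

def device_metrics(devices, as_of, stale_days=45):
    """Managed-device scanning and high-vulnerability metrics for DETECT reporting."""
    latest = max(d["last_scan"] for d in devices)          # date of the latest scan run
    cutoff = as_of - timedelta(days=stale_days)            # anything older is stale
    reached = sum(1 for d in devices if d["last_scan"] == latest)
    stale = sorted(d["host"] for d in devices if d["last_scan"] < cutoff)
    # High-vulnerability devices grouped by business unit and device type
    high = Counter((d["unit"], d["type"]) for d in devices if d["high_vulns"] > 0)
    return {
        "managed_devices": len(devices),
        "reached_by_latest_scan": reached,
        "not_scanned_in_window": stale,
        "high_vuln_by_unit_and_type": dict(high),
    }

if __name__ == "__main__":
    print(ingress_metrics(INGRESS_POINTS))
    print(device_metrics(DEVICES, AS_OF))
```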
In addition, I would also recommend that your presentations on the cybersecurity function be arranged to follow the Framework Core functions of Identify, Protect, Detect, Respond and Recover. Report on the relevant activities, status, performance and projects for each Core function for the last reporting period. This consistency in the use of the Framework will go a long way toward ensuring cybersecurity is consistently applied and understood throughout the organization.
Remember, cybersecurity is not a goal. It is a function that needs to be refined to adjust to changing business requirements. Therefore, it is imperative to repeat (annually or quarterly) the process of using the Framework to assess, clarify, prioritize and communicate your organization's cybersecurity function and associated activities.