The State of Cybersecurity
With reports of data breaches now a common occurrence, it is not a matter of 'if' an organisation will experience a security incident but 'when'. Of even greater concern is the average cost of a data breach, USD$8.64M (US) according to the IBM/Ponemon Institute's Cost of a Data Breach Report 2020. Any business with an online presence needs to ensure that robust governance and risk management processes are in place to manage network security and its associated vulnerabilities. The increasing sophistication of attacks also means organisations must think beyond password authentication schemes, antivirus software and firewalls.
The degree of complexity involved in integrating sound security practices into existing governance frameworks has, however, been challenging for many. This is particularly so given that IT assets, processes and infrastructure have become increasingly interconnected - not to mention expansive, given the growth of cloud computing.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) seeks to address the above issues by taking a risk-based approach – incorporating business drivers, flexibility, customisability and measures applicable to both the public and private sectors. Key to its wide adoption has been the framework's ability to address governance concerns equally at the very top executive levels and all the way down to the individual employees tasked with implementing or adhering to security policies and procedures.
How do you implement it?
There are three major components to the NIST Cybersecurity Framework.
- Framework Core or Key Functions, comprising activities, outcomes and references common to all organisations. These include:
  - IDENTIFY - encompassing activities designed to help organisations better identify, understand and manage cybersecurity risks to systems, assets, people, data and capabilities
  - PROTECT - encompassing activities and strategies to safeguard critical services
  - DETECT - encompassing activities to identify suspicious activity
  - RESPOND - encompassing activities to undertake when an identified cybersecurity event occurs
  - RECOVER - encompassing activities to maintain, restore and build resilience after a cybersecurity event
- Framework Tiers, to help delineate how mature an organisation is in its cybersecurity practices – based on its risk management processes, integration and engagement with third parties
- Framework Profiles, to help an organisation baseline and snapshot the current and target state of its cybersecurity program
By implementing the above components into a wider enterprise risk management approach, an organisation will be able to more rationally and effectively manage its cybersecurity investments.
Other Best Practices & Considerations
Beyond the NIST Cybersecurity Framework, organisations should also consider the following:
- Periodic Baselining, Benchmarking & Auditing – With the rapid pace of change driven by digital innovation, IT ecosystems are constantly evolving. These changes increase the challenge for governance, as new platforms, systems and services are continually updated, introduced and replaced. Assets defined 12 months ago may no longer exist in another month. Being able to baseline, benchmark and continually assess this is vital to ensuring a realistic appraisal of cybersecurity threats and vulnerabilities.
- Governance Framework Integration – A cybersecurity framework is only as effective as its level of adoption within an organisation. Embedding the NIST Cybersecurity Framework into a broader IT governance framework (such as COBIT) allows stakeholders to apply the processes and tools they have already developed. This can help overcome uptake inertia while taking advantage of the alignment goals and holistic approaches espoused by such enterprise frameworks.
- Automation of Incident Response Processes – With data breach notification now mandatory in many countries, companies should consider how cybersecurity incident management can be automated. Regulatory reporting deadlines may mean an organisation has only a limited amount of time from when an incident is recognised to when it must be reported to authorities and, potentially, to those affected.
- Cybersecurity Insurance – Given the wide scope of potential vulnerabilities and threats that cybersecurity must address, many businesses may decide that some risks cannot be avoided or mitigated. Cybersecurity insurance is a way to transfer those risks and may be a viable option for small to medium businesses with fewer resources and options available.