A recent report from the cybersecurity firm Barkly, on results from a survey they conducted of IT professionals and IT executives, found that while the IT professionals who have direct responsible for cybersecurity feel their organizations are vulnerable, the executives from those organizations are significantly more confident that things in general are fine. For their Cybersecurity Confidence Report[1], Barkly surveyed of 350 IT professionals and found that 50 percent are not confident in their current security products or solutions.

IT pros feel they cannot measure the effectiveness of their existing cybersecurity solutions. 50% said they were not confident in their current security products or solutions. One third said they didn’t know if their organization had been breached, and the rest reported an average of 2.7 breaches.

While the IT pros feel improving security is essential, they are so busy that it becomes just another item on their to-do list. While the executives spend twice as much time on security issues as the staff.

The survey also found that the IT pros feel more end user training and awareness would be helpful while the execs think they should invest in technology solutions. Why the disconnect?

I suspect that these organizations have not gone through a process of defining their cybersecurity system. The execs think cobbling together random bits of technology will solve the problem. The IT pros who are already overloaded with things to do have yet another ‘point product’ to integrate into their IT environment and find time to configure and manage. Now, there are lots of vendors who will come in and tout their point solution as the solution for the point product management problem. Probably Barkly is one of them. But how do you know what you need? How do you know what you key issues are?

The execs and the IT pros do not have any agreement of what their priorities need to be. The IT pros are trying to keep things running and the execs are working the ‘big picture’. They need a shared description of the problem and agreed upon set of priorities and a roadmap to get from where they are with cybersecurity to their target state. They should learn to use the Federal Cybersecurity Framework. [2]

The Federal Cybersecurity Framework is two years old this year, having been developed by the US NIST during 2013 in response to Presidential Executive Order 13636[3] to develop “a framework to reduce cyber risks to critical infrastructure”. In February 2014 NIST released the first version of the “Framework for Improving Critical Infrastructure Cybersecurity”[4,5]. The Framework is based on the use of risk management principles for cybersecurity, and is commonly referred to as the Cybersecurity Framework or CSF. The CSF consists of standards, guidelines, and practices to promote cybersecurity protection of critical infrastructure.

Developed in close cooperation with the private sector (agencies, industry, academia and associations), the CSF defines is a risk-based methodology for managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The CSF is based on a connection between business drivers and cybersecurity activities. Ideally, the CSF would be incorporated as part of an ongoing cybersecurity and risk management process improvement program.

NIST describes the following steps in using the CSF to implement a cybersecurity system:

1. Identify business/mission objectives (scope) and high-level organizational priorities.
2. Identify related systems and assets, regulatory requirements, and overall risk approach; identify threats to, and vulnerabilities of systems and assets.
3. Develop a Current Profile indicating which Category and Subcategory outcomes are currently being achieved.
4. Conduct a Risk Assessment. Per organization’s overall risk management process.
5. Create a Target Profile of the Categories and Subcategories describing the organization’s desired cybersecurity outcomes.
6. Determine, Analyze, and Prioritize Gaps. Compare the Current Profile and the Target Profile to determine gaps and create a prioritized action plan.
7. Implement Action Plan. Take actions in regards to the gaps, if any, and monitor current cybersecurity practices against the Target Profile.

By using the CSF, an organization would have identified it business drivers for cybersecurity, its priorities, what cybersecurity outcomes and controls are required, what it is currently doing and what it wants or needs to be doing and would be able to develop a roadmap and plan to get there. The execs and the IT pros would then both know what they should be doing And could work together to provide an enhanced cybersecurity system solution tailored to the business, and stop cobbling together ‘point products’.

References:

1. Barkly Cybersecurity Confidence Report

http://cdn2.hubspot.net/hubfs/468115/Barkly_Cybersecurity_Confidence_Report.pdf

2. #25 – CYBER RISK FRAMEWORKS – ED PERKINS

https://insights.cermacademy.com/2013/09/25-cyber-risk-framework-update-ed-perkins/#more-2621

3. Presidential Executive Order 13636

http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity and https://www.federalregister.gov/executive-order/13636

4. NIST Cybersecurity Framework portal

http://www.nist.gov/itl/cyberframework.cfm

5. Framework for Improving Critical Infrastructure Cybersecurity (document)

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf