Cybersecurity is NOT just a technology problem. The majority of cyber incidents are caused by human action or inaction, and the result is a risk to business operations and perhaps to the survival of the business itself. Affected parties include shareholders, stakeholders, customers, executives, and employees of the business.
The direct costs of data breaches are well documented from many sources and news articles. The indirect costs are harder to determine and dependent on the type of business that is affected. There are steps that CEOs and every Board of Directors should take to minimize the risk to their business. It begins with adoption of a Risk Management Program.
Identifying and Measuring Risk
Risks can and should be quantified. If a business does not understand its highest-risk areas, leadership cannot make informed decisions about mitigating the highest risks to the functions most critical to the business. Everything cannot and should not be protected equally. A famous quote from Adolf Galland, a World War II German fighter pilot: “he who protects everything, protects nothing.”
Risk can be determined by understanding threats, vulnerabilities, and impact. To evaluate impact, you have to identify and understand your most critical business functions and the resources necessary to perform them (i.e., business process analysis). Quantifying threats, vulnerabilities, and impact according to their effect on these critical business processes, and on the resources needed to carry them out, produces a risk score that can be mapped onto any of a number of risk-management schemas. Risk management should take into account all hazards – natural (weather, disease outbreak, etc.) and man-made (terrorism, crime, insider threat, etc.). Cybersecurity risk management must also consider physical access controls to space, equipment, and hard-copy information. Additionally, personnel security is important for protecting against insider threats. In today’s interconnected business environment, with its heavy reliance on digital assets, cybersecurity is an ever more critical component of risk management.
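The following is an added worked illustration of the scoring idea just described; it is not a method from the article, from NIST, or from ISO. The 1-to-5 ordinal scales, the multiplicative score, the inheritance of impact from the most critical dependent business process, and the risk-acceptance threshold are all assumptions chosen for clarity, and the register entries are constructed sample data covering natural, man-made, insider, physical, and cyber hazards.

```python
"""Toy risk register: score = threat x vulnerability x impact (assumed schema).

Added example, not the article's own method. Scales, formula, threshold and the
register contents are assumptions / constructed data for illustration only.
"""
from dataclasses import dataclass

# Criticality of each business process, as a (constructed) business process
# analysis might rate it, 1 (nice to have) .. 5 (business cannot operate without it).
PROCESS_CRITICALITY = {
    "order fulfilment": 5,
    "payroll": 4,
    "internal wiki": 1,
}


@dataclass
class RiskEntry:
    hazard: str          # all-hazards view: natural, man-made, insider, physical, cyber
    resource: str        # the asset the hazard acts on
    processes: tuple     # business processes that depend on the resource
    threat: int          # likelihood the threat materialises, 1 (rare) .. 5 (expected)
    vulnerability: int   # exposure of the resource, 1 (well controlled) .. 5 (unprotected)

    @property
    def impact(self) -> int:
        # Impact is inherited from the most critical process that needs the resource.
        return max(PROCESS_CRITICALITY[p] for p in self.processes)

    @property
    def score(self) -> int:
        # Assumed schema: product of the three ordinal ratings, range 1..125.
        return self.threat * self.vulnerability * self.impact


def rank_register(register, treat_at=30):
    """Return (hazard, resource, score, decision) tuples, highest risk first.

    `treat_at` is an assumed risk-acceptance threshold set by leadership:
    entries at or above it are flagged for treatment, the rest are accepted.
    """
    ranked = sorted(register, key=lambda e: e.score, reverse=True)
    return [
        (e.hazard, e.resource, e.score, "treat" if e.score >= treat_at else "accept")
        for e in ranked
    ]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    RiskEntry("phishing leading to credential theft", "ERP server",
              ("order fulfilment", "payroll"), threat=4, vulnerability=3),
    RiskEntry("hurricane causing regional power loss", "primary data centre",
              ("order fulfilment",), threat=2, vulnerability=4),
    RiskEntry("insider misuse of payroll access", "HR database",
              ("payroll",), threat=2, vulnerability=3),
    RiskEntry("unlocked records room holding hard-copy CUI", "paper archive",
              ("order fulfilment",), threat=3, vulnerability=4),
    RiskEntry("defacement of internal wiki", "wiki host",
              ("internal wiki",), threat=3, vulnerability=5),
]

if __name__ == "__main__":
    for hazard, resource, score, decision in rank_register(SAMPLE_REGISTER):
        print(f"{score:3d}  {decision:6s}  {hazard} -> {resource}")
```

Note how the wiki host carries the highest vulnerability rating in the register yet lands at the bottom of the ranking, because no critical process depends on it, while the unlocked records room, a purely physical hazard, scores the same as the phishing scenario. That is the point of scoring against business processes rather than against technical severity alone: it tells leadership where not to spend as clearly as where to spend.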
Standards and Controls
ISO and NIST. There are a number of industry security standards and controls from ISO and NIST that address and can guide cybersecurity and risk management. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a solid foundation for best business practices. The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information. There are existing ways to crosswalk the controls to tailor specific approaches to address business risk profile and achieve compliance.
For organizations supporting government activities, NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, describes fourteen (14) families of controls that constitute a comprehensive cybersecurity best practice for any business. (Compliance is required of Department of Defense (DoD) contractors under the Defense Federal Acquisition Regulation Supplement (DFARS) by December 31, 2017.) Civilian government contractors are expected to have to comply with these requirements during 2018 based on the Federal Register publication, and the requirements are anticipated to be included in the Federal Acquisition Regulation (FAR). The CUI program is an extended derivative of the larger and more comprehensive Federal Information Security Management Act (FISMA) Implementation Project.
The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents include NIST SPs 800-37, 800-53, and 800-53A.
Compliance with any of these identified standards includes a human element for risk management. The controls and standards require much more than technology to monitor and manage information security. Compliance requires establishment of governance, policy, implementation of procedures, evidence of practice, and a continuous assessment of security and risk.
Enterprise Security Risk Management (ESRM). As defined by ASIS International, ESRM is a management process used to effectively manage security risks, both proactively and reactively, across an enterprise. ESRM continuously assesses the full scope of security-related risks to an organization and within the enterprise’s complete portfolio of assets. The management process quantifies threats, develops business impact analyses, establishes mitigation plans, identifies risk acceptance practices, manages incidents, and guides risk owners in developing remediation efforts.
As evidenced by recent news, even with a comprehensive cybersecurity program, it is highly likely that organizations will be involved in an information/cyber security incident. Organizations must prepare for and mitigate exposure to corporate risks, to include risks to shareholders, stakeholders, customers, executives, and employees of the business.
If your organization is struggling with adoption of a cybersecurity or other security/compliance program, let Zofia Consulting help you develop and implement the program within a broader business risk management approach. Doing so now will help leadership navigate business operations with a more mindful and prepared posture.
Mark Tanner is a senior advisor for Zofia Consulting and a senior executive with a wide range of experience in law enforcement, intelligence, and business. As a Special Agent of the Federal Bureau of Investigation (FBI) he led criminal and counterterrorism programs, including Southwest Border Initiatives in Arizona and the Foreign Terrorist Tracking Task Force (FTTTF) established after 9/11. He established the FBI’s Office of the Chief Information Officer (CIO) while serving as the deputy CIO, where he was responsible for enterprise architecture and was the accrediting authority for FBI systems. Following a 23-year career with the FBI, he has held director and executive level positions in small, medium, and large companies.
Mark manages security-related areas such as continuity of operations and information security, including audits and compliance with NIST Special Publication 800-53 security and privacy controls, as well as SP 800-171 for Controlled Unclassified Information (CUI). He also serves as Co-Chair of the FBI InfraGard Cyber Security Special Interest Group (Cyber SIG) for the National Capital Region Members Alliance.
Mark Tanner holds an accounting degree from East Carolina University and is a Certified Protection Professional (CPP). Federal Computer Week magazine recognized and highlighted Mr. Tanner as one of the ten “new IT leaders” in the federal government, and he was a finalist for the Citigroup Smith Barney CIO of the Year Award.
Contact Zofia Consulting, or contact Mark directly at email@example.com
Zofia Consulting Compliance Advisory Services
- Information Security Management System (ISMS)
- ISO 27000 Series, NIST SP 800-53, NIST SP 800-171 Compliance
- Cybersecurity Framework
- Business Continuity Management System (BCMS)
- Federal Continuity Directives (FCD) 1 & 2
- Incident Reporting and Response
- CUI Strategy Development and Implementation