Define Cybersecurity Before You Can Refine Your Efforts

This article was co-authored by Paul Johnson, senior manager of Wipfli LLP’s risk advisory services practice.

The term “cybersecurity” is often broadly used to mean many things. Is it protecting your data against hackers? Is it ensuring smart password protection? Is it taking steps to reduce the risks to software, computers and networks?

The answer is “yes” to all of the above. However, if your organization’s definition of cybersecurity stops at any of these statements, then consider these sobering facts on how breaches commonly occur:

– 76% exploit weak or stolen credentials
– 52% use some form of hacking
– 40% incorporate malware
– 35% involve physical attacks
– 29% employ social tactics
– 13% involve privilege misuse1

Clearly, focusing solely on tools and technical solutions that support cybersecurity, while failing to overlook the many human factors and policies that are a part of the equation, cannot suffice, either as a definition or as a successful strategy. Threats and incidents can occur at any corner or level of your organization, making the best definition of cybersecurity one that includes the comprehensive and multidisciplinary approach necessary for effectively securing data on every front.

And the most constructive place to start is with the “framework.”

Refine Your Cybersecurity Program

For Starters, Follow the Framework

The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, released the “Framework for Improving Critical Infrastructure Cybersecurity” in 2014. Voluntary and risk-based, it provides a set of standards and best practices to help organizations — regardless of their size or degree of cybersecurity sophistication — create, guide, assess or improve their cybersecurity programs as well as the resilience of their critical infrastructures.

Much of the guidance comes in the section called “The Framework Core,” a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. The Core presents five key functions: identify, protect, detect, respond and recover. Taken together, these core functions allow any organization to better understand the life cycle of its cybersecurity risk management and more effectively shape its cybersecurity program. And it provides the foundation for establishing a sound definition of what cybersecurity should include for your organization.

It’s important to note that the framework does not replace an organization’s risk-management efforts or program; it merely complements those existing practices. Some companies may leverage the framework to identify opportunities for strengthening their cybersecurity programs; others may use the framework as a reference for establishing new programs.

Core Clarity

The five core functions, as outlined, help organize basic cybersecurity activities at their highest level. Performed concurrently and continuously, they help create an operational culture to more effectively address dynamic risks. Here’s how NIST defines each function:

1. Identify. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities. These activities are foundational for the effective use of the framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk-management strategy and business needs.

2. Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. This function supports the ability to limit or contain the impact of a potential cybersecurity event.

3. Detect. Develop and implement the appropriate activities to not only identify the occurrence of a cybersecurity event, but also enable the timely discovery of such events.

4. Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The function further supports the ability to contain the impact of a potential event.

5. Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cybersecurity event. This includes the timely recovery to normal operations to reduce the impact from an event.

Define and Refine

As you work to define cybersecurity for your organization, consider incorporating this framework. It can be a key part of your systematic process for identifying, assessing and managing cybersecurity risk and will serve as a more comprehensive foundation for defining a program with real meaning and results.

Need help enhancing or creating your own cybersecurity program?


Hewins Financial Advisors, LLC d/b/a Wipfli Hewins Investment Advisors, LLC (“Hewins”) is an investment advisor registered with the Securities and Exchange Commission under the Investment Advisers Act of 1940. Hewins is a proud affiliate of Wipfli LLP. Information pertaining to Hewins’ advisory operations, services and fees is set forth in Hewins’ current Form ADV Part 2A brochure, copies of which are available upon request or at The views expressed by the author are the author’s alone and do not necessarily represent the views of Hewins or its affiliates. The information contained in any third-party resource cited herein is not owned or controlled by Hewins, and Hewins does not guarantee the accuracy or reliability of any information that may be found in such resources. Links to any third-party resource are provided as a courtesy for reference only and are not intended to be, and do not act as, an endorsement by Hewins of the third party or any of its content or use of its content. The standard information provided in this blog is for general purposes only and should not be construed as, or used as a substitute for, financial, investment or other professional advice. If you have questions regarding your financial situation, you should consult your financial planner, investment advisor, attorney or other professional.
Jeff Olejnik


Jeff Olejnik is director of Wipfli LLP's risk advisory services practice, based in Minneapolis, MN. With more than 20 years of experience in technology and risk management, Jeff is a knowledgeable IT security services professional and helps clients manage risk through effective information security, business continuity planning and program management.

No Comments Yet

Comments are closed

Define Cybersecurity Before You Can Refine Your Efforts

time to read: 3 min