This article was co-authored by Paul Johnson, senior manager of Wipfli LLP’s risk advisory services practice.
The term “cybersecurity” is often broadly used to mean many things. Is it protecting your data against hackers? Is it ensuring smart password protection? Is it taking steps to reduce the risks to software, computers and networks?
The answer is “yes” to all of the above. However, if your organization’s definition of cybersecurity stops at any of these statements, then consider these sobering facts on how breaches commonly occur:
– 76% exploit weak or stolen credentials
– 52% use some form of hacking
– 40% incorporate malware
– 35% involve physical attacks
– 29% employ social tactics
– 13% involve privilege misuse1
Clearly, focusing solely on tools and technical solutions that support cybersecurity, while overlooking the many human factors and policies that are part of the equation, cannot suffice, either as a definition or as a successful strategy. Threats and incidents can occur at any corner or level of your organization, so the best definition of cybersecurity is one that includes the comprehensive and multidisciplinary approach necessary for effectively securing data on every front.
And the most constructive place to start is with the “framework.”
For Starters, Follow the Framework
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, released the “Framework for Improving Critical Infrastructure Cybersecurity” in 2014. Voluntary and risk-based, it provides a set of standards and best practices to help organizations — regardless of their size or degree of cybersecurity sophistication — create, guide, assess or improve their cybersecurity programs as well as the resilience of their critical infrastructures.
Much of the guidance comes in the section called “The Framework Core,” a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. The Core presents five key functions: identify, protect, detect, respond and recover. Taken together, these core functions allow any organization to better understand the life cycle of its cybersecurity risk management and more effectively shape its cybersecurity program. And it provides the foundation for establishing a sound definition of what cybersecurity should include for your organization.
It’s important to note that the framework does not replace an organization’s risk-management efforts or program; it merely complements those existing practices. Some companies may leverage the framework to identify opportunities for strengthening their cybersecurity programs; others may use the framework as a reference for establishing new programs.
The five core functions, as outlined, help organize basic cybersecurity activities at their highest level. Performed concurrently and continuously, they help create an operational culture to more effectively address dynamic risks. Here’s how NIST defines each function:
1. Identify. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities. These activities are foundational for the effective use of the framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk-management strategy and business needs.
2. Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. This function supports the ability to limit or contain the impact of a potential cybersecurity event.
3. Detect. Develop and implement the appropriate activities to not only identify the occurrence of a cybersecurity event, but also enable the timely discovery of such events.
4. Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The function further supports the ability to contain the impact of a potential event.
5. Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cybersecurity event. This includes the timely recovery to normal operations to reduce the impact from an event.
Define and Refine
As you work to define cybersecurity for your organization, consider incorporating this framework. It can be a key part of your systematic process for identifying, assessing and managing cybersecurity risk and will serve as a more comprehensive foundation for defining a program with real meaning and results.