As organizations continue to embrace digitization, security teams are faced with the challenge of keeping the enterprise secure while empowering growth and innovation. Many CISOs today are faced with developing digital risk management strategies that encompass these new technologies, and it can be difficult to know where to start. That is where frameworks help - they are the foundation on which organizations build and iterate their digital security programs.
Security leaders have used security frameworks to guide their strategies since these frameworks were first published. ISO published its first iteration in the late ’80s, and since then, multiple frameworks have been brought into the fold. The fundamental principle of these frameworks is that businesses often use the same or similar technologies to support their business, and as a result, the industry can develop standards that all organizations should follow.
For the late 20th and early 21st centuries, this approach made sense: the market for information technology was largely underdeveloped, and the options were limited. Relying heavily on frameworks and compliance made the most sense, saving time and resources by focusing on checking boxes instead of dedicating personnel to a risk-based approach. Today, though, we face a new challenge: digital business and digital transformations have completely changed how security professionals need to approach information security.
Digital Risk Management Frameworks
The fact is that developing a new framework takes time, and given the breakneck speed of innovation and new technologies coming to market, developing a framework based solely on the technologies of today would be folly.
A Digital Risk Management Framework Needs…
More than anything, when selecting a framework to guide your cyber risk management strategy, you must seek out frameworks that deliver flexibility and scalability to support future technologies. We are only just now starting to see that legacy technologies and approaches to cybersecurity are the biggest openings for an attack.
Of the frameworks that exist today, the NIST Cybersecurity Framework delivers the most flexible approach. Since the NIST CSF is a voluntary framework and is based on guidelines and best practices, it offers more flexibility in application than other frameworks. Given that a digital security risk management framework requires flexibility to support the further development of the entire organization, the NIST CSF in part can augment an existing digital risk management strategy.
A framework applied to digital risk management must also support scalability. The rapid adoption of new technologies across an entire organization is only going to accelerate. Business units can test and trial more potential solutions than ever before, and with new platforms automating aspects of a business unit, a digital risk management framework must be able to scale as these new products hit the market. Scalability here means that the digital risk management framework can support the uncertainty of new solutions for your organization.
Given its voluntary nature and its proven track record of supporting organizations of all sizes, we recommend looking into the NIST CSF again. We have seen organizations from small businesses to Fortune 500 organizations adopt facets of the CSF to augment an existing cyber program and build a program from scratch. In both cases, the CSF served as a strong foundation that supported organization growth for the long term as well as security operating in the present.
As discussed earlier, the value that checkbox compliance brought in the early days of IT was predicated on all organizations using the same or similar solutions. While organizations still need to adhere to compliance standards today, information security is not as easy as checking boxes. With the wide variety of solutions available, the attack surface of one organization versus another varies significantly. As a result of this variance, organizations must take a risk-based approach to information security that encompasses both the industry compliance standards and the risks specific to their organization. Digital risk management only accelerates the widening gap from one organization's risk profile to another.
For a digital risk management framework to be successful, it must be versatile to support the specific digital risks facing your organization. Where one enterprise may rely more on Internet of Things technology over social media, another may have artificial intelligence deeply into everything they do. This is the greatest challenge facing developers of a dedicated digital risk management framework - already, we are seeing NIST working on an Internet of Things Security framework. While this is only one facet of digital risk management, we predict that more frameworks will emerge around specific facets of digital risk management. We can’t wait, though; organizations are digitizing faster than organizations like NIST can develop these frameworks.
Returning to the NIST CSF, as we’ve seen with organizations with an existing cybersecurity program, it can supplement and augment a preexisting program. In the same way, the NIST CSF can support the expansion of new digital risks using its practices-based approach rather than focusing on specific controls that are confined to existing technologies.
The NIST CSF Is The Digital Risk Management Framework For Today And Tomorrow
Risk officers must examine how digital and cyber risks combine with the other elements of the enterprise risk profile from a business perspective - business risks, third-party risks, and operational risks. Combining the needs of a digital risk management framework: flexibility, scalability, and versatility, the NIST CSF is best suited for augmenting your information security program to support a digital transformation initiative. The outcome-based approach of the CSF helps security leaders translate their efforts directly into the business impact of their program development. Whether you decide to adopt the entire CSF or select specific controls, the NIST CSF is the best place to start when looking for a digital risk management framework.