As organizations continue to embrace digitization, security teams are faced with the challenge of keeping the enterprise secure while empowering growth and innovation. Many CISO’s today are faced with developing digital risk management strategies that encompass these new technologies and it can be difficult to know where to start. That is where frameworks help - they are the foundation on which organizations build and iterate their digital security programs.
Security leaders have used security frameworks to guide their strategies since these frameworks were first published. ISO published their first iteration in the late 80’s and since then, multiple frameworks have been brought into the fold. The fundamental principle of these frameworks is that businesses often use the same or similar technologies to support their business and as a result, the industry can develop standards that all organizations should follow.
For the late 20th and early 21st centuries, this approach made sense: the market for information technology was largely underdeveloped and the options limited. Relying heavily on frameworks and compliance made the most sense, saving time and resources by focusing on checking boxes instead of dedicating personnel to a risk-based approach. Today, though, we are faced with a new challenge: digital business and digital transformations have completely changed the way security professionals need to approach information security.
Digital Risk Management Frameworks
The fact is that developing a new framework takes time, and given the breakneck speed of innovation and new technologies coming to market, to develop a framework based solely on the technologies of today would be folly.
A Digital Risk Management Framework Needs…
More than anything, when selecting a framework to guide your cyber risk management strategy you must seek out frameworks that deliver flexibility and scalability to support future technologies. What we are only just now starting to see is the legacy technologies and approaches to cybersecurity are the biggest opening for an attack.
Of the frameworks that exist today, the NIST Cybersecurity Framework delivers the most flexible approach. Since the NIST CSF is a voluntary framework and is based on guidelines and best practices, it offers more flexibility of application than other frameworks. Given that a digital security risk management framework requires flexibility to support the further development of the entire organization, the NIST CSF in parts can augment an existing digital risk management strategy.
A framework applied to digital risk management must also support scalability. The rapid adoption of new technologies across an entire organization is only going to accelerate. Business units are able to test and trial more potential solutions than ever before and with new platforms automating aspects of a business unit, a digital risk management framework must be able to scale as these new products hit the market. Scalability here meaning that the digital risk management framework can support the uncertainty of what new solutions will be brought into your organization.
Given its voluntary nature, as well as its proven track record of supporting organizations of all sizes, we recommend looking into the NIST CSF once again. We have seen organizations from small businesses through to Fortune 500 organizations adopt facets of the NIST CSF to both augment and existing cyber program as well as build a program from scratch. In both cases, the NIST CSF served as a strong foundation that supported organization growth for the long term as well as security operating in the present.
As discussed earlier, the value that checkbox compliance brought in the early days of IT was predicated on all organizations using the same or similar solutions. Today, though, while organizations still need to adhere to compliance standards, information security is not as easy as checking boxes. With the wide variety of solutions available, the attack surface of one organization versus another varies significantly. As a result of this variance, organizations must take a risk-based approach to information security that encompasses both the industry compliance standards and the risks specific to their organization. Digital risk management only accelerates the widening gap from one organization's risk profile to another.
For a digital risk management framework to be successful, it must be versatile to support the specific digital risks facing your organization. Where one enterprise may rely more on internet of things technology over social media, another may have artificial intelligence deeply into everything they do. This is the greatest challenge facing developers of a dedicated digital risk management framework - already we are seeing NIST working on an Internet of Things Security framework. While this is only one facet of digital risk management, we predict that more frameworks will emerge around specific facets of digital risk management. We can’t wait, though, organizations are digitizing faster than organizations like NIST can develop these frameworks.
Returning again to the NIST CSF, as we’ve seen with organizations that have an existing cybersecurity program in place, it can supplement and augment a preexisting program. In the same way, the NIST CSF can support the expansion of new digital risks using its practices-based approach rather than focusing on specific controls which are confined to existing technologies.
The NIST CSF Is The Digital Risk Management Framework For Today And Tomorrow
Risk officers must examine how digital and cyber risks combine with the other elements of the enterprise risk profile from a business perspective - business risk, third-party risks, operational risks. Combining the needs of a digital risk management framework: flexibility, scalability, and versatility, the NIST CSF is best suited for augmenting your information security program to support a digital transformation initiative. The outcome-based approach of the CSF helps security leaders translate their efforts directly into the business impact of their program development. Whether you decide to adopt the entire CSF or select specific controls, the NIST CSF is the best place to start when looking for a digital risk management framework.