The 2019 Gartner Security and Risk Management Survey confirms that 73% of organizations around the world espouse the NIST Cybersecurity Framework (NIST CSF). NIST CSF focuses on five core functions--Identify, Protect, Detect, Respond and Recover. These categories cover all aspects of cybersecurity, which makes this framework a complete, risk-based approach to securing almost any organization.
According to Gartner, although adoption levels of NIST CSF are high, risk management initiatives lack business participation and financial investment. Security and risk teams suffer from exhaustion due to a control-focused CSF implementation leading to a checkbox exercise in informing senior management and the board about the organization’s cybersecurity posture. One of the ways to set realistic expectations is to take a “risk-based approach.”
Before switching to a risk-based approach, however, organizations need to decide where they fall on the maturity scale and what GRC solution they will use. There are different degrees of maturity that enable implementing a NIST CSF framework.
What maturity means
Cybersecurity maturity is a term that refers to an organization’s ability and degree of readiness to mitigate vulnerabilities and threats. The more ‘mature’ a company’s cybersecurity practices are, the better equipped they are at preventing threats before they become breaches.
Organizations setting up a cyber risk management plan for the first time need to start with a risk analysis and determine which identified risks are the highest priority. Companies fall short in creating new risk management programs by trying to adopt something that already exists but doesn’t match their goals. They essentially try to fit a square peg into a round hole.
It’s imperative to identify industry-specific goals to frame what risk prioritization should be. NIST CSF tiers can act as a guide between cybersecurity risk management and operational risk management. NIST CSF implementation should be continuous and repeatable but also flexible. Inflexible approaches may seem ideal at first, but since the landscape of risk changes so often, organizations will suffer from a process that only creates more gaps when it refuses to shift with new threats.
To start determining maturity level and how to take steps to increase your security posture, you must first decide what the goals will be. Is it no risk, ever? If so, that is unattainable unless no one at your company uses anything digital. It’s better to ask, what is an acceptable level of risk? Many “immature” organizations don't have a solid grasp of risk and simply say "I accept the risk" without understanding what it is they're agreeing to. Another goal could be with remediation. How do you identify the risk, qualitatively/quantitatively measure the risk, then create the plan to reduce the mitigate risk to an acceptable level?
Let’s look at the different levels of maturity and how they apply to security posture.
Level 1: Initial
This is the starting point of a new process with the bare minimum guidelines organizations must achieve to stay compliant. There is little support from other departments or top-level executives to perform assessments, and there are typically no risk policies in place. Security teams at this level of maturity might be spread thin and not have the bandwidth to successfully monitor all aspects of regulatory compliance and risk. Compliance programs may not be formed yet. This approach is more than a little chaotic at times.
Although managing compliance is a necessity, companies leave themselves vulnerable to threats that don’t fit in bare minimum compliance requirements by addressing risk from a compliance-only perspective. At level one, some of the things that can be addressed to help you get to a more mature stage can be found in automation. Specifically in report generation and dashboarding, which gives important insight into risk without digging through spreadsheets. Workflows can be automated to free up time for other projects, and the return on security investment (RoSI) can be calculated for financial reporting to present to the C-suite or board.
However, this approach is still at its core, compliance-centric, and it offers little in the way of data mapping or comprehensive risk insight.
Level 2: Developing
At this level, organizations have started taking steps to be less compliance-centric and more business outcome-centric. Security teams are starting to assign risk management responsibilities, a risk policy is being formed, and a risk register is created. The process is beginning to be documented so that the same steps can be repeated or reassessed.
Coming up with these procedures acts as a guidepost for taking a more disciplined approach to cybersecurity. By improving risk mitigation and control monitoring, organizations start to reduce the likelihood of attacks and disruptions of day-to-day business processes.
At this stage, executives and security leaders still benefit from return on security investment (RoSI) information and how it applies to their program and workflow automation. Companies can engage in a more detailed risk modeling to calculate cyber risk. With automation options available through platforms like CyberStrong, the bulk of the risk assessment burden can be taken off of security teams.
There’s still more that can be done here to increase maturity, though. At this level, assessments aren’t scheduled regularly, and leadership isn’t always on board with cyber practices.
Level 3: Defined
This is where organizations are starting to become serious about a risk-first approach to cybersecurity. Leadership supports formal strategic planning for risk management, and risk assessments are being scheduled proactively instead of once a year or once every two years. Critical control gaps are being addressed and managed to allow a proactive response to deal with emerging threats. Governance has been formed.
This is the area where we start to see a shift into thinking about risk in a business context. Instead of adhering to bare minimum compliance processes, maybe with some threat assessment sprinkled in, teams start to think about reputational and organizational risk and how it can be mediated.
At this level, though, there might still be an excess of time spent in spreadsheets checking boxes. There can be a waste of precious funding on security controls that don’t change the organization’s risk profile.
Level 4: Managed
Here, the data is beginning the mapping process to assist in making more informed decisions when risks and vulnerabilities crop up. This step has empowered the C-suite to make more informed decisions to bring their cyber practices up to modern standards. There is a top-down cyber-aware culture that has influenced the way employees see integrated risk management.
Organizations are starting to see the need to quantify cyber risk to more accurately assess RoSI and positively influence business decisions. Goals are being addressed with long-term objectives instead of short-term goals that are constantly shifting. Teams are becoming more agile and are evolving more quickly to address the constant change of the industry.
But even with this risk first shift, automation can significantly decrease the amount of time spent on reports with automated crosswalking of frameworks so assessments can be done in hours instead of days.
Level 5: Optimizing
When companies start optimizing their process, they are assessing risk and compliance near-continuously. The data that’s collected is consistently improving cybersecurity risk management and driving risk-first decision making. Governance is driven by high-level executives and management and implemented through security teams. The board is actively invested in cyber posture, and there is a deliberate process that focuses on optimization and improvement.
Executive-level buy-in here is critical in reducing a risk footprint. That can be achieved by creating a narrative that presents cybersecurity initiatives in business terms. Once a risk-aware, top-down culture is implemented, companies can make more insightful decisions that will allow them to manage threats proactively.
Two key things are missing at this level--continuous control automation and real-time risk management.
Level 6: Dynamic
At this top tier, we see a true continuous assessment of risk and compliance. The risk-aware culture company-wide is flourishing and risk is fully integrated in all strategic decision making. There is full transparency at the board level and they understand and collaborate on risk management policies. Risk Operations Centers have been created to further supplement security operations centers.
At this level, businesses and cybersecurity are completely aligned and work seamlessly together to manage cyber risk. Threat environments are continuously monitored through automation, and tweaks are made regularly to a flexible cyber risk strategy.
This layered approach allows for the highest level of protection for vital assets.
Gartner’s research between 2014-2018 shows that approximately 41% of clients had either not selected a framework or had developed their own ad hoc framework. Failure to choose any framework and/or build one from scratch can lead to poorly designed security programs. By mapping long-term goals, determining ideal risk posture, and receiving executive buy-in, organizations can increase their security maturity one level at a time. It’s not a process that happens overnight, but choosing the right GRC tools is vital in achieving a higher maturity level.
By proactively taking steps to mitigate and understand potential risks, companies set themselves up for success by doing their best to avoid incidents. To learn more about how automation can increase your maturity level and supplement your existing GRC platform, contact us.