Wouldn’t it be great if you had your information security program at the point where you had confidence that if a criminal gang attacked you, you would be able to defend yourself, keep your business going, notify the appropriate legal authorities, and any vendor partners that might be impacted?
Yes, it would be, and yes, it is possible. Getting to that point is the goal of a mature security program. With a mature security program you are able to keep your business running even while you are attacked or recovering from an attack.
The question is, how do you get to the mature state? What does it take?
Many business leaders assume they don’t have enough budget or resources to achieve that level of cybersecurity capability. How do you start down the path of a having a robust, mature information security program?
First, you make information security a priority. Your Board agrees, and you make room for it in your budget and in your business plan.
Second, you choose a framework for your security program that works for your organization.
But what is a framework?
An information security framework is a series of documented processes that define policies and procedures around your implementation and ongoing management of information security controls in your company. NIST CSF, CIS Controls, COBIT, or ISO 27001 are blueprints for building an information security program that allows you to manage risk and reduce vulnerabilities.
Over the next few blog posts I will take a look at these frameworks at a high level so you can figure out which one makes sense for your company. I will start with the NIST CSF.
Read more from John: How do you ensure the security of your supply chain?
NIST Cybersecurity Framework (CSF).
NIST (National Institute for Standards and Technology) is a government-funded agency that works for you and me to set standards that we use every day. NIST lets you know you are getting 1 gallon of gas when you fill up your tank rather than .99 gallons of gas or .95 gallons.
NIST has THE gold standard for weights and measures. They also have the standard for encryption technology, and they gave us AES encryption, [1] which virtually everyone uses today to secure transactions online.
Acting on presidential orders in 2013, NIST—working with private industry—studied the problem and developed a guide (the CSF framework) to help companies manage and reduce cybersecurity risk. One way to think of the framework is by the five core functions it describes: Identify, Protect, Detect, Respond, and Recover. Each of the functions helps guide an organization to think clearly about what they have, how to protect it, how to detect if something bad happens, how to respond, and then recover.
Frequently companies consider these five functions to review the questions asked in each area (the total number of questions is just over 100) to see how they are doing in that area. The language is understandable and consistent so that the whole team is on the same page.
Using the five core functions as focal points for your attention, you can then begin to build your security program using consistent, understandable language that you, your team, and the board can understand.
In our next blog I’ll talk about the CIS Controls as another framework you can use.
[1] NIST worked with industry experts in 1997 to develop AES to help the Federal government secure and encrypt private and top secret data. Cryptographic Standards and Guidelines | CSRC (nist.gov)
Read more: 5 Questions you’ll need to answer for an improved security posture in 2021
Learn more: Securing your business against ransomware attacks