By David Malicoat, CEO and Founder, BAMCIS Cybersecurity
I recently wrote a white paper on cyber resiliency, titled Solving Cybersecurity’s Achilles’ Heel, A Cyber Resilience Framework for Technology. You can find it here: https://bamciscyber.com/cybersecurity-white-paper. In the paper, I cover a new mental model for weaving resiliency into the cybersecurity ecosystem. When I came up with the Cyber Resilience Framework (CRF), I admonished myself for creating yet another framework for the cybersecurity community. There are plenty out there, and it quickly becomes an alphabet soup. Then I swung back the other way. Cyber Resilience represents a distinctly different thought process and encompasses much more than the scope of the standard cybersecurity frameworks. You may be thinking that most standardized cybersecurity frameworks already address resiliency. I agree. They do. Unfortunately, the frameworks themselves tend to stay buried in the cybersecurity function as a tactical tool. They do not natively enable broader engagement with the business.
The CRF is a wide-ranging framework that interfaces with Enterprise Risk Management (ERM) by way of Cybersecurity Risk Management (CRM). It includes governance, architecture and solutions, all the way through operations. It is intended to advance the concepts of resilience throughout the organization, particularly the technology function. The CRF is based on four foundational pillars:
1. Design components and systems to be difficult to attack
2. Minimize the impact when the attack comes
3. Allocate resources proportional to the importance of the assets being secured
4. Continuously deliver critical capabilities to the business
This post is not meant to be a criticism of standardized cybersecurity frameworks. I believe they are invaluable and are responsible for a heightened maturity level of cybersecurity practice wherever they are adopted. Further, virtually all of them contain components that guide practitioners toward a more resilient posture. Overall, standardized cybersecurity frameworks such as the NIST CSF, ISO 27002, COBIT, HITRUST, and others are a good place to start for organizations that are finding their footing when it comes to cyber risk. These frameworks provide solid guidance and address the 80/20 rule for most organizations. I believe cybersecurity professionals need to understand the intricacies of the businesses they serve to fully anticipate potential risk scenarios. By design, standardized frameworks are generalized and therefore do not address this need.
Using the NIST CSF, let’s look at some examples of principles that reinforce cyber resiliency. I will skip the obvious examples, the “Respond” and “Recover” functions. These functions contain the vast majority of the traditional concepts related to Business Continuity (BC) and Disaster Recovery (DR), which have long been associated with resiliency. I will note that the use of automation in the Respond and Recover functions will give you a decided advantage when addressing the four foundational pillars. Let’s discuss two examples of cyber resilience found elsewhere in the NIST CSF.
Category: Asset Management
Sub-Category: ID.AM-5 – Resources (e.g., hardware devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
This concept reinforces CRF Foundational Pillar #3. Not all data systems are created equal. If your business holds customer data, payment card data, or research and development outcomes of your organization’s next product, the security controls applied to these systems and their corresponding network architecture need to be the most robust you can muster. On the other hand, if you are holding public website data or queued social media posts, your security controls and level of effort should be dialed down according to the lowered criticality of the data. This concept also means that you need to know where your data sits and its level of criticality. Utilizing this sliding scale of protection vs. criticality allows you to focus your security budget, avoiding the costly “one size fits all” approach.
Category: Security Continuous Monitoring
Sub-Category: DE.CM-1 through DE.CM-8 (all)
The concept addressed by this category is simple: if you don’t monitor all your devices (network, server, endpoint), you are running blind. It is extremely difficult to respond to an event that you had no idea ever took place. In the not-too-distant past, this meant blowing your security budget on expensive tools and the high-priced talent to run them. This is no longer the case. Security tools have gained multi-tenant capabilities, and an entire ecosystem of service providers has embraced these developments. You can go to market for monitoring services that are highly cost-effective and come with a high level of customer service.
Cybersecurity frameworks are important and can be critical to your success. But you have more to do. You must reach into your organization and understand how it operates. This understanding allows you to prioritize your risk response and focus your budget accordingly. Don’t fear reaching outside the norm to explore services that support your cyber-resilient posture.