When developing a security strategy, understanding threats, capabilities, controls and risks is critical to a successful plan. A leader may choose from many standards to help them on this journey, but where do they begin? A mature, industry-accepted framework is a good place to start, and the NIST Cybersecurity Framework (CSF) meets that requirement. The good news is that many of these standards are cross-referenced, so mapping from one to another is possible. The NIST CSF provides a seven-step process that covers defining the scope, assessing control maturity, assessing risks and developing a plan of action. Keep in mind that defining the right scope is integral to successful and meaningful results. If this is the first time executing a NIST CSF assessment, start small and meaningful, for example with a finance system or the company website. Far too often, security leaders are pressured into expansive scopes for their first alignment efforts, which tends to lead to unexpected hurdles.
Now that you have aligned on a framework, the next step is to determine which standard will be used to assess your environment. For example, if assessing Operational Technology (OT), ISA/IEC 62443 is an appropriate standard, whereas NIST SP 800-53 is suited to Information Technology (IT) environments. Each standard can be applied as the situation of the assessed environment demands. This step can be the most challenging for beginners, especially in a self-assessment, because it requires scheduling time with the various subject matter experts and the ability to interview them properly. Be honest when assessing a control: if it is "in the works," it is not fully deployed across the scope of systems. Once completed, the security plan can be leveraged in other assessments.
Once the maturity of the controls is understood, how do you determine what to work on? To answer this, there needs to be a clear understanding of the risks facing the company and the scope of systems assessed. This is the risk assessment step of the NIST CSF process, where threats are analyzed for likelihood, probability, and impact. For example, the threats to a standalone scheduling application are different from those to an online banking application, so the risks and compensating controls are also different. As in the previous step, there are multiple standards and methods for performing a risk assessment. NIST SP 800-30 is one risk assessment methodology and Factor Analysis of Information Risk (FAIR) is another. FAIR has the benefit of communicating risk in financial terms, while NIST SP 800-30 provides a straightforward process to quantify risk; adding financial impact to NIST SP 800-30 achieves both. Once the risks are assessed, there will be a clear picture of which threats need to be addressed in line with the company's risk tolerance. This list is the Plan of Action and Milestones, or POAM. POAMs are a great way to formally track the correction of cybersecurity issues, so that stakeholders at different levels can see that there is a plan with identified actions to take and milestones against which to measure progress.
A solid assessment framework, effective control standards, and a risk assessment methodology are all required to develop a defensible security strategy. There are many other uses for these tools. A new security leader could use these methods to understand the capabilities of their new team, whereas a seasoned CISO may use the framework to objectively measure progress towards executing an existing strategy. It is also common for CISOs to use the framework to communicate cyber maturity to their Board of Directors. The results of the assessment alone can be enlightening, but when compared with peers or other companies in the same vertical, they become very useful for communicating a message.
How else can your identified and selected frameworks and assessment methodologies be used to advance a security organization? The organizationally adopted frameworks and methodologies can be used in concert with other referenceable works, such as the MITRE ATT&CK framework, to better understand how specific attack techniques relate to the assessed controls. Additionally, they can help answer questions around ransomware readiness or support the development of a data protection strategy. Overall, these powerful enablers can assist the security leader across many aspects of the organization and its other lines of business.