As we discussed in a previous post, being resilient to cyber-attacks and cyber failures is one of the four major goals of a Cyber Risk Management Program.
The best way to meet that goal is to organize your cybersecurity program so resilience is a top priority.
I suggest you do that by following these steps:
- Select a suitable high-level model or framework;
- Select controls that explicitly support cyber resilience and satisfy your customer’s information security requirements, your compliance mandates, and supports executive decision making;
- Then, measure how well you’ve implemented these controls as a basis for operating and improving your cyber risk management program.
Let’s walk through the first step now. I’ll cover steps two and three in later posts.
Two Useful Frameworks
For the rest of this post, let’s look at two specific frameworks that emphasize cyber resilience.
As you’ll see, there are a lot of similarities between the two.
NIST Cybersecurity Framework
Previously, I’ve written about the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Refer to blog posts, You Need to be Cyber Resilient and Where to Get Your Cybersecurity Controls.
To recap, it has five high level functions:
- Identify, means to develop the organizational understanding to manage cybersecurity risk
- Prevent, means to develop and implement the appropriate controls to stop cyber-attacks from happening
- To Detect is to know when a cybersecurity event happens
- Respond means to take action on a detected cybersecurity event
- And Recover means to restore all capabilities and services that were impaired due to a cybersecurity event.
This CSF has a lot going for it and would make an excellent choice for almost anyone:
- It’s free to use.
- It’s popular in the U.S.
- It was created by a cross-functional team of experts from private industry.
- It gets regular updates.
- You can tailor it to fit your unique needs.
- The framework is useful across a wide range of industries and organizational sizes.
Through my company, Cyber Risk Opportunities, we’ve used it successfully with a $2 million, local nonprofit, a $1 billion global company, and several others of various sizes and industries.
The Gartner Model
Now, let’s look at another Cyber Resilience Model.
This one is from Gartner, the international IT research firm.
It has four high level functions:
- Gartner defines Predict as proactively learning about attacks and failures and using that information to inform the work of the next three functions.
- The Prevent function consists of things you do to prevent cyber-attacks and failures from causing harm to your organization.
- Detect means finding attacks that have evaded your preventative measures; and
- Response means to contain and remove the threat and then recover from it.
If you are a Gartner subscriber, adopting their model would make a lot of sense:
- You would inherit the credibility of this independent research company
- And the rest of the Gartner tools and resources are already aligned to it
- Their model has a second level of categories that you can use to organize and guide selection of the specific controls you need
- And for that you could use NIST 800-53, ISO 27001, or one of the other sources we looked at earlier.
Which One?
If you’re not a Gartner subscriber, it’s probably not worth the cost to become one just to gain access to their model.
Instead, you can adopt the NIST Cybersecurity Framework and then select from all the 98 included controls.
Note, with the NIST option, you could map each CSF outcome to the specific International Organization for Standardization (ISO) 27001 controls. So, with a little more work, you can also pursue ISO 27001 compliance, if you wanted.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.