Developing your Security Program: Part 4 — The practical components of a Cybersecurity Program
In part three of this series, we discussed the puzzle pieces that make up a potential cybersecurity program, and that depending on the size and scale of the organization, those pieces might come in different shapes and sizes; some might also lie in the areas of responsibility of other leaders. Part of the leader's role is not to ensure that all the puzzle pieces are present or even under your control, but instead that the correct elements are there at the right size.
The National Institute of Standards and Technology (NIST) has created several frameworks for use by state and federal governments, which can also be used in private industry. I bring up NIST SP 800-37 (Revision 2, Risk Management Framework for Information Systems and Organizations) in this series to point out that you will likely need to use multiple frameworks in your program at the same time, as different frameworks focus on different levels of the organization. The excerpt from NIST SP 800-37 below shows that some frameworks might be focused at the organization level, while others are used at a lower level, such as for individual information systems. This part focuses on the practical components of a cybersecurity program; as with many things in life, it helps to start with a framework that guides you on how the pieces could function together, as in this example.
As we look at the components below, we will note their potential to interact with the higher-level frameworks, but many of them are focused on the lower level. Note that the significant sections within the framework are governance and management; many information security programs keep an arm's-length separation from the operations teams, which gives them the independence to challenge the activities of operations and to impose controls or limitations. However, there is a changing trend: integrating security teams, components, and management as functional partners in the business, working directly with the teams. Many DevOps or DevSecOps environments have security resources embedded directly in their teams, allowing them to see the inefficiencies of controls and the areas where they can help the teams securely optimize operations. You do not have to keep the components in a silo.
This framework example is set up similarly to the NIST CSF (Cybersecurity Framework), in which the functions are broken out and grouped into Identify, Protect, Detect, Respond, and Recover. (SEE BELOW) The management and governance of each of these areas can become a project and an area for mastery. As you might note, the organization in the above example focuses heavily on protection. While many rely on their business partners in operations, IT, or the business itself to help with the Identify function of the CSF, it is the foundation for the rest of your program. As a good partner, you would want to help with that phase as well, as it will multiply the effects on your program's ability to function effectively.
Many organizations have focused on the Protect phase of the CSF, while core components of the Identify phase, such as Asset Management, Risk Assessments, and Risk Management Strategies, have not yet been shored up. Even with a significant identification and protection program, do not overlook your ability to respond and recover. While many organizations have claimed that they can perform those functions, the rampant climb in ransomware has demonstrated that struggling to respond and recover can lead to the death of the business.
In the next installment, we will focus on the triangles of compliance and controls.
If you have questions about becoming the security leader you desire to be and how coaching can help you, reach out to me at https://cpf-coaching.com