As we know, cybersecurity has been a hot topic in recent years, from the rise of security start-ups to the increase in data breaches. In today’s world it is fair to say that cybercrime has quickly become a very lucrative ecosystem, one that is evolving so fast that we struggle to keep up with it. It is important to note that we cannot fully secure our environments from cyber threats, but we can reduce the risk and set our appetite for cyber risk, so that we invest appropriately and strategically in cybersecurity solutions and frameworks.
Often, I find that there is a disconnect between boards/senior executives and IT security teams. In the past this disconnect has led to misunderstandings about IT security roles and responsibilities and about what the business expects from them.
IT security teams are expected to protect the organisation from cyber threats that the operational/front line may introduce into the internal network. For example, staff may follow the instructions in a phishing email without realising it is a phishing attack, and this can lead to a breach and several other issues.
This disconnect or misunderstanding between IT security and the board/senior executives has several different causes: poor organisational culture, a lack of awareness/training across the organisation, and a weak cybersecurity framework or no effective framework at all.
There are several ways to tackle these challenges, particularly for organisations that have the capacity and financial resources to employ a Chief Information Security Officer (CISO) with a security team and/or a Data Protection Officer (DPO).
The CISO can be the leader and main driver of this change by creating awareness at the board and senior executive level. This can be done in several ways, including implementing a cybersecurity framework and understanding where the organisation’s current cybersecurity profile or posture sits.
The DPO can also assist in this process by providing an overall understanding and a deep view of how the organisation handles and stores data, including how sensitive that data is. This piece of work is often known as data mapping, and it is a great starting point before investing in or implementing a cybersecurity solution and framework.
Small to mid-size organisations that do not have the same financial resources as large organisations can nominate an internal staff member to carry out the role of DPO and can use CISO as a service, which has huge advantages for smaller companies.
It is also important to run training and awareness campaigns across your organisation regularly. This keeps cybersecurity front of mind for all staff rather than relying on IT alone, and when awareness/training is delivered in a way that is relevant and beneficial for each business unit, you have a much higher chance of engaging staff.
Another key element is creating a data breach response plan or cybersecurity incident response plan. Ensuring that it is in line with your current business continuity plan and crisis management plan helps any organisation manage a cybersecurity breach successfully. It is also very important to test this plan regularly to confirm that it is accurate and still connected to your business continuity plan and crisis management plan. This will not only heighten awareness but will also help you comply with data breach regulations such as the General Data Protection Regulation (GDPR) and the Australian Notifiable Data Breach Scheme (NDB).
Many companies also choose to follow and implement ISO/IEC standards, particularly ISO/IEC 27001, to help integrate an effective cybersecurity framework; however, this standard can sometimes become a tick-the-box exercise to gain certification or satisfy the board/senior executives. To enable organisation-wide cultural change, it is important not only to implement an effective cybersecurity framework but also to ensure that all staff know it and have the right training and awareness to become a successful first line of defence.
In my opinion, using ISO/IEC 27001 alone is not going to be the best solution; however, when you use the standard together with the NIST Cybersecurity Framework (CSF) you may be more successful in implementing an effective framework. Some may think that the NIST CSF is not as comprehensive or as effective as the ISO/IEC 27001 standard, however I beg to differ. Both are very effective tools if used in the right way. Both are technology neutral (which is what you want), which makes them easier to implement and mould into any type of organisation regardless of what your technology landscape looks like; both are based on risk management; and you can use both to help spread awareness from the board/senior executives down to the operational front line.
There are some key elements in the NIST CSF that are not covered in ISO/IEC 27001, for example:
- The Framework Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes. The Framework Core comprises five functions: Identify, Protect, Detect, Respond and Recover;
- The Framework Tiers guide organizations to consider the appropriate level of accuracy for their cybersecurity program and are often used as a communication tool to aid discussion of risk appetite, priority, strategy and budget. The tiers range from Tier 1 (Partial) and Tier 2 (Risk Informed) through Tier 3 (Repeatable) to Tier 4 (Adaptive);
- The Framework Profile represents the unique alignment of organizational requirements and objectives, risk appetite and resources against the desired outcomes of the Framework Core. This is where you bring together your business objectives, cyber threat analysis and results, requirements and controls to produce a comprehensive cybersecurity profile or posture. The reason for creating a view of your cybersecurity profile or posture is to help fit the framework to your organisation in the best way possible.
I think the NIST CSF is a great way to set the minimum requirements for your organisation and potentially for your clients/suppliers/vendors. The NIST CSF is also quite easy to follow and helps everyone from the board/senior executives through to IT staff/engineers understand the framework requirements, which helps with implementation and with understanding security control gaps.
There are also some things in ISO/IEC 27001 that are quite useful and that the NIST CSF does not provide. These are:
- Companies can become ISO/IEC 27001 certified;
- It’s an internationally recognized & accepted standard;
- Focus on protection of all types of data not just data on IT systems;
- Defines what records and documents are needed as minimum requirements.
Given the differences and benefits of the NIST CSF and ISO/IEC 27001, you do not necessarily need to use just one standard/framework. Any organisation can benefit from using both in different ways, for example using ISO/IEC 27001 for the specific design of your cybersecurity/IT environment and using the NIST CSF for risk management and the implementation of cybersecurity controls. Together, these elements will help you achieve a cybersecurity framework and solution that best suits your organisation.
This article on cybersecurity and risk management was authored by Tulin Sevgin.
Author details:
Tulin Sevgin, Cyber Risk Lead,