What do we do about Cybersecurity?

An illustration of the Target credit card data breach

An illustration of the Target credit card data breach

We all know that our computer systems are not really secure, especially when connected to the Internet.  So much is being written about the need to improve and guides to get started (i.e., DHS, FCC, SBA, Stop Think Connect, etc.).  Most of these programs inform you of what needs to be done, but not how to do it.

What I want to do is to identify some specific steps and considerations for “how to do it”.  Since the “how to’s” for cybersecurity improvement can’t be condensed down into a single blog post, it looks like this will become a series.  The best thing to do is to get started!

Start (part 1)

The use of a Risk Management approach is an excellent way to measure and manage cybersecurity risk in harmony with your other business risks.  The place to start is the NIST Cybersecurity Framework (CSF), here is the link to the PDF.  I used the Cybersecurity Framework when it was first published in February 2014 to start a discussion with our CEO and Board of Directors. It was the first time that they understood, more than superficially, why cybersecurity is important to our company and what it meant to provide cybersecurity protection.  In fact the ensuing discussion about what were our critical assets (data), what were the threats, and what our strategy should be for protecting our critical information transformed our approach to business.  The following is a nice summary video “NIST Cybersecurity Framework Explained” from rapid7.

The NIST Cybersecurity Framework suggests the following steps to create or improve a cybersecurity program:

  1. Identify and prioritize your critical assets (data), and the systems that process it.
  2. Identify and prioritize threats to your critical assets and systems.
  3. Create a current Framework Profile – which Category and Subcategory outcomes are currently being achieved.
  4. Risk assessment – analyze operational environment to discern likelihood and impact of cybersecurity events.
  5. Create Target Framework Profile – describing the organization’s desired cybersecurity outcomes.
  6. Determine, Analyze, and Prioritize Gaps.
  7. Implement Action Plan.

While these steps sound easy, there are challenges with differing terminology, definitions, value assessment, expectations, and lack of measures and metrics that are identified in trying to create your CSF Profile.  We have found that as discussions proceed, clarity and consistency improvements spread through the organization.  This clarification activity alone will contribute to improved cybersecurity posture.

Once this baseline is established, part of the implementation should be the defining and collection of metrics that will be used by the organization to re-assess their cybersecurity risk by repeating the steps with updated metric and changing business and threat environment information.

There are several key problems in actually implementing the Framework:

  1. Most organizations have not identified and prioritized their critical assets, thus the data is strewn across the organizations infrastructure.  This is like using a bank in which their employees store all of the bank’s money in their desk drawers and filing cabinets. It’s distributed, but not very accessible or secure, and you have to secure everything at a high level, which is not cost effective.
  2. Most small and medium sized businesses think they are too small, or don’t have anything of interest.  Wrong – every organization is a target to someone.
  3. Risk assessments may not be typically expressed in terms of dollars.
    • What are the costs to your business if the threats were successful in obtaining your critical assets?  Could you stay in business?
    • How much is the business willing to spend to prevent the Cybersecurity Risks?  In other words, how much are you willing to spend in prevention, or risk transfer, while retaining a viable business model?  This may set the upper limit for your cybersecurity budget, including cybersecurity insurance.
  4. How do you measure the effectiveness of the cybersecurity program or outcomes (steps 3 and 5)?
    • If you can’t measure, how do you know if you improve or not?
    • How do you know if you are measuring the right things?
    • Who knows of any consensus standard metrics?
  5. How do you respond to all of the alerts and indicators you receive from the array of security tools that have been deployed in your organization?  For almost every breach documented, there were indicators that the organization missed.

In the next few posts, I’ll share some “how to’s” for identifying and prioritizing your assets and threats, creation of your current profile and risk assessment, creation of your target profile, gap assessment, and action plan.  I’ll conclude this series with how to tie all of this up into an integrated operational process, with automated support solutions, and how to take the subsequent steps towards continuous cybersecurity improvement.

In a preview of the solution, Rofori is a real-time collaborative continuous Situational Awareness (SA) process management system for cybersecurity. Rofori provides real-time continuous management and assessment against the NIST Cybersecurity Framework, thus providing organizations insight into their cybersecurity posture based on continuous monitoring activity across time and in turn, measure cybersecurity improvement.

Rofori Brings  Process Control to Continuous Monitoring within the NIST Cybersecurity Framework

Rofori Brings Process Control to Continuous Monitoring within the NIST Cybersecurity Framework

David

Advertisements

Welcome to “The rofori Effect!” blog

rofori in use on smartphone, tablet, or Laptop computer.

rofori viewer - designed for mobility

This is the official blog for rofori®. In this blog, we would like to provide information about team communications and making a team effective through communication.  We would also like to discuss interesting aspects of the technology we use and pertinent industry topics.

So, what is “The rofori® Effect” and why have we used it for the name of this blog?

Well, when one of us would describe to someone how you could use rofori® and the benefits you could get from it, most often at some point in describing different ways people could use rofori® for their groups that were business, professional, or personal oriented, their face, voice, and level of excitement would suddenly change and you would instantly know that they “got it”.  I can only describe the change in the participant’s demeanor as ‘the delight of discovery’.

As we would describe the conversation to brief the other members of the rofori® team, Will came up with the term “Ahhh, the rofori effect”.  That statement represents the moment that the person ‘got it’, and the change in excitement that results in people winding themselves up about new possibilities of disruptive change.

My hope for this blog is to be able to communicate at least some of the possibilities and excitement that we have as a result of learning what rofori® can do for us!

To find out more, please check out the rofori.com web site and review the Introduction and Ways to Use rofori videos.

Thank you for your time and interest!

Sincerely,

David