In today’s evolving world, agility and the ability to pivot in the right direction are absolute necessities for any business to succeed. Distributed Denial of Service, malware, phishing, and other intricate cyber-attacks pose significant threats to every organization. Many organizations have taken a forward-leaning approach to developing strong cybersecurity programs; others have not, or are still in the early development phases. The successful cybersecurity programs have accomplished this by implementing one, or a blend, of risk-based frameworks and migrating away from a Compliance Checklist.
Framework over Compliance Checklist?
Compliance Checklists are not bad things to use. They are ideal for situations or areas where the answers tend to be yes or no (black and white). Compliance checklists begin to lose value when you approach that sweet spot known as the “grey area.” Regardless of your industry, failing a compliance audit is never fun. However, a compliance audit only determines whether you are meeting the requirements on the checklist.
For example, my organization aims to reduce our electricity usage by 20% over the next year. To reach the goal, we establish a beginning/end-of-day checklist for our employees to complete for their respective offices. The list asks what time the lights are turned on and turned off daily, and the collected checklists show the lights are off. We find that between the hours of 5:30 pm and 5:30 am, lights are turned off consistently, yet we see no change in our electric bill. We’ve met the requirements of the checklist and did not see any results.
The Compliance Checklist falls short in the area of intent. A checklist doesn’t encourage an individual or organization to drill down into the 2nd, 3rd, or 4th layers. The objective was to reduce the cost of electricity; following the compliance checklist did not provide the desired result. Compliance Checklists leave us with limitations and reduce us to checking a box.
Implementing a framework allows an organization to develop a well-rounded program consisting of appropriately implemented controls that are continuously monitored for effectiveness. Using the example in the previous paragraph, a framework would include continuous monitoring or test plans that validate the efficacy of turning off the lights daily by checking energy costs monthly and evaluating trends. A framework highlights why the organization is not getting the desired results and affords it the ability to tailor or remediate the action sooner to obtain the desired result.
In 2017, the U.S. Government made it mandatory for all government entities to implement a cybersecurity framework to protect their information systems and networks. The National Institute of Standards and Technology (NIST) has published several publications on Cybersecurity Frameworks. Alternative frameworks from organizations such as the International Organization for Standardization (ISO) and ISACA, to name a few, can help an organization go beyond meeting the points on a Compliance Checklist.
Collaboration and Documentation
Cybersecurity policies, procedures, and plans have far-reaching implications, both direct and indirect, for an organization’s other functional areas. Excellent cybersecurity programs have buy-in and collaboration from senior leadership, program management, and the various functional organizations. We must remember that for Cybersecurity to be successful within an organization, all members must participate. When collaborating on the implementation of controls, valuable perspective and appreciation for one another’s function are gained. Collectively accounting for compliance requirements, business continuity, risk mitigation, and cultural factors mitigates the ripple effects across the organization.
Documenting roles, responsibilities, procedures, and practices ensures everyone is on the same page when it is time for them to perform. The better an organization documents, the easier it becomes to promote continuity, muscle memory, and swift action. One thing to remember about documentation is that proof of a policy is suitable; proof of implementation (known as artifacts) is better. This is what the framework is all about. During the monitoring phase, the compelling evidence, or artifacts, will determine the success of the implemented control.
Responsibility and Accountability
After the collaboration and documentation, it is vital to identify who is responsible and accountable. Placing ownership for aspects of the cyber program on the senior leader promotes a culture of accountability from the top of an organization to the bottom. No one should be exempt from doing their part. Every functional organization will play a role.
Monitoring
Monitoring is essential to the success of the framework. In the world of Cybersecurity, the one constant is change. Regularly monitoring your controls, roles, responsibilities, procedures, practices, and documentation helps the organization determine the effectiveness of the implemented controls. Monitoring is ongoing, consisting of various checks performed weekly to annually. The intent is for every control, policy, and procedure to be documented, and for the process to be reviewed at least annually. A monitoring plan should be established and executed, with a detailed report showing pass/fail status, the action taken, and the supporting artifact. Today’s threat will not look the same tomorrow, so it is imperative that you are ready and can adjust accordingly.
When navigating the framework waters, know that you are not alone! There is a vast community of experienced professionals and organizations available that are willing to help. Networking is key. Every cybersecurity member on your team should be a part of one, if not all, of the following organizations: International Information System Security Certification Consortium (ISC2), ISACA, or InfraGard. These organizations and their teams are always up on the latest threats and trends.
Should your organization need support implementing your Cybersecurity program, contact us. Our team of professionals is prepared to support you.