Business Security

Cybersecurity is a process, not a one-time solution

Glenn Taylor, 20 September 2016

Effective cybersecurity addresses 5 core functions in a holistic manner which evolve with the threat environment.

Digitization – the use of social, mobile, analytics, and cloud technologies to generate, process, store, and communicate data – is transforming everything, with profound implications on how we learn, work and play.

“Digital transformation is not just a technology trend, it is at the center of business strategies across all industry segments and markets,” stated IDC.

This emerging anybody / anything / anytime / anywhere connected world, also known as the Internet of Everything (IoE), requires a holistic approach to protect the people, things and processes, and all the data they create, from intentional and unintentional harm. A holistic approach involves all aspects of cybersecurity – not just people, products, and processes, but also the five critical functions necessary to make security effective on an ongoing basis: Identify, Protect, Detect, Respond and Recover.

Developed by the US Commerce Department's National Institute of Standards and Technology (NIST), the five functions – further broken down into 22 categories and 98 subcategories – provide a framework for building an effective approach to cybersecurity:

Identify. Develop the institutional understanding to manage cybersecurity risk to organizational systems, assets, data, and capabilities, i.e. Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy;

Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services, i.e. limit or contain the impact of a potential cybersecurity event;

Detect. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event; i.e. enable timely discovery of cybersecurity events;

Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event; i.e. contain the impact of a potential cybersecurity event; and,

Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event; i.e. timely recovery to normal operations to reduce the impact from a cybersecurity event.

According to Gartner, the NIST framework is used currently by 30 percent of US organizations, growing to 50 percent by 2020. Key reasons for adopting the framework are: aligning with cybersecurity best practices (70 percent); business partner requirements (29 percent); and federal contract requirements (28 percent). 

The framework’s adoption is being hampered by costs, according to a recent report, which identified it as an industry best practice but noted that a complete implementation involves a higher level of investment. Most organizations (70 percent) view NIST's framework as a security best practice, but 50 percent see the high level of investment it requires as a barrier to adoption. While 84 percent of organizations have at least one security framework in place, 64 percent are using only part of the NIST framework, not all of the recommended controls, because of the cost and a lack of regulatory pressure; 83 percent of those planning to adopt the NIST framework in the coming year say they will take a similar approach, adopting some but not all of the CSF (Cybersecurity Framework) controls.

A much more positive picture was painted by Intel, which was actively involved with NIST and CSF from the beginning (February 2013) and ready to pilot at release (February 2014). Key learnings included:

  • The CSF fosters essential internal discussions about alignment, risk tolerance, control maturity, and other elements of cyber risk management
  • Its alignment to industry practices made it easy to scale and tailor it to the company’s environment with surprisingly minimal impact

Cybersecurity never sleeps

New attacks and vulnerabilities occur every day, and relying on keeping everything out forever is wishful thinking. The bad guys only have to be right once to win; the good guys have to be right every time just to stay in the game.

That doesn’t mean the situation is hopeless. Effective cybersecurity is a practical reality today, with the appropriate mechanisms and means in place. A holistic approach, one that combines everything and everybody, including proven partners, and adapts to the changing threat environment, can keep you and your organization secure.

In part 2 of 3 we’ll take a closer look at the threat environment, and how internal and external factors can impact – if not cripple – an organization.