Trying to understand all there is to know about cyber threats and cybersecurity can be daunting. However, you can begin to address the challenges by changing the way you look at the issue: Keep it simple, adopt a framework you can understand, and start with the basics.
One structure that works well for both technical and non-technical managers is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, aka the “NIST Cybersecurity Framework,” or the “NIST CSF.” It works well because it uses a common language to address and manage cybersecurity risks in a cost-effective way based on business needs.
The framework describes an entire cybersecurity program in terms of five basic functions:
- IDENTIFY the assets that need to be protected and the risks associated with those assets
- PROTECT those assets by establishing physical, logical and administrative controls
- DETECT when an asset is compromised or under attack by monitoring established controls
- RESPOND when an asset is compromised by adhering to a prepared and practiced plan
- RECOVER IT and business operations in an orderly, prioritized manner by adhering to a prepared and practiced plan
The Basics: Know what you are protecting
It may seem obvious that you can’t have protection until you IDENTIFY what you are protecting, but you might be surprised how many security organizations have not actually identified what they secure. Asked about security, they will talk about technical aspects and how much they have invested in security products. What they don’t mention is exactly what they are securing, and this is where you should start. Ask yourself the following questions:
1. What are the information assets you must protect? They could be data assets: Personally Identifiable Information (PII), Personal Health Information (PHI), intellectual property, trade secrets, etc. They could also be business processes, such as an automated shop floor in manufacturing or package movement in a fulfillment center. The important thing is that these information assets can only be fully discovered and classified (by criticality, risk, sensitivity, etc.) by data and process owners – not IT or security people – playing a part in the IDENTIFY process.
2. What are the hardware, software, operating system and network components associated with the data and business process assets that you have classified as high priority? When fully documented and combined with the data assets from question 1, this becomes your asset inventory and the foundation of your information security program.
3. What are the risks associated with the assets in your inventory? A thorough risk assessment must be done initially and periodically to ensure that all relevant threats and vulnerabilities are constantly being managed.
With these basics in place, you know exactly what your critical assets are, understand the risks associated with them, and can now build appropriate physical, logical and administrative controls to PROTECT them. By monitoring those assets and the controls, you can DETECT when something may be amiss, and quickly RESPOND and RECOVER.