How to Build a Cybersecurity Risk Management Framework
When our country’s businesses are safe, our nation is safe. That’s the message that former President Obama gave when he talked about his executive order on “Improving Critical Infrastructure Cybersecurity” in his 2013 State of the Union address. Just a year later, the Obama administration launched the “Cybersecurity Framework,” which is a guide on enhancing cybersecurity developed by the private sector.
The cybersecurity infrastructures of our country’s businesses support national efforts toward economic security, public safety and health safety. The infrastructures of cybersecurity also affect our businesses’ bottom lines, profitability margins and reputations.
Regardless of their risk profiles or size, all companies should build a foundation of cybersecurity risk management based on good business principles and best practices.
Getting Started on a Risk Management Framework
There are many aspects to running a business. The issue of cybersecurity doesn’t usually make the top 10 list of priorities unless a problem rises to the surface that companies can’t ignore. At best, cybersecurity is often a knee-jerk reaction to a problem or new regulation. At worst, it’s an afterthought.
In today’s corporate world, companies need a well-thought-out, strategic plan for cybersecurity to protect themselves and everyone else from potential sources of harm.
Like any complex, multifaceted project, the hardest part of creating a risk management framework is getting past the feeling of being overwhelmed and just getting started. The easiest way to do that is to start out with a basic list.
List all of the tasks that need to be done to create the framework. Adding some items will spark ideas for even more tasks. Once you have a list, it should be pretty easy to see which ideas fall into similar categories or departments. Divide them into categories to make things a little more manageable.
Next, think about what resources you will need to implement the tasks. Will you need to purchase equipment? Will you need to hire additional employees? Does the infrastructure require instituting new policies or procedures? What kind of budget will support your efforts? The answers to these questions will add a few more items to your “to do” list.
Expect obstacles and challenges to come your way as you design your cybersecurity framework. Be aware that potential threats are complex and interconnected. Emerging problems may slow down your progress, but they’ll also give you new opportunities to bolster your cybersecurity planning. It’s also possible that new technology could emerge during your planning, and that could also be an asset.
Financial advisory firm Crowe Horwath recommends including the following five attributes in cybersecurity risk management frameworks:
- Effective framework
- End-to-end scope
- Risk assessment threat modeling
- Proactive incident response planning
- Dedicated cybersecurity resources
National Institute of Standards and Technology (NIST) Model
Companies understand that they need to improve risk management from a cybersecurity standpoint. They’re also learning more about the components that go into a cybersecurity risk management framework. Until recently, no company had a model to follow. The National Institute of Standards and Technology (NIST) helped to solve that problem by developing the “Framework for Improving Critical Infrastructure Cybersecurity” as a guide for all types and sizes of businesses.
NIST’s guide encourages a framework where everyone speaks about cybersecurity and risk management using the same language. NIST recommends using extensive collaboration with all areas of the business to get clarity about the current state of cybersecurity efforts. The initial vantage point becomes the basis for identifying strengths and weaknesses, evaluating processes and tools, and examining internal and external communications processes.
NIST recognizes that basic frameworks must continually evolve because of today’s rapid rate of technological change. In fact, NIST is in the process of revising the 2014 “Framework for Improving Critical Infrastructure Cybersecurity” to keep it updated and useful as a practical guide.
In its guide, NIST gives corporations specific ways to break down core functions into categories. The five core functions are:
- Identify
- Protect
- Detect
- Respond
- Recover
Taking these categories a bit further, NIST subdivides them into 22 more subcategories. What’s even more helpful is that the framework offers suggestions for building task lists and forming a baseline for measuring progress. Another step in NIST’s process is to establish a dollar figure on the amount of assets the company could lose.
NIST recommends that companies tailor security controls to their business functions, systems and operating environments. This step requires incorporating regulations, emerging threats and technological advances. If updating and reworking cybersecurity systems appears to be becoming cost-prohibitive, NIST says that companies should strive to strike a balance between the strongest cybersecurity efforts possible and the most reasonable, affordable cost.
Just as companies take stock of their cybersecurity processes at the outset of building a cybersecurity risk management framework, it’s just as important to map out all of the newly added security controls and processes once they are in place. Stepping back and taking a bird’s-eye view helps companies make sure the plan is comprehensive and that managers implemented the intended tools and processes as planned.
The newly formed framework will aid companies when they audit and analyze the cybersecurity framework in the future.
Companies will see the true impact of the new framework once it has had some time to work in real time. Managers and board directors will need to monitor the new infrastructure carefully. The system may require some tweaks and adjustments, especially in the beginning. As the business environment evolves, security measures will need to evolve with it.
Shifting From Reactive Measures to a Strategic and Proactive Cybersecurity Framework
Not knowing where to begin simply can’t be an excuse for doing nothing. It’s perfectly okay not knowing exactly what to do in the beginning. Most companies find that once they start moving toward building a cybersecurity risk management framework, there’s no stopping them. The truth is that one size does not fit all anyway. It’s far better to start moving in some direction and learning as you go, rather than getting stuck in “analysis paralysis” and doing nothing at all.