- Joseph Granneman, Illumination.io
The development of new cybersecurity frameworks has increased dramatically over the past few years. It wasn't too long ago that the choice of frameworks was limited to NIST Special Publication (SP) 800-53 or the International Organization for Standardization (ISO) 27000 series. There are now a multitude of potential options that can range from general security requirements to detailed controls for specific industry verticals. Many frameworks are still available for free, while some have moved to subscription fees and expensive certification programs. Frameworks have evolved to fill the niche requirements of any organizational security program.
The wide range of available options could make it difficult for any CISO to select a framework for their security organization. However, the deciding factors are not usually technical in nature. Most of these new cybersecurity frameworks have common controls and technical requirements. The biggest differences involve how the frameworks can be integrated into overall business goals and communicated to organizational leadership. These are the deciding factors that CISOs often use to determine the cybersecurity framework for their security programs.
Two experienced CISOs from different industry verticals offered their view on how CISOs are currently selecting and utilizing cybersecurity frameworks. Paul VanAmerongen represents UW Health, a large nonprofit healthcare organization, while Michael Wilcox is a former CISO who has previously represented a publicly traded global manufacturing company. The organizations they represent couldn't have more disparate business models and technology needs, yet both CISOs approached the selection of a cybersecurity framework for their security program in a similar way. There was a common focus on integration with business goals, program metrics and communication with leadership.
A framework that fits the business
The business of healthcare is in the midst of a massive transformation. This industry had to be incentivized by the government in 2009 to invest in converting their records from paper to electronic form. This drove cultural changes and large increases in spending on information technology. These shifts in technology spending unfortunately coincided with dramatic changes in healthcare reimbursement, driving down revenue. This is the cultural reality that most healthcare CISOs are navigating, and it directly influences the choice of cybersecurity framework.
VanAmerongen explained that the NIST Cybersecurity Framework is becoming popular with many healthcare providers as it is freely available and easily communicated both up and down the organization. It can be easily combined with more detailed frameworks, like NIST SP800-53, and with HIPAA regulatory compliance requirements. The HITRUST Cybersecurity Framework requirements can be referenced where additional detail is required. However, the costs of certification can make HITRUST a more difficult proposition for healthcare provider organizations to fully adopt.
Wilcox described how a publicly traded organization with global operations faces completely different challenges. The highly competitive manufacturing market is driven to reduce costs to maintain profit margins. Technology was adopted much earlier than in healthcare to drive efficiencies in production and supply chain management. Pressure on quarterly earnings and growth are constant expectations of the market and drive business decision-making. The CISO in this type of organization must be aware of this culture while considering how to satisfy all of the different security and privacy regulations from the countries where it does business around the globe.
The international nature of the ISO 27001 framework is a great fit in this type of a situation, especially if the organization has already adopted ITIL for IT service management. Manufacturing companies are already familiar with the ISO 9000 quality standards, and ISO 27001 can be framed to the organization as quality improvement for information security. This framework is globally recognized and easily translated to other frameworks and regulatory requirements. It can provide the basis for the initial creation of organization security policies that will set the standards for the development of the security organization. It can also be used to build the basis for a GDPR program, although additional privacy requirements must be added for full GDPR compliance.
Using cybersecurity frameworks in strategic plans
Paul VanAmerongenVice president and CISO, UW Health
A cybersecurity framework can be essential in strategic planning for information security departments, according to both CISOs interviewed. "Using a cybersecurity framework makes it easier to drive the program and set the vision," VanAmerongen said. Frameworks provide a prebuilt list of security requirements for performing an initial gap assessment. Security programs can inventory their current capabilities and compare them to a framework to begin building a customized roadmap for their organization. These roadmaps are then personalized to the business model and current maturity level.
The structure included in a security framework can be used as the first step to defining the security policy framework for the organization.
There is often a difference in opinion on creating policies before the controls are put in place. Some see them as aspirational, whereas others are concerned about stating the existence of security controls that are not yet in place. However, policies can be used to help reinforce the overall security strategy and help to define short-term operational requirements. The framework can be used as the foundation of developing an information security strategy that doesn't change as much as the other things in the CISO toolkit.
Communicating with leadership
One of the biggest advantages in selecting a cybersecurity framework is that it provides a basis of communication with organizational leadership. Both CISOs interviewed agreed that the NIST Cybersecurity Framework is especially well suited for this task.
"I think the NIST Cybersecurity Framework is … good to use with board level and executives," Wilcox said. "The five sections make it easy to explain and understand. Then you can map it out technically to any other framework that drives your policies" and the appropriate investments. For example, it is easy to explain that an organization may not fully meet the NIST Cybersecurity Framework Detect requirements if it does not invest in a SIEM to aggregate monitoring data.
ISO 27001 can be a little more difficult to navigate in this regard, according to Wilcox. A CISO could get "stuck in the weeds," Wilcox said, trying to explain the numerous requirements. It can become very confusing for anyone outside of the information security team if the CISO gets into this level of detail. ISO 27001 can still be used as a platform to communicate gaps in the information security program services such as the SIEM example above. It just requires more finesse from the CISO to deliver the message in a summarized format to leadership.
Managing operational impacts of cybersecurity frameworks
The communication to the security team about how to operationalize a cybersecurity framework was an essential point made by both CISOs. It can be easy for a security team to get caught up in the detail of the requirements defined by the framework and focus on risks that the organization has already accepted unless properly framed by the CISO, according VanAmerongen. Security teams are determined to be thorough. "Everyone wants to do a good job -- but it may exceed what the organization believes" is appropriate VanAmerongen said.
CISOs can mistakenly assume that their security team understands the framework because of their technical knowledge and experience. This can leave the security team "scratching their heads" about where to focus their priorities, Wilcox said. The key is to communicate the value of the framework to the security team by aligning the requirements to business initiatives.
"Alignment to business initiatives is critical," Wilcox said. "Now you have added value to the shareholders and start to bake it into operations. You need to augment your awareness program and how it aligns to the company's values." Information security can become a competitive advantage and market differentiator when integrated into the existing product quality initiatives. The security framework is then adding value to the shareholders and becomes baked into operations. The alignment with business initiatives will also keep executive attention focused on the security program.
Paid vs. free cybersecurity frameworks
The value of a paid certification against an open-standard cybersecurity framework is dependent on the market vertical of the organization, including regulatory and contractual requirements. "The framework needs to tie back to the security program and not just be an exercise in 'check-box' security," Wilcox said. It is far more important that the security program shows continual improvement. Certification holds value for service providers that need to demonstrate a third-party review of their security program. However, both Wilcox and VanAmerongen said they believe that you don't need to spend money on a framework to improve organizational information security.
Measuring ROI of cybersecurity frameworks
It is extremely difficult to measure the return on investment on information security spending. A better measurement may be cost avoidance due to the security controls in place through the adoption of cybersecurity frameworks. It may be necessary to complement the cybersecurity framework with an enterprise risk register in order to show risks that have been prevented or show gains in productivity, according to Wilcox.
VanAmerongen explained that it is important for a CISO to utilize the roadmaps defined by gap assessments comparing the current security program against the cybersecurity framework. These roadmaps can be used in continuing conversations with management and the board about the desired level of investment in information security initiatives. The framework requirements can then be implemented at different levels, giving the organization flexibility in information security spending.
Effects on productivity
VanAmerongen said that there will always be policy alignment work to complete regardless of the framework the organization choses. It is important that a CISO validate that the current security controls are functioning in the way they were intended. The key to limiting the impact on productivity in the security organization is to utilize a governance, risk and compliance tool to provide automation and a baseline for comparison. External assessors will identify different areas for improvement in HIPAA or NIST compliance. A tool that tracks the implementation of security controls will make it more difficult for these assessors to find gaps that have not already been identified.
Wilcox is less concerned about productivity than the information security policies becoming static documents. His approach is to seek the involvement from outside of information security and include teams from across the company. He identified stakeholders from multiple areas where information security policy directly affected their operations and could affect productivity. The human resources department was a good example, as many of the employee background screening requirements were being defined in information security policies. These departments could then work with information security on defining the least impactful processes to achieve the desired security control. The side effect was that the departments now had some ownership in the policy, which helped boost overall compliance.
Potential to decrease the number of data breaches
The overall goal for any cybersecurity framework is to reduce the risk of information security incidents that result in data breaches, ransomware attacks, email fraud, data destruction and other events. Cybersecurity frameworks have been available for many years, and yet the number of data breaches reported seems to be increasing. CISOs need to make sure that there is the extra effort in building a security program beyond simply adopting a framework. "Having a framework doesn't mean that you actually have an appropriate level of maturity for all of the controls in that framework," Wilcox warned. CISOs must continually validate their security controls to verify that they are still appropriate in a rapidly changing environment.
There are no disadvantages to adopting a cybersecurity framework. However, a CISO must still be able to demonstrate measured progress against the framework requirements over time. It can be three to five years before the information security program reaches the desired maturity level. The frameworks that provide tools to help measure this progress may be more effective at reducing the current trend of large data breaches. The implementation of any cybersecurity framework is a long journey that will yield benefits for any organizations adopting them long into the future.