In my roles over the last several years I constantly have to communicate and explain what the security department does for the organization and how we deliver risk management processes and risk-based security controls to all levels of the enterprise. A key factor in gaining support for the program is explaining to executives and key stakeholders why we selected and implemented particular security and risk management frameworks at the organization.
After the pandemic hit in 2020 the world moved into a remote work environment, and executives and boards became more engaged and interested in the security posture of their organizations. Thus, I had the opportunity to update our key stakeholders and used this time to also help them understand what it is that we do and why we use frameworks to guide our priorities, communicate in business terms, and manage risk for the company. Coincidentally, in January of 2020, I had completed SANS MGT512: Security Leadership Essentials for Managers online with Frank Kim as the instructor. In the class, Frank used a restaurant analogy to illustrate how the alphabet soup of frameworks relate to each other at different levels. Inspired by Frank, I came up with an analogy in the common language of a P&C Insurance firm to communicate to our stakeholders what it is that we do. I explained that our industry groups cybersecurity frameworks into three buckets, which you can visualize in the image below, plus an overarching fourth bucket that governs the Enterprise Risk Management program and with which you should seek to align the security program. Below are these buckets; while I mention certain frameworks in this article, the list is not all-inclusive. The framework buckets are:
1) Security Control Frameworks
Let’s start at the bottom of the image with the Security Controls Framework. Imagine you are a construction company. If you wanted to build a house, you’d start with a solid inventory of the materials and tools you need to build the structure. These materials and tools are universally known, proven and standard across the industry (wood, nails, drills, hammers, etc.). Similarly, the security controls you can implement are described in various control frameworks. There are many well-known and established frameworks, such as the CIS 20 Security Controls developed by the Center for Internet Security (CIS), which defines the “Top 20” controls that have been shown to mitigate many of the most common and impactful attacks. However, it is important to note that the term “Top 20 Controls” can be misleading, and you need to help your stakeholders understand that these 20 controls are major categories, each broken down into sub-controls (171 of them in CIS Controls v7.1) that you need to evaluate against your organization’s culture, resources and business requirements. To help with guidance and prioritization, CIS groups the controls into three buckets:
Another comprehensive and widely adopted framework is NIST SP 800-53 by the National Institute of Standards and Technology. As with CIS, there are hundreds of controls that you need to prioritize according to your needs. NIST provides Low-Impact, Moderate-Impact and High-Impact control baselines, selected according to the impact level of the system being protected, to guide your selection and decision making.
2) Security Program Frameworks
Now, following our analogy, the general contractor on the construction project must understand how to use all the tools and materials in the market that we described in the previous section, and must know where each material goes and what shape the building should take. A security program framework is like the architectural blueprint the general contractor uses to put it all together.
A popular program framework is the NIST Cybersecurity Framework (CSF). It defines five high-level functions that help you communicate with stakeholders in business terms as well as prioritize and monitor your program objectives. These five functions are Identify, Protect, Detect, Respond and Recover.
Usually, your program is defined in the corporate security policy, and the program framework should be mapped to the security controls framework selected by the organization. The Center for Internet Security (CIS) has published an interactive document that maps the CIS 20 to other control frameworks, which you can find here.
Another popular program framework is ISO/IEC 27001 for Information Security Management, which “provides requirements for an information security management system and enables organizations to manage the security of their assets.” It is very important to understand that you can use the framework to guide your program and still choose not to certify against the standard.
3) Security Risk Management Frameworks
Ok, hang in there, we are almost done. Besides selecting and implementing your security controls and the governing framework for your program, you should also follow risk management practices to continuously identify gaps and strengths and to help you prioritize efforts and resources to mature your program.
To use the construction analogy again, a skilled general contractor is aware of the building codes, safety requirements, laws, rules and regulations that must be met. That is what a risk framework does for you: it helps you assess and manage risk while keeping the focus on business obligations, priorities and needs.
While there are several frameworks that define approaches to risk assessment and management from institutions like NIST and the International Organization for Standardization (ISO), you should first seek to align your IT risk management framework with the Enterprise Risk Management (ERM) framework. From a practical point of view, you can build a program that adopts the NIST or ISO framework, or incorporate items from both to fit your needs. In any case, it is critical that you clearly communicate the chosen framework and the roles of the different levels of management in your plan.
4) The Fourth Element: Enterprise Risk Management (ERM) Framework
Finally, we have the Enterprise Risk Management program. In financial services it is common to start with The Three Lines Model by the Institute of Internal Auditors (formerly The Three Lines of Defense) as the governing risk model, to ensure that everyone in the organization, from the executive team and board down to operational teams, is accountable for risk management functions and that risk ownership is a shared responsibility across the enterprise. Your organization may then choose to implement a framework like COSO ERM, from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), as the enterprise risk management framework to guide your priorities at the management level and bring focus to your efforts.
In conclusion, you will more than likely end up with a mix of frameworks that becomes your toolset and materials, which should align with the overarching ERM program, much as the general contractor draws on tools and materials to build appealing structures that are also compliant with industry codes and standards. As a security leader, you must be prepared to communicate how your security risk management program is structured, how it is maturing, how you manage operational risk, and how you prioritize efforts and resources for the organization, in business terms and, frankly, in layman’s terms; using the right framework will assist you in that effort.
Last but not least, I would like to thank Frank Kim not only for inspiring me through his class, but also for vetting my analogy when I developed it. I also invite you to read Frank’s own article on this topic to learn more; you can find it on his website here.