Corporate and government leaders have been putting an increasing focus on the risks to our critical infrastructure by cyber-attacks. Industrial controls, once thought to be immune to these internet borne threats, are now clearly in the cross-hairs of new types of malware.
Responding to this growing risk, in 2013 the White House issued an executive order for a cybersecurity framework (CSF) to be created by the National Institute of Standards and Technology (NIST), providing guidance to organizations with critical infrastructure to help them manage cybersecurity risk. On February 12th 2014, Version 1.0 of the NIST Framework was released following months of drafting and comment involving both the public and private sector. IBM was a significant contributor to this effort.
The NIST CSF framework provides guidelines, but it is not prescriptive. It does not tell you how to make the organization’s controls secure. To do that, an organization needs to translate the guidelines into an actionable security program.
Four tips to a 5-star security program
Here are four points to consider:
- Establish your business objectives and set priorities for securing your critical infrastructure. Consider your business objectives and your level of risk tolerance based on the unique needs of your organization. Step inside the shoes of a cyber-attacker and take a look at your company’s information and business critical systems from their point of view, asking how an attacker could do the most damage.
- Assess your current readiness for a sophisticated attack. The threat model is evolving and your organization must ensure that it has the resources and tools necessary to identify and stop an attack, determine what was compromised, and begin the remediation process. Leverage the NIST framework to ensure that you are taking a holistic view in assessing your capabilities.
- Develop a proactive security plan to protect your organization that aligns to your business objectives. Identify how you can collect and leverage security intelligence to enhance your readiness and responsiveness. Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you the visibility and insight into what’s going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway.
- Make sure your security program has clearly defined ownership and leadership assigned across critical business areas. Rapid response is critical when an incident occurs and having in place an effective governance structure with well-defined communication processes will help to minimize the potential damage.
Taking this journey is more effective if you have a knowledgeable guide.
To use an analogy: the NIST CSF is like a cookbook that provides the recipe, the ingredients and general instructions on how to assemble the ingredients, but it takes the talents of a chef to interpret the recipe, adjust the proportions and spices, and turn it into an excellent meal.
We are here to help you leverage the Cybersecurity Framework (CSF) to baseline your current security program, identify gaps, prioritize security investments, and develop an actionable roadmap to improve your security maturity.
I hope these tips will help you create a “5 Star” security operation based on the NIST CSF. Are there any other tips I missed? Let me know in the comments below.
Global Strategist & Offering Manager, IBM Security Services
Pierre Gourdon is a Global Strategist & Offering Manager for IBM Security Services with responsibility for managing a global portfolio of security consul...