Operationalizing Cybersecurity

Posted on by Tom Conkle

Operationalizing, or implementing, cybersecurity is an ongoing effort that continually evolves and grows.  Just like organizations can’t achieve safety; they cannot achieve cybersecurity.  Therefore, having a well-defined organizational cybersecurity strategy is essential in keeping organizational security goals in mind. Board members are becoming increasingly aware of the requirements to implement cybersecurity strategies and the perils faced by those organizations that continue to leave cybersecurity as an information technology (IT) problem. These motivations are assisting board members in being more active in defining the organization cybersecurity strategy. Therefore, board members are becoming increasingly aware of the importance in implementing a cybersecurity strategy.

Defining a cybersecurity strategy
An organizational cybersecurity strategy is the organization’s plan for mitigating security risks to an acceptable level. Understanding the business purpose and mission goals of the organization is the first step in defining a cybersecurity strategy.  Board members, and business leaders, within the organization define their expectations for the services within the business by establishing operating targets and budgets.  If aligned correctly, this information provides insight into critical business functions within the organization and can assist in identifying the criticality of the resources supporting those functions.  For example, if an organization declares it is releasing a new product this quarter and all focus is being placed on completing the project, the resources supporting the new product development becomes critical.  There are many frameworks available, such as ISCAC’s COBIT 5[1], that assist organizations in defining and establishing business priorities for the organization.

Translating a cybersecurity strategy into a risk management plan
Once an organization understand their business objectives and align resources to those objectives, the organization can develop a security risk management plan.  Security risks are not simply a count of the number of vulnerabilities detected by a vulnerability scanner.  Security risks are areas within the organization that could be damaging to business operations if the threat acts..  There are many risk assessment processes available to assist organizations in defining cybersecurity risks for their organization. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)[2] and FAIR[3] are quantitative risk assessment processes that enable organizations to identify and quantify the risk to their business.  NIST 800-30, Guide for Conducting Risk Assessments[4], helps organization understand how likely a security risk is to occur and the impact or harm it will have on the organization if it does occur.  Organizations can leverage any of these processes, or a combination of each, to define security risk thresholds and expectations of the organizations business operations.  These security thresholds and expectations become the guidance required to define a risk management plan.  Organizations can use the risk management plan to create a security risk register for their organization.

A security risk register is an artifact that aligns the key threats to the business operations of the organization (e.g. natural disaster, accidental insider, malicious external parties, etc.) with weaknesses within the organization that the threats could exploit to harm the organization.  While an exhaustive risk register may have hundreds of line items for different ways threats could impact business operations, most organizations can summarize the threats and weaknesses within their organization to identify twenty to thirty key risk areas.  This enables organization to focus on implementing cybersecurity objectives in areas where key security risks can be mitigated. The risk register can be sorted by the risk quantified using the risk assessment methodology selected by the organization.

Operationalizing cybersecurity strategies
The NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF)[5] defines the core activities and outcomes of a cybersecurity program. The CSF Core establishes five function: Identify, Protect, Detect, Respond, and Recover.  Organizations can use these functions to establish security capabilities required to manage cybersecurity to an acceptable risk level as defined in the risk management plan.

Cybersecurity strategies are implemented using people, process, and technology.  While technology provides a critical component within a cybersecurity program, it can’t be the only element.  Similarly, cybersecurity policies are only effective if they are followed.  Security policies that address all security risks within the organization are not effective if staff are not trained and reminded regularly of policies and their expectations in achieving the requirements defined within the policies. Organizations can implement a holistic cybersecurity strategy by using the CSF to define organizational cybersecurity expectations which mitigate security risks below risk thresholds established in the risk management plan as defined in the risk register.  The CSF refers to this plan as a Target State Profile.  An effective target state profile is one which identifies the types of security policy required within the organization and defines organizational practices required to implement the security policies.

Implementing a cybersecurity strategy is an ongoing activity, but not impossible.  Organizations must continually evaluate the ever-changing threat landscape and business objectives.  A good cybersecurity strategy is one that is in alignment with organizational business goals and mission objectives.  The business goals and mission objectives establish the foundation for establishing a risk management plan that defines the acceptable security risk levels within the organization.  Once the security risks within the organization are defined in a risk register, organization can determine the appropriate level of security required to operate within that risk level.

[3] FAIR, FAIR Institute, http://www.fairinstitute.org/

[4] Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST) SP 800-30, September 2012, http://dx.doi.org/10.6028/NIST.SP.800-30r1

[5] NIST Framework for Improving Cybersecurity, NIST, February 2013, https://www.nist.gov/document-3766

Tom Conkle

Cybersecurity Engineer, Optic Cyber Solutions

Security Strategy & Architecture

security operations

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community