Are you secure? Unfortunately, there is no way to prove that no one can breach your security. You can be compliant with any number of different regulations and frameworks and still be caught by some new attack or unanticipated vulnerability. That is one reason I like the Framework for Improving Critical Infrastructure Cybersecurity, released last year by the National Institute of Standards and Technology (NIST).
This security framework is different from other security regulations and frameworks because it is a process- and risk-management tool, not a static checklist or set of compliance requirements. Over the past year, we ran a pilot project with this framework in the Intel IT department to see how it works in the real world and how it compares to our existing security posture and processes. One of the most valuable lessons learned was how the framework improved visibility and facilitated discussions about risk throughout all levels of the company. Using the framework, we developed a heat map of our risk scores in several categories under the five major functions: identify, protect, detect, respond, and recover. Our CISO and the core security team established the desired target scores and their evaluation of the current scores in each area.
Then, without revealing the targets or the core team’s numbers, we asked several subject-matter experts throughout the company to score their own worksheets. Comparing these worksheets identified key issues for discussion, including a large gap between core team and SME scores, education and visibility issues, and a positive or negative gap between current and target numbers, indicating areas of under or overinvestment. Categories with a low score were expanded into subcategories (e.g. computing assets expanded to laptops, tablets, mobile, servers, storage, and network) to find the specific areas in need of improvement.
The five functions emphasized to everyone that security is more than detect and protect. Identifying data and tasks that require protection helped us highlight areas that needed further assessment. Developing the target scores supported better informed discussions on risk tolerance. The respond and recover functions underlined the need to be prepared to act quickly in the event of a breach to contain the damage and inform those affected. And the whole process enhanced our communications by harmonizing our language and terminology and helping us to recognize areas of difference and disconnect.
Our experience with this framework has been very positive, and we plan to continue to use it throughout Intel and with our suppliers and partners. I would encourage any size organization to evaluate and implement it also. When you do, we have a few suggestions to share from our initial project:
- Do it yourself. This is a process for discovery and discussion, not a checklist or assessment that can be done by a consultant.
- Start small and easy. It’s best to start with a small group that is comfortable with at least some of the language and technology, not across the whole organization.
- Customize for you. This is not a one-size-fits-all framework. Tailor the components for your business and technology environment.
- Work with decision makers. Risk management is not a static process, and it touches all levels of the organization. Engage them early and continually.
This framework began with collaboration between government, industry, and non-governmental organizations. Our best bet for better security is to continue that approach, protecting privacy and civil liberty, while promoting innovation and the use of the Internet for global economic development.