Business leaders must move to a deeper understanding of regulation and compliance requirements for their industry. These frequently complicated and confusing laws are too often viewed only through the negative lens of the avoidance of punishment. But there's real value to be found in these rules as they can facilitate the creation of a new "prescriptive framework" that helps a company more clearly understand where it sits in terms of risk — and the protection of its data and brand reputation.
The Importance of a Prescriptive Framework for Cybersecurity
Executives, and even board members, have a responsibility to demand and contribute to the creation of the right prescriptive framework in collaboration with the chief information security officer (CISO). This framework needs to provide transparency, identify security gaps, and use company-appropriate metrics. And the data in that framework must be easily digestible and acted upon by non-security experts in the evaluation and approval of proposals around cybersecurity.
PCI DSS (Payment Card Industry Data Security Standard) for retail companies and FFIEC CAT (Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool) in the financial services space are well-known cybersecurity frameworks that can serve as the basis of developing one at your company. Both measure a large set of security controls (authentication, data security, and vulnerability prioritization) that help to lower organizational risk posture and give companies an understanding of how solid their security policy really is.
A CISO can benefit by using these kinds of industry standards and tools to create a framework that is thorough and can be understood by executives who are non-security experts. This way, it can "prescriptively" guide the way that security gaps and vulnerabilities are not only identified but addressed within an appropriate business context.
Factors in Selecting the Right Cybersecurity Risk Framework
The big question for a company is: How do we select and use the right existing cybersecurity framework to inform the creation of our own guidelines? Three main variables guide this choice: the size and maturity of the organization, issues of relevance to the industry, and an understanding of the company's internal business processes.
1. Company Size
Larger companies will often already have well-articulated requirements for mandatory adherence to several types of regulatory controls. And public companies must file reports to comply with financial regulations, such as those required by the Securities and Exchange Commission for public mergers and acquisitions or private equity acquisitions. Both of these sources will contain a certain amount of cybersecurity intelligence for audits that are valuable input sources for your framework.
For smaller companies, IT and security teams are lean and processes are more limited simply because of the maturity and resources of the organization. This often results in overlapping regulatory responsibilities — for example, a CISO with responsibility for both security and compliance policy. Overlaps can be advantageous in mapping out organizational processes — since there are fewer stakeholders from which to collect the policy information and a less bureaucratic and onerous approval process.
2. Industry Relevance
Security control issues have different weights of importance depending on what's critical in the specific industry. In retail, a cybersecurity framework such as the PCI DSS does an excellent job articulating the issues with many common security controls that are needed to protect valuable customer data. However, PCI DSS may not work well in an industry like manufacturing,where the enterprise may reside entirely on-premises with little to no access to an external network. In this case, security issues revolve around protecting critical internal IP, and a more vertical agnostic guideline such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CFS) may be a better place to start.
3. Business Processes
Too often, companies think about cybersecurity only from the perspective of outside forces. They forget to think about the vulnerabilities that can be caused by their own everyday internal processes. An understanding of how data is stored, processed, or transmitted inside the business provides greater clarity about which security controls and measurements are needed at different stages of the data life cycle.
Large organizations will have well-codified internal processes. Smaller companies may have never articulated their business processes, which may have grown organically (and unattended) over time. If cybersecurity is an issue (and it is), then it's time to go to your IT lead or CISO to create an initial mapping of your processes.
Cybersecurity and the True Fiduciary
At first glance, some executives might think that asking for a usable cybersecurity compliance framework is pushing cybersecurity concerns too far. But how is this different from expecting a chief financial officer to provide a balance sheet, profit and loss statement, and robust analyses of potential acquisitions? It's not. Both security frameworks and financial analysis should be based on industry-recognized and accepted models for data that are useful and actionable by non-expert fiduciaries and management. Today, both security and financial information should be considered of equal value and importance in executive and board decisions.
For CISOs, executives, and board members alike, it's time to look at regulations as friends, not foes, in the evolution of cybersecurity preparedness.