How banks can climb to the top of NIST’s cybersecurity maturity tiers
MANY government and non-government bodies across the world are working on creating structured routes to help organizations better secure their data and networks.
Among those, the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, is one that is delighting security professionals across the world.
The agency recently published a Framework for Improving Critical Infrastructure Cybersecurity which outlines four tiers of cybersecurity to help businesses understand where they stand and what the steps they need to take to secure their infrastructure.
According to the document, the four tiers (partial, informed, repetitive, and adaptive) describe an increasing degree of rigor and sophistication in cybersecurity risk management practices.
The framework is designed to help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.
The initial tier selection process involves evaluating current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, supply chain cybersecurity requirements, and organizational constraints to peg their existing risks.
Organizations are advised to determine the desired tier, ensuring that the selected level meets the organization’s goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization.
While NIST advocates that organizations try to gradually move from one tier to the next, the agency points out that tiers are meant to support organizational decision making about how to manage cybersecurity risk, as well as which dimensions of the organization are a higher priority and could receive additional resources.
Hence, the framework emphasizes that progression to higher tiers is encouraged only when a cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk.
Deloitte, in a recent report Pursuing Cybersecurity Maturity in Financial Institutions outlines, from observation and evaluation, the characteristics of adaptive companies per the NIST’s framework:
# 1 | Secure leadership and board involvement
Deloitte’s team believes that adaptive companies, as defined by NIST, call for senior executives to monitor cybersecurity risk in the same context as financial risk and other organizational risks.
The reality is that when board members and senior leaders of the organization are educated about cybersecurity, they’re better prepared to make budgetary and operational decisions to help manage risks and secure the organization.
According to a recent survey conducted by the think tank, five out of 14 adaptive (tier 4) companies compared to only one in 12 informed ones (tier 2) assigned a high priority to investing in organization-wide awareness and training, something that requires resources and support from multiple functions.
# 2 | Raise cybersecurity’s profile within the organization beyond IT
While cybersecurity often starts of as a function of IT, it can seldom be supported by IT staff as part of their regular mandate.
Deloitte’s survey found that one-half of all respondents — including those from adaptive companies — reported that the security team was part of the IT function at their organization.
The think tank’s leading consultants as well as security professionals, however, advise that since cybersecurity is such a key concern for most businesses, it must be seen as an independent function.
More mature companies recognize the need to raise the profile of the security function, enabling decisions that are above and independent of other IT considerations or constraints, said the report.
# 3 | Align more closely with business strategy
As companies grow by adding new platforms, products, geographic regions, apps, and web capabilities, cybersecurity considerations can multiply along with the introduction of each new element.
Deloitte believes that adaptive respondents recognize that cybersecurity needs to be more closely tied to the overall strategy.
This characteristic seems to be more true for banks and financial services institutions than anyone else given the legacy systems they consistently battle every day and the number of silos that exist in traditional organizations.
According to the think tank, embedding cyber professionals into strategic initiatives and transformational projects right from the onset will likely help the security function better manage cyber risk across the enterprise and foster greater collaboration and innovation