A Universal Model for Assessing Cyber Risk Part 4: Toward a Universal Cybergovernance Model
Part 1 examined how the increasing incidence of cyber breaches is bringing significant pressure on corporate directors to assume more oversight of cyber risk. In Part 2 we contrasted the rise of cybergovernance (cybersecurity governance) with the history of financial governance following the passage of the Sarbanes-Oxley Act. In Part 3 we explained how technology alone is inadequate to address the cybersecurity challenges we face.
A foundational model is needed upon which industry-specific requirements can be layered. Two existing standards offer complementary capabilities required for establishing a robust foundational model: NIST and C2M2.
NIST’s Contributions to Cybergovernance
NIST defined the need for a common cybergovernance methodology in the introduction to their seminal paper describing the NIST framework: “Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk.” The NIST Framework establishes the basic context for directors and management to achieve a shared understanding of the organization’s cybersecurity maturity. A strong cybergovernance model emerges from this understanding when managers develop goals, standards, and measurements for desired outcomes.
The lower three-fourths of the diagram from the NIST Framework depicts the organizational process that the NIST standard outlines, showing the roles and contributions of executive level staff, business process level staff, and implementation/operational level staff in managing cybersecurity readiness. The upper portion of the diagram illustrates the function that cybergovernance plays. Directors do not participate directly in execution of the NIST processes, but in order to execute their fiduciary duty – overseeing measures that will reduce risk to the company’s valuation – they need consistent visibility and oversight of cybersecurity execution.
The NIST model makes a number of key contributions, one of which is its definition of three fundamental dimensions of cybergovernance:
- Risk Management – Risk management comprises the specific technological and process measures taken to mitigate cybersecurity risk by recognizing it and rating it against some common threshold. Many people mistakenly view risk management as the entirety of cybergovernance.
- Risk Culture (organizational integration) – Principles and practices established to manage risk should be communicated widely throughout an organization, particularly in the case of cyber risk where attacks often target the uninformed. This dimension of cybergovernance asks how deeply risk management practices and processes have been integrated within the organization at large: have we created a culture of increased awareness about risk management?
- Risk Influence (external participation) – Significant advantages accrue from safely sharing cybersecurity information across multiple organizations, especially partners and vendors that can introduce substantial risk. An effective organization “manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.”
The NIST Framework contributed another significant concept: Framework Implementation Tiers, including “Partial”, “Risk Informed”, “Repeatable”, and “Adaptive”. These tiers aid in evaluating the effectiveness of an organization’s efforts to improve its cybersecurity protection across the three dimensions. The diagram below illustrates how the NIST tiers can be used to assess and monitor an organization’s progress toward cybergovernance maturity across the three dimensions.
C2M2’s Contributions to Cybergovernance
In early 2014, the U.S. Department of Energy introduced its Cybersecurity Capability Maturity Model (C2M2), declaring that a maturity model “provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement.” C2M2 is a cybergovernance maturity model that identifies ten cybersecurity domains and enumerates a comprehensive list of general controls to monitor within each domain. It encourages “establishing a cybersecurity risk management strategy that aligns with the enterprise risk management strategy. Cybersecurity risk is an important component of the overall business risk environment.”
We spoke recently with Dr. Erfan Ibrahim, Center Director for Cyber-Physical Systems Security and Resilience at the National Renewable Energy Lab (NREL). “Cybersecurity has multiple dimensions because different threat types can combine to take many forms. Hackers variously exploit people, business process, and technology related vulnerabilities to compromise businesses and steal their valuable data,” he said. “To make sense of such a complex set of variables requires a methodical approach. Organizations must identify vulnerabilities, develop a consistent set of security requirements to mitigate them, and then create an organizational process to initiate the phased projects required to implement the cybersecurity controls and continuously gauge the process towards full implementation.”
The specific domain controls of C2M2 and the intuitive presentation of NIST’s three dimensions and maturity tiers combine to create a workable standard. Consulting organizations and regulators evaluating the maturity of an organization’s cybergovernance efforts would benefit from a cybergovernance standard built by combining these two leading frameworks. Merging the NIST framework and C2M2 model is a foundational step toward creating a uniform standard of cybergovernance maturity.