Making IT Work: episode 9
I’ve been spending a lot of time this year working with clients beginning the long process of implementing security controls in support of the NIST Cybersecurity Framework. I’ve been feeling the need to share a few lessons learned from these early stage activities, and some implications for organizations as they progress.
- Adoption starts at the top! Organizations having the best success with the framework begin by gaining buy-in and commitment from the highest levels of the organizations; Boards of Directors and senior C-level management. Fundamentally, the value proposition of using a framework like this is in facilitating business-centered conversations, about risk, risk optimization, and investment prioritization.
- Business-side stakeholders need enough awareness of the Framework to collaborate. Ultimately the purpose of any set of security practices is to enable and protect business workflows, business processes, and business information. All of these are owned by business side stakeholders; process managers, line of business managers, and customer relationship managers. These key stakeholders need to have a clear voice alongside risk and audit on how to best optimize the cost/risk/value balance and enable the organization to successfully deliver value to stakeholders. Extensive conversations between business leadership and security practitioners is absolutely essential…and these conversations must take place in business language and reflect business priorities. The NIST Framework provides the necessary language and structure to enable these conversations without devolving into technical jargon.
- An adaptive, Agile approach is necessary. Information security is necessarily always responding to new vulnerabilities, threats, risks, and issues. Security professionals benefit from adopting certain core Agile principles and practices in order to remain flexible and adaptive as the threat landscape evolves.
- The NIST Framework -really- is useful to any size organization, and adapts readily to the realities of small/medium sized businesses. Many of my customers are not huge enterprises and don’t have dozens or hundreds of personnel focused on the implementation of security practices. Many more of them, with tens or hundreds of employees, are more likely to “have a guy” who is tasked with “doing security.” Eventually one of the main benefits to using a framework like the NIST Cybersecurity Framework is to provide any-size organization with an approach to help organizations recognize that security is an organization-wide problem, that real-world constraints can and do exist, and that the most effective approach is to assess current capabilities and prioritize needs, with the goal to be establishing a functional beachhead that enables the organization to do with the most critical issues, then work using a process of continuous improvement to start iteratively chipping away at other capabilities.
As we continue to work to help organizations adopt and adapt this framework, I expect I’ll have a lot more to share. Remember, be willing to “win a little,” consolidate your gains, and do it again!
One of the resources we provide is free access to our online LinkedIn Mentoring Community, where interested professionals can ask questions, share links and information, and support one another in adoption and adaptation of the NIST CSF and various Informative References.
To gain access to the community, follow the link https://www.linkedin.com/groups/12376016/
Related posts: Agile as a Business Transformation Practice