The patient sat in silence, staring at the report. The prognosis was certainly grave. How could this be? There had never been any problems before. And now, to hear that it’s only a matter of time. Of course, the three specialists sitting across the table had not been that blunt. No, they all had a great bedside manner. Very professional, speaking in calming tones and emphasizing the positive. We can turn this around they said. We can build up your resistance.
The patient looked again at the report. Graphs with way too much red lit up its pages like a Christmas tree with only the red lights burning. One could get a second opinion, but reality was starting to sink in. The report told the truth.
The CEO, now looking a bit pale, carefully laid the report on the table as if it were a termination notice. So, the organization was wide open to attack and ignoring this as the organization grew had only compounded the problem.
The truth of the matter is, this story actually has a happy ending. But let’s first talk about how we got to this point. A few months earlier, the senior management team had reluctantly made the decision to bring in an outside firm to perform a cyber risk assessment. There was fear in the c-suite, a fear of problems that might be found. But there was a greater fear of doing nothing. This greater fear conjured up visions of massive system outages, regulators sending in teams of examiners, and a reputation in shambles.
On an appointed day, after proposals were reviewed, and a contract for a Cyber Risk Assessment was signed, a team of three cyber risk specialists arrived. They explained that a Cyber Risk Assessment is a comprehensive evaluation of an organization’s cybersecurity program and overall security posture. It identifies key risks that can impact the availability, integrity, and confidentiality of its information assets. It determines where the strengths are, and zeroes in on weaknesses that present the greatest threats to the organization. Its purpose is to provide the necessary information to close gaps in organizational defenses and provide the needed detail on how to do so in a cost-effective manner.
They contrasted the Cyber Risk Assessment with an IT Risk Assessment. They described the IT Risk Assessment as a broad review of all aspects of the IT organization. Like an x-ray, it is a prudent first step in identifying where problems may exist. They then made the point that a Cyber Risk Assessment is more like an MRI. It is a deep dive into the layers of protection that separate sensitive and critical data from sophisticated attackers. Peeling back these layers to reveal potential weaknesses, a Cyber Risk Assessment provides greater clarity and insight into an organization’s cybersecurity program, ensuring that expenditures to close the gaps are cost-effective and risk-appropriate to meet both current and future needs.
As the assessment began, a series of walkthrough meetings were held with key process owners within the organization. As they entered the conference room, immediately apparent was the large spreadsheet projected on one wall. The specialists explained that they were using something called the NIST Cybersecurity Framework, and would be walking the process owners through a series of questions designed to evaluate key cyber controls making up the framework. NIST is short for National Institute of Standards and Technology and is a research and standards-setting arm of the US Department of Commerce. Several years ago, in response to increasingly destructive cyber-attacks, NIST came up with this detailed framework for evaluating the sufficiency of cyber controls within an organization.
The NIST framework is divided into five major functional areas (Identify, Protect, Detect, Respond, and Recover). These five functions are divided into the 23 categories shown below, and those are further subdivided into over 100 control areas, referred to as subcategories. Depending on the process owners present, anywhere from one to three categories could be evaluated over the course of a half-day session.
The process owners had reluctantly entered the room expecting to be grilled, but the grilling never came. Instead, the specialists just asked about each subcategory, looking for input on what was in place and how it worked. Essentially the specialists were seeking to understand how each area functioned, what was documented and where, what was formalized, and what was ad-hoc. From this discussion, an implementation tier (Partial, Risk-Informed, Repeatable, or Adaptive) was assigned to categorize the level of cyber controls rigor and sophistication. For each subcategory, there was a discussion about risk, the likelihood of a problem occurring, and the potential magnitude of the problem.
Then the specialists asked a very interesting question. How could each particular subcategory be optimized to reduce the risk and raise it to a higher implementation tier, what new processes would be required, and what would that target state look like?
Slowly the spreadsheet began to be populated with data. As estimates were entered, cells would turn yellow or red in color. But this was mostly in the current state columns. In the target or future state column, the colors were generally yellow or green.
Of course, there were many more columns than these that had to be considered. There were columns cross-referencing to the organization’s audit universe, and to other governance frameworks such as COBIT 5. There were columns to describe the mechanisms that would need to be in place for the target state, estimates on how long it would take to reach the desired target state, and the level of effort required to get there.
Eventually, after much effort, the spreadsheet was completed. The level of detail was daunting, but it was the level of detail needed to get the organization from their current state to the desired future target state. Of course, the c-suite did not want to get bogged down in the details. They were more interested in the two radar graphs that summarized the results. Like cardinal points on a compass, 23 data points adorned each circle, one for each NIST category. Weeks of effort, all distilled down to just two small circles. But to the c-suite, it was a picture of hope, of a bullseye target transforming into a blue shield of controls covering all of the red high-level risks and a majority of the moderate risks.
At the beginning of this article, it was mentioned that this story has a happy ending. So, aren’t happy endings just something we read about in fairy tales? No, this story actually happened. The radar diagrams shown here are screenshots of the actual diagrams from a real organization. As a result of the Cyber Risk Assessment, corrective actions were identified and then triaged according to their priority and the level of effort required to close gaps in the organization’s cyber defenses. These changes required a lot of work, but slowly the red and yellow areas were covered as the blue field of controls expanded to cover an increasingly larger area.
The key to this happy ending was making the decision to perform a Cyber Risk Assessment. This allowed the organization to determine exactly what needed to be corrected, and take the necessary steps to do so. The organization now has a clear understanding of their cyber risks and has processes in place to keep that risk at an acceptable level. And that is truly a happy ending!