Deliver Cyber Resilience Right With Roles & Responsibilities category of NIST Cybersecurity Framework 2.0
As cyber resilience is an organization-wide effort, an appropriate and comprehensive framework for roles & responsibilities is required.
This is not only because global standards such as the Govern function of NIST Cybersecurity Framework 2.0 recommend it, but also because without such a framework it is impossible to deliver and run the right capabilities close to the intended timeline, budget and quality targets.
In particular, a governance system should be established, encompassing three key pillars:
- An executive is tasked with sponsoring and coordinating cyber resilience within the organization, either taking decisions on their own or using a consensus-based decision-making process.
- All executives and business unit heads are incentivized to demonstrate, and lead by example on, responsible and resilient practices in acquiring, developing, upgrading, running, disposing of or divesting cyber capabilities, systems, assets and services.
- An adequate governance framework is in place that keeps communication channels open on a defined cadence or in response to notable events.
As a next step, a cyber resilience roles & responsibilities framework is designed and aligned with relevant stakeholders, taking into account the approximate risk profile of the operating environment, the organization itself, its operating and delivery model, government and/or key client requirements, and its phase in the organization lifecycle. The key decisions are as follows:
- Function split (operating model) between the centralized cyber resilience organization, its governing body and other divisions, as well as the level of independence of foreign assets or specialized subsidiaries (insurance, payments or asset management companies for FSI, upstream assets for oil & gas, etc.)
- Enforcement mechanism to ensure the operating model is implemented and maintained; e.g., once a Global Security Operations Center or Technology Risk Audit Team is established, assets are not allowed to build the same capability homegrown.
- Cyber resilience is integrated with relevant process areas, for example human resources, enterprise risk management, business planning, technology planning, disaster recovery, business continuity planning and management, internal control, physical security, operations, fraud management and investigations.
- Adequate resources are allocated to implement the cyber resilience program (strategy, roles, responsibilities and policies), or the resource gap is acknowledged and leads to a redesign of operations, technology, marketing and legal strategies and the corresponding risk acceptance/avoidance.
Cyber resilience operating model
While many roles (and almost all possible technical ones) are covered by the NICE framework, below is an example of 5 other governance-focused cyber resilience roles that can make a difference for an organization's setup.
Group Chief Information Security Officers are instrumental in orchestrating coherent cyber resilience governance across a group with revenue-generating subsidiaries that have their own Chief Information Security Officers.
Regional/Country Information Security Officers are essential for geographically dispersed organizations with overseas revenue streams and overseas stakeholders, including local government bodies.
Business Information Security Officers can be of use where a lot of division-specific application development takes place and corporate cyber resilience requirements cannot be implemented directly and all at once.
Technology Risk professionals are required to enable the sustainable provision of complex end-to-end (E2E) user journeys in industries like FSI (digital banking, asset management, trading/market making, insurance), telecom (mobile, fixed, MVNO) or digital government services.
Account Security Officers are needed when a B2B enterprise runs sensitive or critical workloads for a major client; they provide assurance that the security/cyber resilience standards of both the enterprise and the respective client are being implemented, and that the HQ and client points of view on the matter are consistently projected into the account's reality.
Integration of cyber resilience with corporate processes
The integration takes many forms, catering to the culture and setup of an organization; a few examples are given below.
Internal control & enterprise risk management
As a long-standing boardroom issue, internal control & enterprise risk management have already developed solid communication channels covering business and regional unit heads, global management and the board of directors. Integrating cyber resilience risks into their reporting and management system helps IC & ERM cover the cyber area, which is critical for the organization, and in return gets more executive attention for the cyber resilience function.
Technology planning & disaster recovery
Technology planning & disaster recovery management functions can help roll out cyber resilience controls across the entire enterprise estate by including them in budgeting guidelines and the list of KPIs tracked. In turn, cyber resilience can sometimes be a more effective and louder voice for them, as it often gets more attention from management and enterprise staff on a day-to-day basis.
Human resources
An employment contract is the relationship framework between an employee and an organization; it can outline, or refer to, operational cyber resilience duties, actions to refrain from, and the possible consequences of unwise or immature actions by an employee.
Employee on/offboarding is a touchpoint where expectations towards employees can be reaffirmed and relevant requirements communicated and acknowledged. The same can happen when an employee is promoted or transferred to another division or country with a different cyber resilience environment or expectations.
Some cultures also have country-specific HR processes such as employee violation or penalty management. In this case, specific criteria for raising a cyber resilience violation would be beneficial and would help manage the expectations of employees and HR staff.
Solving cyber resilience roles & responsibilities is no easy task, but it is an essential one. It is also a real multiplier of the probability of cyber resilience program success for an organization that relies on the cyber domain to survive, expand, report to stakeholders and run operations.