Smart Governance for Real Cyber Resilience with the NIST Cybersecurity Framework 2.0

Alex Bodryk
4 min read, Jun 8, 2024


The NIST Cybersecurity Framework 2.0 helps societies and organizations manage their cyber resilience effectively and efficiently through 6 core functions:

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The foundational Govern function hints at how to establish the cyber resilience target state and align it with stakeholder expectations. That said, stakeholders can be many: regulators such as the United Arab Emirates Telecommunications and Digital Government Regulation Authority or the U.S. Securities and Exchange Commission, shareholders, the board of directors, auditors, senior and middle management, customers, and employees too. Hence, identifying, aligning and laying out the relevant target state, goals, and cyber resilience policies may be neither easy nor quick.

The function comprises 6 categories that support anyone striving for good cyber resilience governance:

  1. Organizational Context
  2. Risk Management Strategy
  3. Roles, Responsibilities and Authorities
  4. Policy
  5. Oversight
  6. Cybersecurity Supply Chain Risk Management

I. The Organizational Context category boils down to 5 essential subcategories:

  • The organization has a mission that can inform cyber resilience (hence cyber resilience is an enabler of this mission).
  • Internal and external stakeholders and their respective needs and requirements are identified and managed (hence, strategically, cyber resilience is itself service-oriented and cannot be an end in itself).
  • Legal, regulatory, and contractual obligations are understood and factored into cyber resilience planning.
  • Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated (hence they are going to be delivered or properly run).
  • Outcomes, capabilities, and services that the organization depends on are identified and communicated (hence they are going to be delivered, properly run, or even upgraded if needed).

Stating these 5 subcategories is one thing; completing them is much more challenging. Large, highly regulated or global organizations can have dozens and sometimes hundreds of stakeholders, who can have conflicting requirements and differing expectations of delivery timeframes and quality standards, ranging from poor to reasonable to extreme. That means one has to find a balanced definition of done and revisit it regularly or after a compelling business event, for example:

  • A new privacy law is introduced
  • The firm acquires another one
  • A major business process outsourcing effort is approved

II. The Risk Management Strategy category acknowledges, and offers guidance on how to handle, situations where the world does not live up to our cyber resilience program's expectations, outlining 7 subcategories:

  • 1, 2 and 4: Risk management objectives, risk appetite and risk tolerance statements, as well as strategic direction on appropriate risk response options, have to be established, agreed and communicated.
  • 6: The same goes for a standardized method for calculating, documenting and prioritizing risks.
  • 3: Cyber resilience has to be integrated with the Enterprise Risk Management process.
  • 5: Risk communication lines have to be established across the extended organization, including suppliers and other third parties.
  • 7: Strategic opportunities (i.e., positive risks) are included in cyber resilience discussions.

However sophisticated it looks, the Risk Management Strategy category is a vital element of cyber resilience decision-making. It is therefore better to express risk in dollar terms (even approximate ones), or at least to tie it to business impacts that business managers readily recognize (regulatory inquiries into the organization, lawsuits, customer churn, business process disruption, leaks of sensitive information such as executive team salaries, etc.).

III. The Roles, Responsibilities, and Authorities category suggests how to distribute responsibilities and move the organization further along its cyber resilience course through 5 subcategories:

  1. Organizational leadership knows its responsibility and helps to steer the cyber resilience program and culture.
  2. Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced.
  3. Adequate resources are allocated to implement the cyber resilience program: strategy, roles, responsibilities and policies.
  4. Cybersecurity is included in human resource processes.

This category is as hard as it gets to implement, as any additional role in an organization is either left unfunded or comes under scrutiny. Yet the category rivals strategy in importance, so the cyber resilience lead (manager, director, Chief Risk Officer or Chief Security Officer) has to devote adequate time to defining, advocating, approving and implementing it properly.

IV. The Policy category (2 subcategories) reminds an organization to agree on a cyber resilience policy that is in sync with its Organizational Context and then to implement it consistently.

V. The Oversight category (3 subcategories) shows how to keep Risk Management Strategy practices in check, in particular by evaluating their outcomes, scope/coverage and performance, and adjusting accordingly.

VI. The Cybersecurity Supply Chain Risk Management category offers 10 subcategories on how to extend processes and controls to the supplier part of the organization's operating model; a few selected ones are:

  • Suppliers have to be identified and prioritized by criticality.
  • Planning and due diligence are performed before entering into a supplier or other third-party relationship.
  • Cyber resilience requirements are understood and communicated, integrated into relevant contracts, and managed throughout the relationship.
  • An exit strategy for when the relationship concludes has to be in place and integrated into the relevant legal agreement.

However, one has to remember that every added requirement shrinks the pool of suppliers; at the end of the day there is less competition, and buyer power declines too.

These 45 practices for the Govern function alone are evidence that the cyber resilience job is not going to be easy or quick, but they also help navigate even the biggest ships out there, with thousands, tens of thousands, and hundreds of thousands of employees who need cyber resilience counseling and depend on sustainable firm operations to make a living for their families.
