culture

#cybersecurity | #hackerspace | How to Use NIST’s Cybersecurity Framework to Foster a Culture of Cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

Faced with the increasing volume and sophistication of cyber threats, CISOs and security teams need to find ways to garner greater executive support and meaningful budgets to keep their organizations safe. However, recent research reveals that many CISOs aren’t getting the support they need, and this is one of the top reasons why they switch jobs more often than any other role in the C-suite.

According to research conducted by Korn Ferry (via The Wall Street Journal) on the length of tenure of the top 1,000 U.S. companies’ C-suites, average tenure across the entire C-suite was 5.3 years. However, the average tenure of a CIO is lower, at 4.3 years. A survey conducted by Nominet Cyber Security shows that a CISO’s average tenure is about half of that of a CIO. 

While it’s easy to assume that CISOs have shorter tenures because they take the hit as the bearer of bad news (e.g., fired after a data breach), research shows this isn’t the only reason. A research report conducted by the Enterprise Strategy Group (ESG) and ISSA in April 2019 found that the most common reasons security officers quit include the following:

  1. No corporate culture: 36% of the security executives ESG-ISSA surveyed stated that as CISOs, they would change jobs when they felt their employer didn’t have a culture that emphasizes cybersecurity.
  2. No visibility: Nearly one-third of the security executives surveyed stated they would change jobs if they felt they were not being taken seriously and were not actively engaged with the executive leadership team.
  3. No resources: 27% of the security executives surveyed stated they would change jobs if they felt the budgets were not realistic to the risk associated with the company’s size or industry.

In 2020, it is not unusual for an organization to have a disconnect between the C-suite and the technical implementation staff concerning risk tolerance. And to make things worse, the organization is often unaware it has this problem. 

Unless the entire organization is aligned concerning its risk tolerance level, it’s difficult for security executives to secure budgets that are realistic to the risk associated with the company’s size, industry or business model. 

However, with a definitive, universal understanding of what an organization’s governance considers an acceptable level of risk in place, it becomes simple for security leaders to acquire the resources needed to improve cyber resilience.  

What could security professionals do to transform a discussion about risks and risk tolerance objectives from implicit to explicit? 

In this article, we’ll discuss the NIST Cybersecurity Framework — a tool security leaders can use to foster a definitive, organization-wide understanding of what an organization’s governance considers an acceptable level of risk.

Whether you work for a three-year-old company or a hundred-year-old company, the NIST Cybersecurity Framework is a tool you can leverage to assess enterprise-wide risks and foster internal dialogues that align your whole organization on its risk tolerance objectives. This in turn will help your team set better security priorities and secure the budget needed to adequately mitigate IT risks.

Overview of NIST Cybersecurity Framework 

The Framework provides a common language and methodology for managing cybersecurity risk and helps guide key decisions about risk management activities at every level of an organization, from senior executives through the business/process level down to implementation. The Framework draws on best practices from several security standards, organizations, and publications (e.g., ISO 27001, COBIT 5).

Because the Framework is designed to be outcome-driven (as opposed to prescriptive), it works for organizations of all sizes, industries, and maturities. Thus, whether you’re just getting started in establishing a cybersecurity program or you’re already running a fairly mature program, the Framework can provide value — by acting as a top-level security management tool that helps assess cybersecurity risk across the organization.

Key Terminology of the Framework 

The Cybersecurity Framework is made of three major components: 

  • Implementation Tiers
  • Framework Core 
  • Profiles 

Implementation Tiers. The Framework defines four implementation tiers that describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information with external parties.

[Image: NIST_tiers]

Framework Core. A set of cybersecurity activities and references that is common across critical infrastructure sectors and organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.

Functions. One of the main components of the Framework, Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five Functions are Identify, Protect, Detect, Respond, and Recover.

Categories. The subdivisions of a Function into general groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include Asset Management, Access Control, and Detection Processes.

[Image: NIST_Categories]

Subcategories. The subdivision of a Category into specific outcomes of technical and management activities. Think of Subcategories as outcome-driven statements that provide considerations for creating or improving a cybersecurity program.

Examples of Subcategories include: 1) external information systems are cataloged, 2) data-at-rest is protected, and 3) notifications from detection systems are investigated.

Framework Profiles. Profiles are an organization’s unique alignment of its requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the “as is” state) with a Target Profile (the “to be” state).

There isn’t a right or wrong way to approach Profiles. One approach is to map your organization’s cybersecurity requirements, mission objectives, operating methodologies, and current practices against the Subcategories of the Framework Core to create a Current-State Profile.

[Image: NIST_cybersecurity_profiles]

In addition to these components, NIST has also provided a framework for clarifying the communication roles for each level within an organization. 

[Image: NIST_communication]

Source: NIST.gov

Executive level responsibilities: This level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level.

Business/process level responsibilities: This level uses that information as input into the risk management process and then formulates a Profile to coordinate implementation/operation activities.

Implementation/operations level responsibilities: This level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process, and to the implementation/operations level for awareness of business impact.

How the NIST Cybersecurity Framework Can Be Applied  

Several organizations have leveraged the Framework to create a risk heat map for their critical business functions and, through that process, drove organization-wide alignment on risk tolerance and prioritization. Below is the story of how Intel utilized the Framework to achieve meaningful outcomes.

Intel Case Study

Intel used the framework to create a risk heat map that can be used to set risk tolerance baselines, identify areas that need more detailed or technical assessments, identify areas of underinvestment and overinvestment, and assist in risk prioritization. 

Intel divided its computing infrastructure into five critical business functions and piloted the Framework to perform an initial high-level risk assessment for one business function. They conducted the project in four phases:

  1. Set target scores: A core group of security SMEs set target scores, validated Categories, developed Subcategories, and performed an initial risk assessment and scoring. This phase helped the team validate that their approach could be a meaningful tool for prioritization and risk tolerance decisions.
  2. Assess current status: Separate from the core group, several individual security SMEs conducted an independent risk assessment based on the Framework. They individually scored the Categories and noted specific Subcategories where opportunities to improve existed.
  3. Analyze results: They used the heat map format to examine areas of concern at the Subcategory level to further identify specific areas for improvement.
  4. Communicate results: They reviewed their findings and recommendations with Intel’s CISO and staff. This process fostered a dialogue and helped the broader team agree on risk tolerance and prioritization.

[Image: Intel_NIST]

This process brought the organization several benefits. One of the most valuable was the internal dialogue it helped foster — risk conversations became grounded in a shared understanding of the threats, vulnerabilities, and impacts the organization faces, and the organization gained improved visibility into its strengths and opportunities to improve. All of this helps the organization set better security priorities and better deploy budgets and security solutions. And best of all, these results were achieved at a cost of under 175 FTE (full-time employee) hours.

Parting Thoughts

If you’re interested in improving how your organization identifies, detects, responds to, and recovers from cyber risk, the NIST Cybersecurity Framework is a solid tool to incorporate into your risk management practices. To maximize the benefits to your organization, you’ll need to tailor the framework to meet your specific business processes and priorities, start where you’re comfortable, and commit to iterations with decision-makers throughout the process.

Lastly, it’s worth remembering that cyber risk management is not an end result, but an ongoing process of iteration and dialogue about risk.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/nist-cybersecurity-framework/

#cybersecurity | #hackerspace | Six Signs You have a Great Cybersecurity Culture

Source: National Cyber Security – Produced By Gregory Evans

What is security culture? There’s lots of talk about how important security culture is to a security program, but security culture is a nebulous concept to attempt to define — and harder still to measure. It’s also, apparently, difficult to achieve: a survey from the IT […]

Popular #culture #key to giving #cyber security much-needed #boost

The cyber security industry should turn to popular culture to raise awareness of the cyber threat to businesses and consumers and attract new blood to the field, says McMafia author

The cyber security industry is failing to communicate the scale and nature of the threat and is severely under-resourced in skills, according to UK journalist and author Misha Glenny.

“The Spooks BBC television series resulted in a phenomenal increase in applications to work for UK intelligence services, and the same should be done for the cyber security profession,” he said.

Glenny, author of McMafia, who has studied the patterns of “cyber malfeasance” including cyber crime for the past 12 years, believes one of the key failings of the cyber security industry is around communication.

“The generally high levels of misunderstanding and ignorance about cyber vulnerabilities and cyber security in the population as a whole leads to rich pickings in companies and institutions, for social engineers in particular, because people do not understand their function in a regime of digital hygiene,” he said.

This also persists at boardroom level, Glenny told a media briefing at the Palo Alto Networks End User Cybersecurity Summit in London.

The post Popular #culture #key to giving #cyber security much-needed #boost appeared first on National Cyber Security Ventures.

A #corporate culture of #cyber security #awareness: a #dream, or #reality?

Source: National Cyber Security News

In the last few years, cyber security has gone from an issue that’s important to only a small percentage of tech-oriented businesses, to a core priority for organisations of all shapes and sizes across the world.

As such, it’s now common for every business to have cyber security policies in place, and to spend considerable amounts of money making sure they have the software and systems necessary to protect against attacks from cyber criminals. With the Europe-wide General Data Protection Regulation (GDPR) coming into effect, this issue is gaining more prominence than ever before, and the inexorable digitisation of key business processes means this is a trend that’s unlikely to ever be reversed.

However, there’s more to cyber security than simply spending money on the right antivirus programs. To protect your company from the full range of threats out there, you need to be sure that your entire corporate culture is dedicated to the principle and taking the necessary action to prevent threats from developing. This should be the goal for any organisation – particularly given that many firms are not quite living up to this vision just yet.

Why is a cyber security-focused corporate culture so important?

Why #developing an #internal #cybersecurity #culture is #essential for #organizations

Source: National Cyber Security News

ENISA published a report providing organisations with practical tools and guidance to develop and maintain an internal cybersecurity culture.

Understanding the dynamics of cybersecurity culture

The Cybersecurity Culture in Organisations report is based on multi-disciplinary research conducted to better understand the dynamics of how cybersecurity culture can be developed and shaped within organisations.

This research draws from different disciplines, including organisational sciences, psychology, law and cybersecurity as well as the knowledge and experiences of large European organisations. The report provides good practices, methodological tools and step-by-step guidance for those seeking to commence or enhance their organisation’s cybersecurity culture programme.

The idea behind the concept

Cybersecurity culture refers to the knowledge, beliefs, attitudes, norms and values of people regarding cybersecurity and how these manifest in interacting with information technologies. It reflects the understanding that the organisation’s actions are dependent on the shared beliefs, values and actions of its employees, including their attitude towards cybersecurity.

While many organisations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life.

What It Means To Have A Culture Of Cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

“So, how do I get my son back?” The famous line from Tom Mullen, Mel Gibson’s character in the 1996 flick Ransom, paints a clear picture of what we are dealing with today regarding cyberwarfare. But instead of our children being abducted, it’s our data that’s being held captive. Every…

The post What It Means To Have A Culture Of Cybersecurity appeared first on National Cyber Security Ventures.

The 3 Most Common Misconceptions About Cyber Defense — ‘Culture, Complexity, Commitment’

Source: National Cyber Security – Produced By Gregory Evans

Traditionally, tacticians in war have said, “The best defense is a good offense.” However, that statement couldn’t be farther from the truth when it comes to creating a cyberwar defense strategy. We spoke with Joshua Douglas, Chief Strategy Officer of Cyber Services at Raytheon, to uncover other misconceptions about best…

The post The 3 Most Common Misconceptions About Cyber Defense — ‘Culture, Complexity, Commitment’ appeared first on National Cyber Security Ventures.

Child sex abuse royal commission hears of Catholic brothers’ secrecy culture

A secrecy culture of “don’t ask, don’t tell” could explain historical allegations of child sex abuse within a religious order, the royal commission has been told.

The commission’s investigation into the response of the Catholic Church into alleged abuse heard from the De La Salle Brothers, an order which had one of the highest number of alleged perpetrators ministering between 1950 and 2010.

The order was subject to 328 claims of sexual abuse, including 219 claims at its BoysTown facility in Beaudesert in Queensland.

Brother Ambrose Payne told the hearing that throughout the 20th century: “A sense of secrecy was part and parcel with the culture.

The post Child sex abuse royal commission hears of Catholic brothers’ secrecy culture appeared first on Parent Security Online.

We All Have a Race Problem (and Need to Discuss It) – The Intersection: Culture and Race in Schools – Education Week Teacher

We are all struggling with race. We are all operating in a racist society. Unless we talk about it, we can’t fix it.

The post We All Have a Race Problem (and Need to Discuss It) – The Intersection: Culture and Race in Schools – Education Week Teacher appeared first on Parent Security Online.

When Political Meets Personal: Classroom Conversations Post-Election – The Intersection: Culture and Race in Schools – Education Week Teacher

How much do I push back on this student, knowing my own opinion and biases will come into play?

The post When Political Meets Personal: Classroom Conversations Post-Election – The Intersection: Culture and Race in Schools – Education Week Teacher appeared first on Parent Security Online.