This is the second in a recurring series that explores the cybersecurity principles and best practices found within the National Institute of Standards & Technology Cybersecurity Framework. You may recall from my first post that NIST organizes cybersecurity risk management into five high-level functions: Identify, Protect, Detect, Respond and Recover.
Placed within the Identify function is a category labeled “business environment,” which refers to an organization’s ability to inform its cybersecurity roles, responsibilities, and risk management decisions with a solid understanding and prioritization of its corporate mission, objectives, stakeholders and business activities. In short, business-specific needs should drive every network security program.
If your security program is not tailored to what your company does and what your company has, your organization is bound to be doing too little in some areas and perhaps even too much in others. I refer to this problem as having flat security. Mature security programs, by contrast, covering both physical and cyber security, consider and deploy different levels of controls (and different levels of spending) based on a continuous review of their business environment.
Unfortunately, many if not most companies fail to achieve this NIST Framework outcome. Consider the findings of one widely reported performance management survey, conducted by author William Schiemann, in which only 14 percent of employees properly understood their company’s overall strategy and direction.
If these findings strike a chord within your organization, you would do well to ask whether your Information Technology security personnel fall within the smaller group of employees who are in the know, or instead join the nearly nine out of 10 employees who haven’t been adequately informed of – and whose compensation isn’t tied to – your overall corporate goals. Senior leadership and Boards aren’t off the hook either. Every level of an organization must get educated and stay focused on the relationship between business and security. Has anyone in your company with a business development, audit or risk role reviewed your security strategy to ensure it is customized to meet the differing business demands (including legal requirements) of protecting confidentiality, integrity and availability where it matters most?
Read the full post on Security Magazine.