2. Turbo Agenda
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
How would I measure my effectiveness?
3. Things to Ponder
205 Days until breach detected (APAC Average)?
Can you say with certainty that you are 100% Secure?
Do you know with certainty that you have NOT been breached?
4. Heard on the street…
Of organizations believe security should be a top or high priority of the business
Of CEOs view security as a top or high priority to the business
Of organizations completely agree that the business has the ability to defend itself from security attacks
7. Communication Gap?
Executive:
• Brand & Reputation of Business
• Ongoing Business Operations
• Risk to Customers
IT Team:
• Is risk at an acceptable level?
• What level of risk are we exposed to?
• Are we compliant with all the regulations that apply to us?
• Is the cybersecurity platform operating as well as it should be?
• Where should we spend additional money?
8. The Survey Says…
Security Frameworks guide the way…
• 84% Leverage a security framework
• Broad range of company sizes
Wide Range of Frameworks Utilized
• 44% used more than one framework
• EOY 2016 - CSF (43%), CIS (44%), ISO (44%)
Best practice & requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it
Security Framework Adoption is a Journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform
Survey conducted by Dimensional Research, March 2016
316 IT and Security Professionals interviewed in US
9. Why Cyber Security Framework?
Asks the question “what are you doing to improve” rather than “did you implement control XYZ”
Results in a shift from compliance to action and specific outcomes
Business oriented
Has built-in maturity model and gap analysis
No need to overlay another maturity model on top of CSF
Measures where you are and where you need to go
Can be implemented “piecemeal” as required, making it more appealing to business
11. Objectives of CSF in a nutshell
• Describe current security posture
• Describe target security posture
• Continuous improvement
• Assess progress towards target posture
• Communicate risk
13. The Cyber Security Framework at 40,000 feet…
Framework Profile (Where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state
Framework Implementation Tiers (How you view cybersecurity)
• Tiers (4) that show how cybersecurity risks and processes are viewed within an organization
• Required Tier based on perceived risk/benefit analysis
CSF Core (What it does)
• Identify
• Protect
• Detect
• Respond
• Recover
16. Risk Profile, Requirements & Resources
Existing Frameworks: ISO/IEC 27001, CIS Critical Security Controls, ISA 62443
“Normalization Layer”: NIST Cybersecurity Framework
Use CSF to “Normalize” existing frameworks to a Common Language
17. CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within the organization, in increasing order of sophistication:
• Partial
• Risk Informed
• Repeatable
• Adaptive
18. CSF Component 3 – Framework Profile
Presents overview of present and future cybersecurity posture
Aligned with the organization’s business requirements, risk tolerance and resources
Used to define current state and desired state
Can help measure progress...
19. How is CSF Different?
Expresses cybersecurity activities in a common language
Leverages existing standards – does not reinvent the wheel – can map existing processes/guidelines into CSF
Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
Provides a vehicle to effectively measure cybersecurity effectiveness independent of existing framework
Framework of frameworks – leverages many different standards at the same time.
Identify
Understand what’s important to the business and what the risks are
Protect
Develop safeguards to ensure CIA (confidentiality, integrity, availability)
Detect
Find bad things
Respond
What you do when bad things happen
Recover
How to restore what the bad guys broke
Defines set of activities that achieve specific cybersecurity outcomes
Functions define 5 basic cybersecurity activities:
Identify, Protect, Detect, Respond, Recover
Closely align with existing methodologies for Incident Management
Categories subdivide functions into program needs and activities:
Examples: Asset Management, Event Detection, Access Control
Subcategories divide category into specific management or technical activities
Examples: Data in transit is protected, Malware is detected
Informative References are specific standards, guidelines, practices, etc.
Maps into existing frameworks
Four Tiers that show how cybersecurity risks and processes are viewed within an organization
Required Tier based on perceived risk/benefit analysis
Tier 1 – Partial
Tier 2 – Risk Informed
Tier 3 – Repeatable
Tier 4 – Adaptive
Tier 1: Processes not formalized, risk managed ad hoc and reactively. Cybersecurity activities not related to organizational risk objectives, threats, business requirements, etc.
Tier 2: Risk management practices approved by management but not organization-wide policy. Cybersecurity activities related to the organization’s risk objectives and threat environment.
Tier 3: Risk management practices are formal policies. Cybersecurity practices updated continuously based on changing business requirements and risks.
Tier 4: Organization changes cybersecurity practices based on lessons learned and predictive indicators from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
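The deck describes the Profile as the place where current and target state are recorded and progress measured, and the Core as the Function → Category → Subcategory hierarchy those states attach to. The following script, added here as an illustration and not taken from the deck or from NIST, puts those pieces together as a small gap analysis. It assumes one thing the CSF itself does not say: that each subcategory outcome is scored on the four-tier scale (1 Partial … 4 Adaptive). The subcategory identifiers follow the CSF v1.1 naming convention (Function.Category-Number) with abbreviated descriptions; the scores in SAMPLE_PROFILE are constructed for the example.

```python
"""Worked gap analysis over a NIST CSF profile (added example, not from the deck)."""
from dataclasses import dataclass

# Implementation Tiers as named in the deck (1 = Partial ... 4 = Adaptive).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# The five Core Functions, in the order the deck lists them; the two-letter
# prefixes follow the CSF subcategory naming convention (Function.Category-N).
FUNCTIONS = ["ID", "PR", "DE", "RS", "RC"]
FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Outcome:
    """One subcategory outcome as scored in the current and target profile.

    Scoring each subcategory on the 1-4 tier scale is an assumption of this
    example; the CSF assigns tiers to the organization as a whole.
    """
    subcategory: str
    description: str
    current: int
    target: int

    def __post_init__(self):
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown function prefix in {self.subcategory}")
        for score in (self.current, self.target):
            if score not in TIERS:
                raise ValueError(f"{self.subcategory}: score {score} is not a tier 1-4")

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]

    @property
    def gap(self) -> int:
        """Tier levels still to climb; at or above target means no gap."""
        return max(self.target - self.current, 0)


# Constructed sample profile: ids follow CSF v1.1, descriptions are abbreviated,
# and the current/target scores are invented for illustration.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "Physical devices and systems are inventoried", 2, 3),
    Outcome("PR.AC-1", "Identities and credentials are managed", 1, 3),
    Outcome("PR.DS-2", "Data-in-transit is protected", 3, 3),
    Outcome("DE.CM-4", "Malicious code is detected", 2, 4),
    Outcome("RS.RP-1", "Response plan is executed during or after an incident", 1, 2),
    Outcome("RC.RP-1", "Recovery plan is executed during or after an incident", 4, 3),
]


def gap_by_function(profile):
    """Sum of tier gaps per Core Function: where the target profile is furthest away."""
    totals = {fn: 0 for fn in FUNCTIONS}
    for outcome in profile:
        totals[outcome.function] += outcome.gap
    return totals


def progress(profile) -> float:
    """Fraction of the target profile already achieved (0.0 .. 1.0).

    Credit above target is not counted, so over-investing in one outcome
    cannot mask a gap elsewhere.
    """
    achieved = sum(min(o.current, o.target) for o in profile)
    wanted = sum(o.target for o in profile)
    return achieved / wanted if wanted else 1.0


def prioritize(profile):
    """Subcategory ids ordered by largest gap first, then by Core Function order."""
    ranked = sorted(profile,
                    key=lambda o: (-o.gap, FUNCTIONS.index(o.function), o.subcategory))
    return [o.subcategory for o in ranked]


def report(profile) -> str:
    """Plain-text summary suitable for the 'where are we, where do we need to go' slide."""
    lines = [f"Progress toward target profile: {progress(profile):.0%}"]
    for fn, total in gap_by_function(profile).items():
        lines.append(f"  {FUNCTION_NAMES[fn]:<8} gap = {total}")
    lines.append("Priority order: " + ", ".join(prioritize(profile)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROFILE))
```

Two design choices carry the deck's points: progress gives no credit for exceeding a target, so a Recover outcome scored above its target does not hide the Protect and Detect gaps, and prioritize lets the programme be worked "piecemeal", closing the largest gaps first without a second maturity model layered on top.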