2017 brings a new focus and urgency to improving cybersecurity at all levels of our society. While a fierce debate rages in Washington, DC over the cyber-intrusion impact on the US presidential election results, our clients are working to strengthen their risk management programs to propel their businesses forward in a safe and profitable way. Many of our clients are utilizing the NIST Cybersecurity Framework (CSF) to guide their efforts.
A key component of the NIST CSF is the use of “implementation tiers” to determine the level of sophistication required to appropriately mitigate cybersecurity risks through an “Integrated Risk Management (IRM) Program”. According to the NIST CSF, “the tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” Below is a summary of the NIST CSF related IRM characteristics supporting each implementation tier.
Tier 1: Partial
There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
Tier 2: Risk Informed
There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.
Tier 3: Repeatable
There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
Tier 4: Adaptive
There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
Gartner also recommends an integrated risk management (IRM) approach to build and sustain successful risk management programs. Under the Gartner definition, IRM focuses on six attributes within three key dimensions of framework, metrics and systems:
- Framework —
- Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership;
- Assessment: Identification, evaluation and prioritization of risks;
- Response: Identification and implementation of mechanisms to mitigate risk
- Metrics —
- Communication and reporting: Provisioning of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
- Systems —
- Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives, and the effectiveness of risk mitigation and controls;
- Technology: Design and implementation of an IRM solution (IRMS) architecture
Our recently published “Risk Management Program Primer for 2017” (available with Gartner subscription) details how companies can incorporate frameworks like NIST CSF into the development of a successful IRM program. In addition, you can discover more about our risk management research agenda and areas of focus for the upcoming year.