Checkup: a physical for the enterprise
We get annual physical exams for our health. It’s time the enterprise did, too.
Daniel Chiang | October 21, 2015
As I get older, the importance of my health has become more and more of a priority. In college, I ate whatever I wanted, whenever I wanted, with little regard for the consequences. Now, as an adult, those loaded potato skins and chips inevitably show up on my next physical exam.
My consumption awareness mirrors the way many companies—especially late-stage startups and those in growth mode—view cybersecurity.
In the beginning, they could ship code in any way found to minimize disruption and maximize functionality, with little regard for the impact it could have on the consumer or the enterprise. Similarly, IT operations were more focused on availability, uptime, and overall support.
However, unlike my annual physical, there's no clear "physical exam" that indicates the overall health of an organization when it comes to cybersecurity.
The case for an annual exam for the enterprise
Luckily, industry awareness of the need for such an exam is growing. As more and more corporate boards ask "How are we handling cybersecurity?" after weekly reports of data breaches and loss of intellectual property, CISOs and executives alike need a centralized framework to visualize and gauge their approach to cybersecurity.
At Slalom, we believe that the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) is the best framework for gauging an organization's cybersecurity health. Released in 2014, the NIST CSF was designed by a panel of private- and public-sector cybersecurity experts in an effort to more closely align cybersecurity efforts across industries and with regulatory compliance considerations.
Cybersecurity measurement tool
Slalom has developed a tool built around each of the five cybersecurity functions of the NIST framework:
- Identify: Do you know what's in your environment and who's responsible for it?
- Detect: Can you detect errors, attacks, and other cyber incidents within your environment?
- Protect: Are you adopting industry-leading practices for encryption and other data protection measures?
- Respond: Can you respond effectively to incidents when they occur, to minimize the impact on the business and eliminate secondary threats?
- Recover: What measures do you have in place to fully recover from any operational or reputational damage?
Each section is then evaluated through a questionnaire against a maturity rating of one to four in three areas:
- Completeness: To what degree is this function being performed?
- Resourcing: To what degree is this function appropriately resourced?
- Timeliness: To what degree is this function updated or maintained in a timely manner?
Using the questionnaire, the resulting output looks something like this:
Cybersecurity health benchmark
Slalom has several benchmarks, pulled from industry publications and other standards, that show the industry average. Using this information, an organization can clearly tell how it stacks up against the competition and, when the exam is completed annually, how its cybersecurity functions are performing year over year.
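The scoring model described above (five functions, each rated one to four in three areas, then compared against an industry benchmark and against last year's result) is simple enough to show in code. The following is an added illustration, not Slalom's tool: the questionnaire results, the benchmark values, and the helper names are all constructed for the example, and the way the per-function score is formed (a plain average of the three area ratings) is an assumption, not something the post specifies.

```python
"""Maturity scoring over the five NIST CSF functions.

Added illustration only; this is not Slalom's tool. The averaging rule, the
sample questionnaire results and the benchmark numbers are all constructed.
"""

FUNCTIONS = ("Identify", "Detect", "Protect", "Respond", "Recover")
AREAS = ("Completeness", "Resourcing", "Timeliness")
MIN_RATING, MAX_RATING = 1, 4  # the one-to-four maturity rating from the text


def validation_errors(scores):
    """Return a list of problems with a questionnaire result (empty list means valid).

    `scores` maps function -> area -> integer rating in MIN_RATING..MAX_RATING.
    """
    errors = []
    for fn in FUNCTIONS:
        areas = scores.get(fn)
        if areas is None:
            errors.append(f"{fn}: no ratings recorded")
            continue
        for area in AREAS:
            rating = areas.get(area)
            # bool is a subclass of int, so reject True/False explicitly
            if (isinstance(rating, bool) or not isinstance(rating, int)
                    or not MIN_RATING <= rating <= MAX_RATING):
                errors.append(f"{fn}/{area}: rating must be an integer "
                              f"{MIN_RATING}-{MAX_RATING}, got {rating!r}")
    return errors


def function_maturity(scores):
    """Average the three area ratings of each function (assumed rule), 2 decimals."""
    errors = validation_errors(scores)
    if errors:
        raise ValueError("; ".join(errors))
    return {fn: round(sum(scores[fn][a] for a in AREAS) / len(AREAS), 2)
            for fn in FUNCTIONS}


def gap(scores, reference):
    """Per-function difference between this result and a reference set of
    maturity values (an industry benchmark or last year's result). Negative = below."""
    ours = function_maturity(scores)
    return {fn: round(ours[fn] - reference[fn], 2) for fn in FUNCTIONS}


def priorities(scores, benchmark):
    """Functions that fall below the benchmark, largest shortfall first."""
    g = gap(scores, benchmark)
    return sorted((fn for fn in FUNCTIONS if g[fn] < 0), key=lambda fn: g[fn])


def assessment(this_year, last_year, benchmark):
    """Combine maturity, industry gap and year-over-year movement per function."""
    maturity = function_maturity(this_year)
    vs_industry = gap(this_year, benchmark)
    year_over_year = gap(this_year, function_maturity(last_year))
    return {fn: {"maturity": maturity[fn],
                 "vs_industry": vs_industry[fn],
                 "year_over_year": year_over_year[fn]} for fn in FUNCTIONS}


# Constructed questionnaire results for a hypothetical organization.
THIS_YEAR = {
    "Identify": {"Completeness": 3, "Resourcing": 2, "Timeliness": 3},
    "Detect":   {"Completeness": 2, "Resourcing": 2, "Timeliness": 1},
    "Protect":  {"Completeness": 3, "Resourcing": 3, "Timeliness": 3},
    "Respond":  {"Completeness": 2, "Resourcing": 1, "Timeliness": 2},
    "Recover":  {"Completeness": 2, "Resourcing": 2, "Timeliness": 2},
}
LAST_YEAR = {
    "Identify": {"Completeness": 2, "Resourcing": 2, "Timeliness": 2},
    "Detect":   {"Completeness": 1, "Resourcing": 1, "Timeliness": 1},
    "Protect":  {"Completeness": 3, "Resourcing": 2, "Timeliness": 2},
    "Respond":  {"Completeness": 1, "Resourcing": 1, "Timeliness": 2},
    "Recover":  {"Completeness": 2, "Resourcing": 2, "Timeliness": 1},
}
# Constructed placeholder benchmark; not Slalom's industry figures.
BENCHMARK = {"Identify": 2.8, "Detect": 2.4, "Protect": 3.0,
             "Respond": 2.2, "Recover": 2.0}


if __name__ == "__main__":
    report = assessment(THIS_YEAR, LAST_YEAR, BENCHMARK)
    print(f"{'Function':<10}{'Maturity':>10}{'vs industry':>13}{'vs last year':>14}")
    for fn, row in report.items():
        print(f"{fn:<10}{row['maturity']:>10}{row['vs_industry']:>13}"
              f"{row['year_over_year']:>14}")
    print("Priorities:", ", ".join(priorities(THIS_YEAR, BENCHMARK)))
```

The validator returns its findings rather than stopping at the first bad answer, so an incomplete questionnaire produces one list of everything still missing; `priorities` then orders the functions by how far below the benchmark they sit, which is the list a CISO would take into the board conversation the post opens with.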
A person's health is a complex calculation based on many physical and environmental factors. An organization is no different. Just as an annual physical exam gives you a strong sense of how your overall health is trending year over year, Slalom's NIST CSF tool can give organizations a strong sense of how they're handling cybersecurity annually.
To learn more about the tool and how Slalom can help you handle your cybersecurity challenges, please contact us at firstname.lastname@example.org.
Now if you’ll excuse me, I’ll be at the gym working off those loaded potato skins.
Daniel Chiang is no longer with Slalom.