Whether an organization has a mature cybersecurity program in place or is in the early stages of implementing a cybersecurity program, many variables should be considered. During 2020, some cybersecurity risks were brought to the forefront. Most notably, the COVID-19 pandemic brought us a new remote workforce, and more recently, the SolarWinds security breach has put additional focus on vendor and third-party risk management. As organizations adjust their business models to address changing landscapes, cybersecurity risks should continually be assessed and cybersecurity frameworks should be implemented and/or updated to best align with organizational missions and strategies.
Should we put time, resources and funding towards a new vulnerability scanning solution or roll out multi-factor authentication? How would providing least-privileged user access affect our end users? Do our policies and procedures reflect remote operations and remote access? Who is responsible for vendor risk management and its inclusion of technology-related risks?
These are a few of the many questions organizations may be asking themselves to address the challenges that arise when implementing a cybersecurity control framework. Identifying your critical assets and significant operations will help your organization in answering these questions.
It is important to note that cybersecurity frameworks are not one-size-fits-all. There is guidance available, such as the NIST Cybersecurity Framework (CSF), to provide general direction on how to implement one. These frameworks identify fundamental areas of a cybersecurity framework and document internal controls that could be implemented within these areas. However, many organizations may spend unnecessary time and energy trying to capture all elements of these frameworks when the risk versus reward tradeoff is insignificant to the overall cyber risk landscape.
Cybersecurity threats have become more sophisticated and tend to rely on human intervention and end-user involvement. Devoting thousands or hundreds of thousands of dollars to specific software and technologies, with the hopes that frontline defense will secure everything, will not provide the threat mitigation that many organizations hope for. Cybersecurity should be prioritized as an organizational matter and not just one reliant on IT operations and security professionals.
To address challenges that may arise when implementing a cybersecurity framework, organizations should conduct a cybersecurity risk assessment to understand what are the greatest cybersecurity risks posed to the organization. Results of this risk assessment should be reviewed in alignment with an organization’s mission and business strategy. This collaborative review ensures that cybersecurity time, resources and potential funding are best placed in areas of the organization that pose the greatest risk to the ongoing business and operations.
The end goal of any cybersecurity framework is to establish internal controls that mitigate cybersecurity risks posed to an organization. Identifying the risks and potential controls is only the first step in implementing a cybersecurity framework. Finding the appropriate balance of time and resource allocation is the critical next step. To make the most of a cybersecurity framework, resources and funding should be allocated to ensure controls are in place to address the highest areas of risk without hindering business operations and strategic objectives.
For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.