The importance of Cyber Security Frameworks (CSFs)
By Andy Norton, European Cyber Risk Officer
Since 2013, when President Obama signed Executive Order 13636, new regulations and legislation have been implemented all around the world that mandate higher levels of cyber resilience from organisations that are deemed essential or critical, or that hold personal information on citizens.
This new wave of legislation has teeth and carries significant penalties. Around the globe, various CSFs have been designed to interpret the desired outcomes of the legislation and detail implementation steps to ensure a best-practice adoption of the legislation.
CSFs offer key benefits
- Systemic safe harbour response
CSFs provide Cyber Herd Immunity; they are the acknowledged industry-wide appropriate and proportionate set of security measures that reduce exposure from idiosyncratic guesswork permeating risk analysis and security implementation.
- Strategic Alignment
A CSF provides a common language and platform for all protagonists in an organisation to buy into and understand their role. A CSF is an agreed written constitution that establishes trust in board level assertions in assurance and certainty and value recognition in operational and functional activity to support the strategic direction.
- Accountability and Tangibility
A CSF establishes leadership and cultural principles of cybersecurity at the heart of an organisation, leading to clarity and accountability in defined levels of resilience. In addition, a CSF allows for the creation and sharing of common metrics and indicators, facilitating peer review and systemic comparison of functional capabilities and maturities across the various cyber disciplines.
- Legal Protection and Profitability
Gartner predicts 75% of CEOs will be liable for Cyber-Physical attacks by 2024. To minimise the civil liability of the defending organisation, certain legislation acknowledges that it is a valid defence of the organisation to demonstrate they took all reasonable steps and diligently implemented controls in accordance with CSF requirements to avoid a security compromise. In addition, certain frameworks reward organisations that can also demonstrate diligent levels of implementation and attain standards of defined maturity and capability by being able to return higher levels of gross profit margins.
A CSF has been noted in many research papers to have other benefits for organisations. A non-exhaustive list includes:
- Less friction: Boards, business units, IT, networks, and security have demonstrated better working relationships after the adoption of a unifying CSF.
- More agility: A CSF allows for a better understanding of priorities and required responses to a changing environment, and aligns all departments to unite and adapt as one.
- More certainty: A CSF requires organisations to adopt a best-practice approach to risk management; this results in higher levels of confidence in resisting attack and produces key performance indicators to measure levels of resilience.
- Better performance: Organisations with CSF adoption consistently outperform their peers who have lesser capability in governance oversight.
- Diligent budgeting and justifiable expenditure: In the absence of a well-understood strategy with supporting risk analysis and defined priorities, investment in cybersecurity is often influenced by a subjective belief in vendor silver-bullet technology, by expert and cognitive bias, or by binary thinking. History tells us this approach does not return the desired outcome. A CSF allows for spectrum thinking and a non-biased, well-understood investment strategy in cyber operations.
Every time a board member asks the question “If we do this, will we be secure?” they have either become annoyed and frustrated or been misled by the answer. CSFs enable reasoned and considered dialogue. Changing that question to “If we do this, how much more resilient will we be?” will return a much better and more easily understood answer.
If you do this, you will achieve the highest level of capability and maturity in the controls that address the requirements stated in the existing risk analysis. There are never any guarantees, but you will attain a level of resilience regarded as the pinnacle of governance under the industry- and regulator-recognised best practice prescribed in a CSF.
That is a good place to be.