Frameworks are great for consultant presentations, but are they relevant to how work actually gets done in the real world? No doubt I have seen my share of boil-the-ocean IT models. I, like most of the pragmatic business leaders of our clients, don’t have time for them. That is why I like identifying cyber risks in SMBs using the NIST Framework. It provides a sophisticated but practical approach for SMBs to identify and manage cyber risks in a way that works for each organization’s uniqueness.
In my last post, I shared an overview of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the five “Functions” in the model. This time, I want to demonstrate how we use the NIST model to get our clients’ businesses into a stronger security posture more easily and quickly, one function or step at a time. These functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The first function in the model is Identify.
In the NIST Identify step, we:
1. Inventory the company’s systems, people, assets, data, and capabilities, then,
2. Structure the organization’s approach to managing cyber risks so it can prioritize its efforts, consistent with its risk management strategy and business needs.
In other words, we catalog everything that could be attacked or go wrong and then prioritize them in order to address them.
Inventory the company’s systems, people, assets, data, and capabilities
Our Inventory process combines a simple, straightforward questionnaire with three technology tools. The questionnaire explores and challenges you to think about your current security-related policies, documentation, and procedures. The technology tools help us identify areas of risk in your technology stack, along with the seen and unseen interdependencies between your technology, processes, and people that create vulnerabilities and operational threats. We involve everyone in the business that we can in the process, because people are the root of good cybersecurity. We meet with various business leaders to discuss applications, third-party platforms, the flow of information, and their concerns. We interview finance, the office manager, operations, and key users who have the working knowledge required to create a holistic picture of the technology and operational environment. The process pulls all of the key players together for 1 to 2 hours of discussion. Then the technology tools are loaded, run, and removed within hours. The whole process takes about 8 hours total. It is designed to have little to no impact on your team’s productivity and produces a robust catalog of potential threats.
Most of our clients suffer from some inertia beforehand because they fear that the process will be time-consuming, difficult, and could expose shortcomings. They are surprised at how quickly and easily they can collect the relevant details, and they feel relief from getting their arms around a comprehensive set of data they can use to create a plan to manage risk. Our clients typically achieve a deeper understanding of their business and of the risks they never knew were threatening it. Many clients say, “I now know what I didn’t know.” They realize that what they thought were common and reasonable business practices are really security vulnerabilities. The inventory allows them to prioritize and correct them, and they are relieved to learn how easily the risk can be addressed.
In one case, we had a large client with an old system that was rarely used but still in production (you know the one, where a lone ranger in the company has to keep a system alive just in case…). Our analysis found that the old system had not been updated in years, and a security flaw in one of its modules had been exploited MONTHS before we arrived. Once we identified the compromise, we fixed it with a simple update and then augmented the maintenance procedures so that an old system can neither be neglected nor remain in production in the first place.
Structuring the organization’s approach to managing cyber risks
Unfortunately, most SMB organizations do not have robust risk management plans, if they have one at all. Using the inventory data above allows us to meet the client where his/her organization is and create the appropriate plan and solutions.
If a client does not have a risk management plan, we jumpstart the process using the NIST Framework’s best practices and templates. If they do have a risk plan in place, we build on its existing structure to make it as robust as possible. When it comes time to prioritize the risks, we ask the client to prioritize them. Each business and its leaders define risk in many different ways (e.g. probability, financial repercussions, effort to address, investment costs, time, etc.). One person’s greatest fear is another’s greatest opportunity. We help guide and quantify the risk so the business can make an educated decision.
Moving from a prioritized list to actions is the easy part. Much of what we find can be addressed immediately with no user impact (e.g. a missing update or new version of firmware). The remaining items that have a business impact (cost, end-user disruption, etc.) get discussed, and we map out a plan for addressing them. Then we create a project plan or a series of helpdesk tickets to resolve each item quickly. We have clients on the simple end of the risk continuum that require simple risk management and solutions to maintain a secure environment, and clients on the opposite end that have complex businesses and environments. We meet with more complex clients regularly about security because they have checkoff sheets and processes that need to be followed, documented, and approved.
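To make the Identify steps above concrete, here is an added example (not code from this post or from our engagement tooling) that models a small inventory and risk register in Python. It flags production systems that have gone without updates, scores each risk with client-defined weights (probability, financial repercussions, and how easy the fix is), and then sorts the fixes into immediate helpdesk tickets versus items that need a project plan because they disrupt users. Every asset name, date, score, and weight is constructed for illustration; the 1-to-5 scales and the 90-day maintenance window are assumptions, not NIST requirements.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# All names, dates, scores and weights below are constructed for illustration.
TODAY = date(2024, 6, 1)  # fixed "as of" date so the results are reproducible


@dataclass
class Asset:
    name: str
    owner: str                  # the person who keeps the system alive
    in_production: bool
    last_updated: date          # last patch, firmware or version update
    data_sensitivity: int       # 1 (public) .. 5 (financial / regulated)
    business_criticality: int   # 1 (nice to have) .. 5 (business stops)


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int         # 1..5, estimated together with the asset owner
    financial_impact: int   # 1..5
    effort: int             # 1 (apply an update) .. 5 (replace the system)
    user_impact: bool       # does the fix disrupt end users?


INVENTORY = [
    Asset("Legacy inventory server", "Pat", True, date(2021, 3, 15), 4, 2),
    Asset("Accounting SaaS", "Finance", True, date(2024, 5, 20), 5, 5),
    Asset("Office Wi-Fi controller", "Office manager", True, date(2024, 1, 10), 2, 3),
    Asset("Retired CRM VM", "Pat", False, date(2019, 8, 1), 4, 1),
]

RISKS = [
    Risk("Legacy inventory server", "Unpatched module reachable from the office LAN", 5, 4, 1, False),
    Risk("Office Wi-Fi controller", "Firmware two releases behind", 3, 2, 1, False),
    Risk("Accounting SaaS", "Shared login used by three staff, no MFA", 4, 5, 3, True),
    Risk("Retired CRM VM", "Still powered on, holds old customer data", 2, 2, 2, False),
]

# The client's own definition of risk, expressed as weights (hypothetical values).
CLIENT_WEIGHTS = {"likelihood": 2, "financial_impact": 3, "ease": 1}


def find_neglected(inventory, today=TODAY, max_age_days=90):
    """Production assets with no update inside the assumed maintenance window."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.name for a in inventory if a.in_production and a.last_updated < cutoff]


def find_orphaned(inventory):
    """Assets out of production but still on the books: decommission candidates."""
    return [a.name for a in inventory if not a.in_production]


def risk_score(risk, weights):
    """Weighted score; 'ease' (inverse of effort) lets quick wins surface."""
    ease = 6 - risk.effort
    return (weights["likelihood"] * risk.likelihood
            + weights["financial_impact"] * risk.financial_impact
            + weights["ease"] * ease)


def prioritize(risks, weights):
    """Highest score first; ties keep register order because sorted() is stable."""
    scored = [(risk_score(r, weights), r) for r in risks]
    return sorted(scored, key=lambda pair: -pair[0])


def triage(risks):
    """Fixes with no user impact become tickets now; the rest go into a project plan."""
    plan = {"helpdesk_tickets": [], "project_plan": []}
    for r in risks:
        plan["project_plan" if r.user_impact else "helpdesk_tickets"].append(r)
    return plan


if __name__ == "__main__":
    print("Neglected:", find_neglected(INVENTORY))
    print("Orphaned:", find_orphaned(INVENTORY))
    for score, r in prioritize(RISKS, CLIENT_WEIGHTS):
        print(f"{score:3d}  {r.asset}: {r.description}")
    for bucket, items in triage(RISKS).items():
        print(bucket, [r.asset for r in items])
```

Changing the weights is the point: with the client weights above, the unpatched legacy server and the shared accounting login come out on top, while a client who weights ease of fix heavily will see the Wi-Fi firmware update jump ahead of the accounting change. The ranking is a conversation aid for the business-to-IT discussion, not a substitute for it.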
Conclusion: Identifying cyber risks in SMBs using the NIST Framework
SMBs must identify risks before anything can be done to mitigate them. A systematic approach like the NIST Framework is a viable way to ensure a stable and robust cybersecurity posture. It all starts with the Identify function. The process may seem daunting at first glance, but it’s really not if you have the correct process, people, and support in place to execute it.
Are you truly comfortable with asking your IT people how they handle security and getting an answer like, “We do all kinds of stuff!”? Pragmatic business leaders are not. By identifying where your risks are, you can have a MEANINGFUL business-to-IT discussion about your risks. From there, you are in a position to move forward and determine the right plan to protect your people, systems, and data.