Implementing a cybersecurity framework to facilitate business innovation
Empowering organizations and nations around the world requires a security-by-design approach: security is considered from the start of every technology project rather than added afterwards. Groundbreaking innovations in technology are changing businesses and business models, connecting people to services that offer convenience and flexibility, and forcing entire industries to reimagine their futures.
The speed of these digital advances, and the disruption they cause, increases the risk of cyberattack. Digitization lets organizations deliver unique, connected, data-driven, on-demand customer experiences at a rapid pace, and each new service, connection and data store adds to the organization's inherent cyber risk.
To address the challenges organizations face, the bottlenecks they encounter and the risks inherent in their business models, a cybersecurity framework was released. It covers four areas that are critical to cyber defense and resilience (vulnerability, threat, incident and crisis management) and is supported by guidelines that treat each area in depth. Together they give a consistent method for reaching a target level of cybersecurity maturity that is commensurate with an organization's risk level.
Digital transformation is the catalyst for more services, experiences and benefits for customers, and it brings increased revenue opportunities as well as risks. Cybersecurity is particularly important to organizations around the world because of the following inherent issues and risks:
- Digital: Products and services that exist only as software and are reachable over networks are exposed to attack by their nature, which makes cybersecurity particularly challenging for the organizations that offer them.
- New business models: The growing adoption of direct-to-consumer models means organizations own the whole delivery chain and must therefore assume end-to-end cybersecurity risk that intermediaries used to carry.
- A connected world: More and more devices connect to the Internet and to each other through the IoT, rapidly multiplying the potential entry points available to attackers.
- Data-driven customer experiences: Collecting more customer data gives an organization a real competitive advantage, but it also makes the organization the custodian of that data; customer trust and loyalty depend on protecting it.
- Lower customer switching costs: Many digital segments have lower switching costs than traditional industries, so customers can quickly and cheaply move to another provider if a company has real or perceived cybersecurity weaknesses.
I. Developing a framework to better respond to threats, vulnerabilities, incidents and crises
Developing the framework involves a series of activities, including, but not limited to, an assessment of the current situation, a gap analysis and a benchmarking exercise. These activities ensure that the final outcome reflects the nuances of the sector, the current challenges of organizations, the control gaps observed, and best practices seen across regions of the world.
The starting point is the understanding that a one-size-fits-all approach is not suitable for a complex and evolving sector. The digital sector changes rapidly, driven both by the ambitions of organizations around the world and by the global innovation landscape and its trends.
Organizations should therefore be encouraged to adopt a level of cybersecurity maturity that matches the complexity of the organization being assessed. Given its importance, the structure of the framework, its basic building block, should be debated widely and should ultimately result in a six-level maturity model.
The framework should also cover the four areas that are critical to an effective cybersecurity defense program: vulnerability, threat, incident, and crisis management.
II. The broader impact of the digital sector on a national and global scale
As more nations launch a new generation of gigaprojects and accelerate their modernization efforts to create a sustainable, investor-friendly business environment, a wave of digital technologies is inevitable. The drive to build the foundations of a digital nation is stronger than ever, and it will require close collaboration among digital businesses, which are the critical enablers of such a nation. The changing dynamics of the sector and evolving digital transformation plans around the world continually push international organizations to innovate and to explore new technologies and delivery models.
With so many digital transformation initiatives under way globally, cybersecurity matters enormously to national economies and to outcomes for citizens and businesses. Several initiatives can improve the overall cybersecurity posture of a nation and its digital sector, such as creating a national cybersecurity authority, publishing a sector-specific cybersecurity framework, and adopting a national cybersecurity strategy.
III. An approach to developing and implementing a framework of practices to strengthen organizational resilience
A. Develop a library of best practices
Although organizations are growing rapidly on a global scale, their cybersecurity procedures may remain underdeveloped. Interviews with key organizational stakeholders show that many organizations and their employees still do not fully understand their cybersecurity duties and obligations. While the need for an assessment of the current state should be evident from internal discussions, identifying the best way to proceed can remain a challenge. A practical first step is to define a library of cybersecurity best practices that draws on established industry standards such as ISO/IEC 27001 (information security management), the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and BS 11200 (the British Standard on crisis management), so that each of the four framework areas is backed by a recognized reference.
B. Current State Analysis
After designing the methodology and approach for the current state analysis, the next step is to select a set of organizations for a pilot assessment. To keep the pilot running smoothly, a digital survey tool should be used to capture responses from organization representatives and consolidate them across the pilot organizations. The aggregated responses feed dashboards that give both an industry-wide view and an enterprise-level view, helping the nation and the individual organizations understand their existing cybersecurity posture.
C. Benchmarking
Benchmarking allows the respective nations to understand effective cybersecurity procedures developed by other nation-states (and possibly their critical sectors) and global practices. Once the need is clear, the procedure for conducting the benchmarking exercise must be agreed and finalized.
D. Gap Analysis
The gap analysis should be based on the results of the company profiling, the domain assessment performed for a sample of IT companies, and the comparison of the nation's current capabilities with the leading cybersecurity practices observed in the benchmarked countries.
A gap analysis report should then be produced that highlights the key areas for improvement in each of the four cybersecurity domains. The report should be divided into two sections: the national or sector-level gap analysis and the organizational-level gap analysis.
E. Framework and Guidelines
To improve the digital sector's cybersecurity posture, nations should follow a path that ultimately produces a framework and guidelines covering four areas: vulnerability, threat, incident, and crisis management. Publishing the framework and its guidelines lets companies reach the required maturity level and put in place a robust infrastructure and the necessary cybersecurity controls.
Sector-specific cybersecurity frameworks are a trend that will continue to grow, because they draw on sector-specific technical expertise and move away from a generic national framework toward one tailored to the needs of the sector. Defining the framework together with a set of guidelines that support its implementation is a leading practice: it considers not only the size and complexity of the business but also the requirements of sector standards and applicable regulatory frameworks.
A one-size-fits-all approach will not necessarily work in a dynamic and volatile industry. The size and complexity of the organization in question are therefore assessed before the required maturity level is identified. Sector authorities should understand the essence of this framework and pay attention to the level of detail and granularity of the digital sector framework and its guidelines.
To be cyber-resilient, organizations must regularly engage the relevant stakeholders on the cyberattacks that could affect each business unit, and must consider cybersecurity risks and threats throughout the technology implementation lifecycle, from design through operation.