
Keynote Session : NIST - Cyber Security Framework Measuring Security


Page 1: Keynote Session : NIST - Cyber Security Framework Measuring Security

Critical Security Framework MEASURING Security

Dick Bussiere | Technical Director | Asia Pacific

Page 2:

Turbo Agenda

• What is the NIST Cybersecurity Framework?

• Why should YOU care?

• How would I apply it?

• How would I measure my effectiveness?

Page 3:

Things to Ponder

• 205 days until a breach is detected (APAC average)?

• Can you say with certainty that you are 100% secure?

• Do you know with certainty that you have NOT been breached?

Page 4:

Heard on the street…

• 88% of organizations believe security should be a top or high priority of the business

• 68% of CEOs view security as a top or high priority to the business

• 16% of organizations completely agree that the business has the ability to defend itself from security attacks

Page 5:

IF YOU CAN'T MEASURE IT, YOU CAN'T CONTROL IT

Page 6:

IF YOU CAN'T MEASURE IT, YOU CAN'T IMPROVE IT

Page 7:

Communication Gap?

Executive:

• Brand & reputation of the business

• Ongoing business operations

• Risk to customers

IT Team:

• Is risk at an acceptable level?

• What level of risk are we exposed to?

• Are we compliant with all the regulations that apply to us?

• Is the cybersecurity platform operating as well as it should be?

• Where should we spend additional money?

Page 8:

The Survey Says…

Security frameworks guide the way

• 84% leverage a security framework

• Broad range of company sizes

Wide range of frameworks utilized

• 44% used more than one framework

• EOY 2016 - CSF (43%), CIS (44%), ISO (44%)

Best practice & requirements drive CSF adoption

• 70% adopted CSF because they consider it best practice

• 29% adopted CSF because a partner required it

Security framework adoption is a journey

• Only 1 in 5 rank their organization as very mature

• More than half of CSF adopters require significant investment to fully conform

Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US.

Page 9:

Why Cyber Security Framework?

• Asks the question "what are you doing to improve" rather than "did you implement control XYZ"

• Results in a shift from compliance to action and specific outcomes

• Business oriented

• Has a built-in maturity model and gap analysis

• No need to overlay another maturity model on top of CSF

• Measures where you are and where you need to go

• Can be implemented "piecemeal" as required, making it more appealing to the business

Page 10:

Why Cyber Security Framework?

• Repeatable

• Flexible

• Technology Neutral

• Cost Effective

• Measurable!

• Common Language

Page 11:

Objectives of CSF in a nutshell

• Describe current security posture

• Describe target security posture

• Assess progress towards target posture

• Communicate risk

• Continuous improvement

Page 12:

A Framework of Frameworks

NIST CYBERSECURITY FRAMEWORK draws on:

• ISO/IEC 27001

• CCS CSC1

• ISA 62443

• NIST SP 800-53

• COBIT 5

5 in 1!

Page 13:

The Cyber Security Framework at 40,000 feet…

Framework Profile (where you are and where you want to go)

• Defines (measures) current state

• Defines (measures) desired state

Framework Implementation Tiers (how you view cybersecurity)

• Tiers (4) that show how cybersecurity risks and processes are viewed within an organization

• Required Tier based on perceived risk/benefit analysis

CSF Core (what it does)

• Identify • Protect • Detect • Restore • Recover

Page 14:

CSF Component 1 – Framework Core

Framework Core functions:

• Identify

• Protect

• Detect

• Respond

• Recover

Page 15:

Structure

Page 16:

Risk Profile, Requirements & Resources

Existing Frameworks:

• ISO/IEC 27001

• CIS Critical Security Controls

• ISA 62443

NIST Cybersecurity Framework as the "Normalization Layer"

Use CSF to "normalize" existing frameworks to a common language.

Page 17:

CSF Component 2 – Framework Implementation Tiers

How cybersecurity risks and processes are viewed within the organization, in order of increasing sophistication:

• Partial

• Risk Informed

• Repeatable

• Adaptable

Page 18:

CSF Component 3 – Framework Profile

• Presents an overview of present and future cybersecurity posture

• Inputs: business requirements, risk tolerance, resources

• Used to define current state and desired state

• Can help measure progress...
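The Profile slides (and the "measures where you are and where you need to go" point on the Why CSF slide) describe the mechanics in outline: record a current state and a desired state per Core function, then report the gap and the progress between them. The Python below is an added example, not code from the keynote, from Tenable or from NIST. It assumes, for arithmetic only, that the four Implementation Tiers named on the slides map onto an ordinal scale 1..4; the function names follow the Core slide (with Respond rather than Restore), and every tier value in the sample profile is constructed for illustration rather than taken from any real assessment.

```python
"""Added example (not from the keynote): measuring progress against a
CSF Framework Profile. Tier values and sample data are constructed; the
numeric tier scale 1..4 is this example's assumption, not NIST's."""
from dataclasses import dataclass

# Implementation Tiers as named on the slides, mapped to an ordinal scale
# (assumption: tiers are treated as 1..4 so gaps can be computed).
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptable"}

# The five Framework Core functions.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Profile:
    """Tier per Core function at three points: where the programme started
    (baseline), where it is now (current) and where it wants to go (target)."""
    baseline: dict
    current: dict
    target: dict

    def __post_init__(self):
        # Reject incomplete or out-of-range profiles before any arithmetic.
        for label, tiers in (("baseline", self.baseline),
                             ("current", self.current),
                             ("target", self.target)):
            missing = [f for f in FUNCTIONS if f not in tiers]
            if missing:
                raise ValueError(f"{label} profile lacks functions: {missing}")
            bad = [f for f in FUNCTIONS if tiers[f] not in TIER_NAMES]
            if bad:
                raise ValueError(f"{label} profile has tiers outside 1..4: {bad}")


def gap(profile):
    """Tiers still to climb per function; 0 when current meets or exceeds target."""
    return {f: max(0, profile.target[f] - profile.current[f]) for f in FUNCTIONS}


def progress(profile):
    """Fraction of the baseline-to-target journey completed per function,
    clamped to [0, 1]. A function whose target is at or below its baseline
    had no gap to close and counts as complete."""
    result = {}
    for f in FUNCTIONS:
        span = profile.target[f] - profile.baseline[f]
        if span <= 0:
            result[f] = 1.0
        else:
            done = (profile.current[f] - profile.baseline[f]) / span
            result[f] = min(1.0, max(0.0, done))
    return result


def overall_progress(profile):
    """Unweighted mean progress across the five functions."""
    return sum(progress(profile).values()) / len(FUNCTIONS)


def priorities(profile):
    """Functions with an open gap, largest gap first (ties keep Core order)."""
    gaps = gap(profile)
    return sorted((f for f in FUNCTIONS if gaps[f] > 0),
                  key=lambda f: (-gaps[f], FUNCTIONS.index(f)))


def report(profile):
    """Human-readable view for the 'communicate risk' conversation."""
    gaps, prog = gap(profile), progress(profile)
    lines = []
    for f in FUNCTIONS:
        lines.append(f"{f:<9} current={TIER_NAMES[profile.current[f]]:<14}"
                     f" target={TIER_NAMES[profile.target[f]]:<14}"
                     f" gap={gaps[f]} progress={prog[f]:.0%}")
    lines.append(f"Overall progress toward target profile: {overall_progress(profile):.0%}")
    lines.append("Priorities: " + (", ".join(priorities(profile)) or "none open"))
    return "\n".join(lines)


# Constructed sample profile (illustrative values, not real assessment data).
SAMPLE = Profile(
    baseline={"Identify": 1, "Protect": 1, "Detect": 1, "Respond": 1, "Recover": 1},
    current={"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 2},
    target={"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 2},
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Keeping a baseline alongside the current and target profiles is what turns the two-state picture on the slide into a progress figure that can be reported quarter over quarter; the clamping in `progress` and the validation in `Profile` are there so a function that overshoots its target, or a profile with a missing function, produces a sensible answer or a clear error rather than a silently wrong percentage.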

Page 19:

How is CSF Different?

• Expresses cybersecurity activities in a common language

• Leverages existing standards – does not reinvent the wheel – existing processes/guidelines can be mapped into CSF

• Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives

• Provides a vehicle to effectively measure cybersecurity effectiveness independent of the existing framework

Page 20:

Ingredients to Measuring Compliance

• Endpoint Assessment

• Network Monitoring

• Analytics

• Event Monitoring

Page 21:

Thank You

Dick Bussiere | Technical Director | Asia Pacific