Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming. Do you pick the most popular framework for each area, or assemble a collection of applicable frameworks that all drive toward a common goal? There are literally dozens of frameworks to choose from, but the common underlying theme is this: create value for the enterprise. A realistic solution is to create a common core governing model that can link to the myriad standards, models and best practices available while meeting stakeholder needs.
As a former CIO of a managed service provider in North America, I’ve experienced the above. Our company provided outsourced IT services to more than 100 client companies, and we experienced some major issues. Chief among those issues was navigating through the multitude of standards, requirements and compliance needs for each of our tenant organizations. Everyone had different needs, and our charter was to satisfy those needs. Enter the growing demand for a strong cyber security program, and the formula became even more complicated.
We had a gap in our framework architecture that was exposing vulnerabilities in our cyber security posture. At the enterprise level, we used the Balanced Scorecard and COSO to determine the correct balance of performance and conformance, which was good. Now, skip down to the operational level. Here, we were haphazardly applying ‘checklists’ from the various popular frameworks and guidance, including the NIST Special Publications, ISO/IEC 27001 and the CIS Critical Security Controls. As you can probably guess, this is where we became overwhelmed: we had duplicate controls, wasted resources and pressure to meet every part of every security checklist.
There was a gap between enterprise governance and operations; we were missing a vital link. This was the perfect spot to consider the governance of enterprise IT, or GEIT. We needed a mechanism to link the frameworks at the enterprise level with those at the operational level. From our cyber security perspective, we needed this link to be a “framework to manage our frameworks,” and that solution was leveraging COBIT 5 and the NIST Cybersecurity Framework. This was important because, by using risk scenarios as a driver, we could use COBIT and the NIST framework as the critical link, or what I call ‘middleware’ between our enterprise drivers and operational tasks.
This solution allowed our organization to focus our cyber security practices on the stakeholder needs in the key areas that created value, by optimizing our risks and resources. By following the implementation guidance in both COBIT and NIST, we were able to effectively govern and manage our cyber security risks and resources. What were the key benefits of adopting these two frameworks together? Here are the top three reasons for our organization:
- Both have solid implementation guidance. Although each framework has a suggested implementation methodology, they are easily mapped to each other and would be best used together for cyber security adoption. The COBIT implementation method offers a step-by-step approach to adopting good governance practices, while the NIST Cybersecurity Framework implementation guidance focuses specifically on the cyber security-related practices.
- The frameworks reference each other. Each of these frameworks notes where the other complements them. COBIT refers to the appropriate NIST publications at the process level, and NIST refers to COBIT practices as informative references. This allows for better mapping, reduced duplication, and a broader view of a cyber security program as a part of an overall GEIT initiative.
- They both provide a holistic approach. One of the COBIT principles is called “Applying a Holistic Approach,” and it focuses on a set of enablers. Think of these enablers as the ingredients of a holistic GEIT program. The NIST Cybersecurity Framework, on the other hand, is what I consider a holistic approach to a solid cyber security program: it provides a framework core consisting of five functions (Identify, Protect, Detect, Respond and Recover) and includes activities, desired outcomes and applicable references.
If you are overwhelmed with all of the cyber security options facing your organization and you’re not quite sure where to start, give this formula some thought. You may find that it is a great way to get a central governing model for your cyber security efforts.
Editor’s note: For more guidance on implementing the NIST Cybersecurity Framework using COBIT 5, view a new ISACA white paper here.
Mark Thomas, CGEIT, CRISC, President, Escoute LLC
[ISACA Now Blog]