
What Are Your Cyber Risks? A Systematic Way to Assess Cybersecurity

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization. 

By Dawn Marie Bailey
July 18, 2017

Imagine a scenario where you can’t log into computers or use the telephone, paychecks cannot be electronically processed, emergency services can’t access data or coordinate, front-line staff can’t conduct electronic transactions and service is delayed or halted. Such a scenario could be a cyber breach, where data protection for your customers, students, patients, businesses and others is essential.

Does your organization know its cyber risk?

Cyber Risk

Quoted in a 2017 Kansas City Business Journal article, Radware reports that in 2016, 49 percent of businesses were victims of cyber attacks. According to Juniper Research, quoted in a 2016 Forbes article, “rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019.”

Securing states’ information technology (IT) networks was the most pressing concern in the most recent survey of the National Association of State Chief Information Officers (NASCIO). According to Doug Robinson, NASCIO executive director, speaking at a recent National Institute of Standards and Technology (NIST) conference, “Cybersecurity is essential to preserve states’ abilities to effectively serve citizens during a targeted cyber attack, protect federal programs administered by the state, preserve the privacy of personal and sensitive information and support first responders.”

Resource to Assess Risk and Prioritize Improvements

To help organizations assess cyber risk, a new standards-based resource and free download from NIST’s Baldrige Performance Excellence Program was recently made available. (The federal Baldrige Program helps organizations of all sectors improve their performance.) Baldrige Cybersecurity Excellence Builder blends concepts from two recognized NIST frameworks: Baldrige Performance Excellence Framework and Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). Matt Barrett, Cybersecurity Framework program manager, said NIST’s free resources “take something that is highly technical and specialized for cybersecurity experts . . . and make it accessible to experts in other fields.”

Using the open-ended questions of the Baldrige Cybersecurity Excellence Builder, organizations can:

  • Assess the effectiveness of risk management programs;
  • Determine cybersecurity-related activities that are important to strategy and the delivery of critical services;
  • Prioritize investments in managing cybersecurity risk;
  • Assess the effectiveness/efficiency in using cybersecurity standards, guidelines, and practices;
  • Assess their cybersecurity results; and
  • Identify priorities for improvement.

For organizations which currently use the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder can assist implementation in several ways, including at the senior executive level. It can also help assess the effectiveness of their use of the Cybersecurity Framework.

Speaking at a cybersecurity panel at the Baldrige Quest for Excellence© conference, Baldrige Program Director Robert Fangmeyer said the Baldrige Cybersecurity Excellence Builder is adaptable to meet any organization’s specific needs, goals, capabilities and environments. It guides users through a process that details their organization’s distinctive characteristics and strategic situations, and defines the organization’s current cybersecurity approaches. An assessment rubric lets users determine areas of relative strength and weakness. The completed evaluation can lead to an action plan to upgrade cybersecurity practices and management, implement improvements and measure progress and effectiveness, he said.

Steve Caimi, industry solutions specialist, US Public Sector Cybersecurity for Cisco, speaking at the same panel, added that the Baldrige Cybersecurity Excellence Builder helps organizations ask key questions: “How do we assess where we are in the organization [in terms of cybersecurity]? How do we measure our progress and dial the risk down to an acceptable level?”

Why Use the Baldrige Cybersecurity Excellence Builder?

JoAnn Sternke, superintendent of the Pewaukee School District (Waukesha County WI), speaking at the cybersecurity panel, said her school system uses the Baldrige Cybersecurity Excellence Builder to ensure that it is being proactive, intentional and systematic in how it looks at threats.

“We’re committed to student safety and privacy, and we’re committed to secure data,” she said, adding that the resource’s “nonprescriptive questions stretch us. When we can’t answer that question, it points to an area for improvement.”

Pewaukee’s IT Director Amy Pugh added that the school system uses the resource to assess how it is safeguarding student data, personally identifiable data, programming, staff data, payroll, hardware and software assets, the student information system and the financial management system.

Russ Branzell, president/CEO of the College of Healthcare Information Management Executives, speaking at the cybersecurity panel, said he uses the Baldrige Cybersecurity Excellence Builder to frame conversations: “Risk analysis has to occur . . . because there is zero possibility for us to absolutely secure the health care system in this country. [The Baldrige Cybersecurity Excellence Builder] is going to force the entire organization . . . to have the really hard conversations on how much and appropriately where they will be spending the money to secure the organization.”

How to Begin: Start Small

According to the panel speakers, start small to identify your organization’s cyber risk. Said Fangmeyer, “Read the questions. Discuss the questions. Then prioritize what area you should be paying attention to.”

Pugh recommends that organizations start with pages 4 and 5 of the Baldrige Cybersecurity Excellence Builder. “We answered where we could, we created action steps from there, and will continue the journey to get better.”

Download a free copy of the Baldrige Cybersecurity Excellence Builder to assess your own organization’s cyber risk.

Author: Dawn Marie Bailey is a writer/editor with fifteen years of government service and ten years working for nonprofits. She has a Master of Arts degree from George Mason University and a Bachelor of Arts from the University of Connecticut. She can be reached at [email protected]
