The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Jacqueline Calhoun
October 15, 2018
How do you know, as a government leader, whether you are doing enough to address cybersecurity risk? One way to find out is to assess your organization’s cybersecurity performance using the Baldrige Cybersecurity Excellence Builder (BCEB), a tool that draws on two frameworks developed at the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).
The BCEB is a voluntary self-assessment tool that enables leaders of any organization to better understand the effectiveness of its cybersecurity risk-management efforts. It helps the organization identify strengths and opportunities for improvement in managing cybersecurity risk based on the organization’s operational and strategic objectives, as well as the needs and expectations of key stakeholders.
The BCEB combines concepts from NIST’s Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework, Version 1.1, NIST CSF) with the Baldrige Excellence Framework. Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. Through interrelated sets of open-ended questions, it encourages leaders to use the approaches that best fit their organizations and effectively address their most important cybersecurity needs.
Defining Leaders
The BCEB defines leaders as an organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations.
The “Leadership” item in the BCEB asks how the personal actions of an organization’s senior leaders and cybersecurity leaders, as well as the characteristics of its governance system, demonstrate and reinforce accountability, and guide and sustain its cybersecurity policies and operations. Following are questions from the two key areas of leadership in this item:
1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?
1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?
Assessment Scope
Two early decisions help an organization get started on a self-assessment of its cybersecurity program. First, leaders should determine whether the self-assessment will cover the full organization, a single subunit, or selected parts of the organization. Second, they should select individuals with leadership and facilitation skills and broad knowledge of the cybersecurity management system to lead the effort as “champions.”
Getting Started
Not Ready, Start Here
If your organization is not ready to complete the full self-assessment after completing the Organizational Context, consider doing a self-assessment using just one category or item in which you need improvement. Answer the individual questions in the selected category; then, when ready, conduct a full self-assessment to reveal key linkages between your chosen category and the other items. This will give you the systems perspective embodied in the seven integrated categories.
Additional Support
View a webcast for a brief overview on integrating the BCEB with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Start learning about the BCEB as you begin to plan for a self-assessment of your cybersecurity risk management system. For hands-on leadership development, leaders in any sector may also find it beneficial to apply to participate as part of a year-long cohort of the Baldrige Executive Fellows Program to learn how national role-model organizations are using the Baldrige Excellence Framework to maintain high performance.
Author: Jacqueline Calhoun is a senior staff member of the Baldrige Performance Excellence Program at NIST. A current member of the federal program’s Marketing and Partnering Team, she also has led and served on teams since 1993 directing publications management and volunteer training and workforce development. Prior to her work with the Baldrige program, she worked as a physical scientist in the NIST Physics Laboratory, Center for Radiation Research.