1 Executive Summary
Organizations need to take a risk-based approach to cyber security. Adopting and using a cyber security framework provides a consistent approach irrespective of how the IT services are delivered.
As organizations undergo Digital Transformation the business impact of cyber risks increases. It is now not a question of “if” your organization will be the target of a cyber attach but “when”. This makes it essential that organizations manage these risks. There are several frameworks that organization could use to help to manage these risks and it may be difficult for an organization to choose between them. This report describes the most commonly used cyber risk management frameworks and identifies the factors that organizations should consider when choosing which one to use.
The adoption of a hybrid IT service delivery model and the race towards digital transformation have increased the challenges of managing cyber security. While the cyber security measures that large scale CSPs (Cloud Service Providers) implement often exceed those that a commercial organization has the skills or budget to afford, the overall responsibility for cyber security is shared and this can lead to errors due to misunderstandings. In any case the ultimate responsibility for managing access to organizational data usually lies with the user organization and many cyber incidents stem from failures by the service user.
There are several frameworks relevant to cyber security including ISO/IEC 27001 and more recently the NIST Cybersecurity Framework. This latter was developed in the USA based on a Presidential Executive Order (EO) 13636 – “to ensure the reliable function of their national critical infrastructure”. This Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. Similar legislation for the security of national critical infrastructure also exists in other parts of the world for example, the NIS Directive in Europe.
The NIST framework has gained popularity since it provides a core set of desired cyber security activities and outcomes using common language that is easy to understand. The Framework Core guides organizations in managing and reducing their cyber security risks in a way that complements an organization’s existing cyber security and risk management processes. It provides implementation Tiers that help to guide organizations to consider the appropriate level for their cyber security program.
Most organizations are implementing some of these standards and best practices and they may well be working effectively. However, many organizations are now using a Hybrid IT delivery model where some of the services may be delivered in house and some by third parties increasingly cloud based. In this Hybrid IT model responsibility for security is shared between the user organization and the service provider. Since each may be using their own chosen standards and best practices, this makes it difficult for the user organization assess the overall risks in a coherent manner.
This report provides an overview of the main frameworks for cyber security risk management and compares these with a set of essential characteristics.