Intelligent CIO North America Issue 14 | Page 46

CIO OPINION
Technology solutions must be able to properly support people and processes.
Use security frameworks for guidance
To achieve security objectives that lead to reduced risk and cyber maturity, cybersecurity frameworks are known to provide useful guidelines. To meet cyber-resilience objectives, businesses can use specific aspects or combinations of frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Center for Internet Security (CIS) Security Controls.

The CIS Security Controls cover a prioritized set of actions to help organizations identify and protect their data from known attack vectors. From this list, the most critical controls to implement include inventories of hardware and software assets, continuous patch management, controlled use of account privileges, secure system configuration baselines, and the maintenance, monitoring and analysis of audit logs. Most of these controls can be achieved with technology that an organization already has in place.

The CIS Security Controls map directly to the NIST Cybersecurity Framework, which compiles industry standards and best practices into a cohesive format that organizations can use to better manage their risks. This framework is based on the five key functions required for cyber-resilience: identify, protect, detect, respond and recover. Since it's not prescriptive, it provides businesses with guidance on the outcomes they need to achieve. It is then up to the company to define which capabilities they will need to develop to reach these outcomes.

These include understanding the environment and identifying vulnerabilities and gaps in order to better manage risks to people, data, assets and systems; limiting and containing impacts resulting from attacks; the timely detection of cyber events; effectively responding to incidents; and finally, recovery capabilities to restore normal, safe operations.

Businesses that establish or strengthen their capabilities in each of these five functional areas will be in a much better position to reduce the potential for adverse outcomes. Since no two organizations are the same, there isn't a silver bullet for how to achieve cyber-resilience.

Nevertheless, building cyber-resilience needs to be a fundamental objective for every business. Since most organizations already have many of the required capabilities in place, they are able to use existing frameworks as a guide to identify gaps in their security posture, and address them by tweaking processes, acquiring specialist expertise and optimizing how they use technology.

Not a one-and-done initiative, cyber-resilience is an ongoing business effort that requires careful evaluation at every step of the journey. While the endeavour may sound overwhelming at first, the most important step that any company can take is to begin the process.