Three Steps to Managing the Business of Cybersecurity Risk Management
The NIST Cybersecurity Framework (NIST-CSF) was created under Executive Order to provide a uniform standard that government and businesses could adopt to guide their cybersecurity activities and risk management programs. The NIST Framework has now been approved as the governing framework for the US government, a growing number of critical infrastructure sectors (financial services, healthcare, energy, etc.) and an extensive list of international governments.

In December of 2019, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued guidance to provide an overview for business executives and board members on cyber risk management. This guidance provides context related to the fundamental concepts of cyber risk management techniques but is not intended to be a comprehensive guide to develop and implement technical strategies (that is what the NIST Cybersecurity Framework and its Informative References are for). Refer to the table below for additional context on the intended audience and use of the COSO guidance.

Current cybersecurity training and consulting programs come up short in teaching organizations the skills they need to assess, engineer and implement a COSO-aligned enterprise cybersecurity risk management program.
COSO’s guidance is designed to help enterprises prioritize their cybersecurity investments by aligning those investments with the organization’s cybersecurity risk management policies.

Listed below is a three-step program on how to adopt and adapt a COSO/NIST Cybersecurity Framework practice capable of helping organizations design, implement and manage the business of cybersecurity risk management.

Managing the Business of Cybersecurity Risk Management

Step #1 – Get Digital Ready

Modern enterprise organizations are vestiges of the Industrial Era. They were created, built and organized in and for a different time. This includes the physical and logical manifestations of our enterprise organizations: buildings, capital investments, organizational structures, policies and procedures and, bluntly, almost everything about how the typical enterprise organization works. More importantly, it also includes the very essence of our organizations: their culture.

Culture is why most digital transformation efforts fail. A successful digital transformation is not, in fact, a technology-driven endeavor. It is first and foremost a cultural and organizational transformation. Digital technologies, such as video streaming and the internet of things, are merely the catalysts and then, ultimately, the product.

More than that, however, an effective digital transformation should not be undertaken to develop a specific “digital capability,” but rather should be focused on developing a “cultural capability” that will ready the organization for the unique pressures and demands of the digital era – an agile organization.
The digital era will place demands on enterprises that run counter to most of the well-understood operating paradigms of the past. Multi-year planning cycles are being replaced with dynamic strategies. Product cycles, both in terms of development and in terms of marketability, have shortened dramatically. Competitors are emerging at a more rapid rate and from unforeseen quarters as barriers to entry fall. Most industries are seeing these things happen right now.

Driving the transformation of an organization into a Digital Enterprise is a significant effort. It will require that you address virtually every aspect of your operating business model: organizational structure, business processes, operational functions and, of course, technology strategy.
Those organizations that are successfully making this transition are doing so by developing four specific cultural capabilities, which we call the Digital Enterprise Readiness Framework:

• Operational Sustainability
• Organizational Agility
• Strategic Agility
• A Disruptive Culture

The road to being a “digital ready” enterprise starts at the operational level. That may sound counterintuitive, but an organization cannot begin to think about successfully executing a digital transformation without a sound base of organizational discipline. After sound operational discipline is established in the culture, the organization must address organizational agility, then strategic agility, and finally it must have a disruptive culture. These are the “dimensions” of the Framework.

Operational Sustainability does not necessarily equate to the highest levels of operational maturity or completely robust process definitions and operations. Rather it means the organization is operating efficiently with repeatable processes. The organization accepts “just enough” process or what is adequate as opposed to optimizing.
Organizational Agility is not just about the ability to change direction. It is the ability to rapidly adjust the structure, operating processes and/or functions of your organization to adapt to changing market conditions. It demands that organizations and their leadership be able to reduce structure and process as necessary to enable the organization to respond more rapidly and effectively.

Strategic Agility is the ability to know when to pivot, whereas Organizational Agility is about the organization’s ability to pivot when directed. Organizations must reduce their reliance on long-term strategic planning and instead create the capability within the organization to continuously monitor shifts in the market and emerging technologies. They must dynamically shift the organization’s strategic direction and vision to create competitive advantage and mitigate competitive disruption. It is about rapidly recognizing your external threats and internal weaknesses and exploiting external opportunities and internal strengths.

A Disruptive Culture is a willingness to challenge the status quo, to embrace innovation, experimentation and “fast failure,” and to remain perpetually focused on what’s coming next. The culture must permit continual disruption in every facet of the organization, including technology, business models, industry dynamics, offshoring and outsourcing strategies, regulatory management, etc. It must do so in a constructive, not destructive, way.

These four dimensions are the building blocks of readiness, ensuring that your organization has the necessary combination of stability, agility and an openness to change in order to complete the transformation into a Digital Enterprise. The Framework defines specific attributes within each dimension that are indicative of readiness.
These attributes have then been converted into a data model, which enables you to objectively assess your readiness, identify areas that may inhibit transformational efforts and then track your progress.

itSM Solutions, in partnership with the Institute for Digital Transformation, has developed the Digital Enterprise Readiness Fundamentals Training Course and Assessment based on this Framework. Each of the four dimensions is broken down into attributes and characteristics that can be measured. The data is then analyzed to determine whether the organization is Not Ready, Preparing, or Ready to succeed in a Digital Transformation.

Step #2 – Adopt and Adapt the COSO and NIST Frameworks

Current cybersecurity training programs come up short in teaching organizations the skills they need to assess, engineer and implement a cybersecurity program that aligns with the enterprise risk management guidance provided by COSO, which is designed to help enterprises prioritize their cybersecurity investments by aligning them with their cybersecurity risk management policies.

The NIST Cybersecurity Professional (NCSP) Design & Operations certification training programs are the industry’s first accredited cybersecurity certification training programs based on the NIST Cybersecurity Framework (NIST-CSF) and COSO’s Enterprise Risk Management Framework.

The NCSP Certification Training Programs teach organizations how to:
• Assess themselves in order to understand their current cybersecurity state
• Design a cybersecurity program using NIST-CSF informative reference controls to realize their future cybersecurity state
• Implement and operationalize a Continual Implementation & Improvement Management System (CIIS) to automate, sustain and continually improve their future cybersecurity state.

For IT, Cybersecurity, Risk Management Professionals

NCSP courses teach the knowledge, skills and abilities to assess, design, implement, operationalize and continually improve the cybersecurity controls & management systems associated with a NIST Cybersecurity Framework program.

For Cybersecurity Auditors & Regulators

NCSP courses teach the knowledge, skills and abilities to understand what core and mission-critical capabilities (controls, management systems, workforce skills, etc.) need to be in place in order to comply with an organization’s cybersecurity risk management policies and regulatory requirements.

NCSP Foundation Certification with Exam Voucher

This APMG and NCSC/GCHQ accredited one-day course is targeted at IT cybersecurity and auditing professionals looking to learn the fundamentals of Digital Transformation, Cybersecurity Risk Management, the NIST Cybersecurity Framework and NIST-CSF Management Systems.

The course is based on the Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, and qualifies for PMI, CompTIA and ISACA Professional Development Credits.

NCSP Practitioner Certification With Exam Voucher

This APMG and NCSC/GCHQ accredited four-day course teaches students how to apply a best-practice approach to designing an enterprise risk management cybersecurity program based on the NIST Cybersecurity Framework Informative References and management systems.

The course is based on the Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, and qualifies for PMI, CompTIA and ISACA Professional Development Credits.

To sit the NCSP Practitioner exam, you must have completed the NCSP Foundation training program and passed the corresponding exam.

NCSP Assessment & Program Management Training

The NCSP Assessment and Program Management training program is based on the CyberStrong™ platform from CyberSaint Security. The training enables candidates to learn how to engineer, implement and operationalize an Integrated Risk Management platform as part of a NIST Cybersecurity Framework program. Focus areas include:

• Assessment Automation Training
• Digital Risk Management Training
• IT Risk Management Training
• Vendor Risk Management Training
• Compliance Risk Management Training
• Audit Management Training
• Governance Management Training

Step #3 – Upskill Your Workforce

itSM’s NIST cybersecurity workforce training program is built around a three-academy training model designed to upskill an existing workforce and provide a pathway to train up new interns to fill an organization’s ever-changing and expanding cybersecurity workforce.

The three academies include:

• Knowledge Academy – Online certification training where candidates learn the knowledge of cybersecurity using industry-leading cybersecurity programs.

• Skills Academy – Online or in-class lectures and practice lab training where candidates learn the hands-on skills associated with cybersecurity and the NIST NICE cybersecurity frameworks.

• Abilities Academy – Online problem analysis and remediation training courses where candidates work to solve real-world NIST cybersecurity problems in collaboration with other candidates and industry mentors.

Please contact if you would like to set up a call to discuss the programs listed above in more detail.