When the Baldrige Program last year published the Baldrige Cybersecurity Excellence Builder—a self-assessment resource focused on cybersecurity—Steffani Webb was eager to adopt and share it with members of her team. As vice chancellor for administration at the University of Kansas Medical Center (KUMC), Webb had already been using the more comprehensive Baldrige Excellence Framework with her department’s staff to improve administrative operations since she assumed her position in 2011.
Webb and her KUMC colleague Tom Field, associate vice chancellor for organizational improvement, had established staff training to facilitate use of the Baldrige framework. Favorable results included higher engagement and morale among the KUMC support staff—and improved service to their internal customers on campus (as shared in a 2014 blog).
Webb’s learning experiences as a Baldrige Executive Fellow—and her and Field’s work as volunteer Baldrige examiners in recent years—heightened their appreciation for the systems perspective of the Baldrige framework and the self-assessment questions that make up its Criteria for Performance Excellence. Their familiarity with the Baldrige assessment approach made using the Baldrige Cybersecurity Excellence Builder (BCEB) relatively easy.
The BCEB integrates the core concepts and categories of the Baldrige Criteria with the concepts and principles of the National Institute of Standards and Technology’s Cybersecurity Framework. So in using the BCEB today, KUMC staff members are applying the same self-assessment approach of the Baldrige Excellence Framework to cybersecurity. “Our overarching purpose is to develop an action plan for cybersecurity using the BCEB,” said Webb of her Information Security Team’s work using the BCEB.
In the early stages of this work last year, Webb initiated key changes in the organization of KUMC’s information technology (IT) and information security (IS) functions to separate them and elevate the position of the information security director. John Godfrey, who had held the position, used to report to KUMC’s chief information officer (CIO), Webb explained. But with his input, she created the position of chief information security officer (CISO) and moved the director of information security position to report to the CISO. With separate departments today, the CIO and CISO both report to Webb, and the IS director reports to the CISO. “Conflicts of both interest and resource allocation can occur with the historical approach of having the information security officer report to the CIO,” said Godfrey, who was promoted to the CISO position in the restructuring.
The Information Security Team (pictured right) that is using the BCEB at KUMC now includes the CISO (Godfrey); the new IS director (Jeremy Pennington); a program manager within the CISO office (Daniel Cox); and four information security analysts (Joseph Nimoh, Alexeo Smith, Jason Sells, and Katie Bratman). Webb and Field have joined the team to facilitate regular discussions on the BCEB.
In addition to the BCEB, Godfrey explained, KUMC continues to use the NIST Cybersecurity Framework (or CSF, as he calls it). Describing the complementary value of the two NIST resources on cybersecurity, Godfrey said, “The BCEB addresses the process and delivery ‘side of the house’ throughout the organization, whereas the CSF is more technical and controls-focused. This is the key difference.”
Added Pennington, “The big difference I see here is that the BCEB allows us to bridge the gap and implement what is listed as necessary in the NIST Cybersecurity Framework.”
“A focus on the customer is inherent in [the process and delivery referenced by Godfrey],” Webb pointed out. “This team is really good at that.”
In a group interview, Pennington, Cox, Bratman, Sells, Nimoh, and Smith described how their use of the BCEB has helped them better understand their own role and to engage their customers (i.e., other employees within the medical center and key partners) in protecting the organization and helping to achieve the mission of the information security office.
“We have the concept that information security isn’t just done by our group here. It’s done by the whole organization,” said Cox. “[The BCEB] helps not just with the ‘how’ but with the ‘who,’ … by calling out specific relationships with suppliers, etc. This helps us organize on paper who [are] all the [stakeholders] we’re dealing with and how to get them involved, especially since information security should be an all-organization function.”
Nimoh, who is a newer team member, explained that before coming to KUMC, he found that being an IS staff member meant frequently “saying no” to other employees in order to protect information. However, “Information security [in this environment] is not just saying ‘no’ but, rather, explaining why,” he said.
Godfrey agreed, adding, “Our focus has changed from primarily operating as a team that ‘tells’ others what to do, to one that ‘asks’ for their help in achieving our mission. This approach has helped the team to achieve deeper levels of trust, cooperation, understanding, and overall effectiveness.”
“Security starts with everyone,” said Smith. “This framework is helping us, and it’s important to get all the other departments to see that because it takes all the other departments [to make this effective].”
According to Godfrey, many security professionals today are being pushed to use the language of the business more and technical language less. So he found the way the BCEB is written to be helpful. “One thing I found striking about the BCEB is that most of the content is written in the language of business, which then connects back to the language of technology and security,” he said. “There were instances where language in the BCEB caused us to reflect on what was meant because things can mean different things to different functions.”
“We’re a small group that receives a large and continuously growing volume of requests,” Webb said of the IS staff at KUMC. “This very customer-oriented group often felt underappreciated because customers were asking why things were taking so long.”
However, she said they gained new insights as they were responding to the self-assessment questions in the Organizational Profile, the prefatory section of the BCEB. “They realized they were doing things that they didn’t need to be doing and that they needed to develop a systematic approach to the intake of requests,” she said. “Thus, they improved their intake process.”
Cox added, “When we talk about the services we listed out [in the Organizational Profile] and our key initiatives, we’ve found new ways to relate to our customers.”
“As part of the process of going through this,” said Webb, “something that’s been helpful is the growing awareness of how they fit within the context of the broader organization.” She further explained, “They used to see all the burden of preventing cyber disasters as falling on them. Now they understand that it is a shared responsibility, including senior leadership. Now, when they see a need to make recommendations to the senior leadership to support risk management throughout the organization, they are empowered to do so. This team understands that they are not the ‘no people’ or the ‘yes people.’”
Webb attributes this new insight to the work not only of developing the Organizational Profile but also to using the BCEB questions in the six process categories, “all of which helped the IS staff better understand the roles, relationships, and leadership structures throughout the organization,” she said. “[The IS staff] now has a more holistic view of things.”
Sells agreed by describing his experience as a new team member: “When we started [using the BCEB] in May, one of the first things we talked about was the difference between being a reactive team and being an aligned and proactive team,” he said. “We’re still in the state operationally where we have to be able to do everything (due to our staff’s small size), but the BCEB has been helpful by showing us how we can delineate the different functional roles on the team.”
Bratman, too, affirmed that “in our discussion of roles and responsibilities on our team … as we sorted it out, it was really helpful.”
Webb explained that the group started responding to BCEB self-assessment questions in the last category (Results) first. “We started with category 7 so we could know our results and prioritize areas for improvement,” she said, “then we worked our way through the process categories.”
As an example of insights gained in considering the assessment questions, Webb described how, in relation to category 1 (Leadership), “the Information Security Team talked about the importance of building trust” in order to be effective in their work of supporting and educating other KUMC employees about cybersecurity risks.
Given that the Information Security Team wants to be accountable for its work, said Webb, but doesn’t have the power to control all risks, educating the rest of the workforce is critical to their success.
“We have a process now so that when [an employee] wants to do something that the IS staff considers too risky based on analysis, they have to sign off on a documented statement affirming they understand the specific risks and are choosing to go forward anyway due to business reasons,” said Webb. “This has made a huge difference in showing others [in the organization] how they are accountable for information security, too.”
She pointed out that the BCEB states that cybersecurity is a whole-organization responsibility. “When we have tools like this, we can take a difficult situation, apply what we’ve learned, and develop a new way forward,” she added.
The BCEB has further helped the team in regard to their communications and cybersecurity awareness activities. According to Godfrey, the IS staff has been using fish-shaped candies in its cybersecurity educational efforts, “handing them out to KUMC employees, to help educate them because phishing attempts through email currently are the number-one cybersecurity risk on campus.”
Pennington even dressed up as a fisherman last Halloween as part of his office’s campus-wide cybersecurity awareness efforts.
Refining measures related to the BCEB continues to be a work in progress, said Webb, particularly figuring out which results data are the most important for the organization to track.
According to Pennington, among two primary metrics for IS staff, the first are compliance-driven (a starting point), whereas impact metrics (including data on how the culture has changed to support cybersecurity) come with organizational maturity.
An impact measure related to behavioral change might be the number of compromised Internet accounts and the trend in those numbers, he said. Another impact measure might be the number of people proactively handling spam emails (i.e., forwarding them to IS staff before they are asked to do so because they recognize the risk).
“That’s also sort of an engagement measure, too,” said Webb. She suggested another measure of success is that the IS staff evidently looks forward to the group’s regular meetings about the BCEB despite its workload concerns.
As more examples of the positive impact of the IS staff’s work, Godfrey shared how a busy leader takes the time to flag suspicious emails and another leader sought guidance on how to craft internal communications so that they would not look like phishing attempts.
Godfrey further shared that KUMC has contributed to benchmark measures for use with the NIST Cybersecurity Framework. “We’ve done a self-assessment against the CSF. Since there aren’t common benchmarks for these, we worked with other health care organizations and aggregated data … so we can benchmark our maturity. We’ve helped to create benchmark data for our vertical and the region for the CSF.”
“The feeling is that we’re moving in a direction that is extremely positive and has the potential to be very successful,” said Cox. “You notice that in who’s talking about cybersecurity. … and the time that [non-IS staff members] have put into this. … not because something bad is happening but because we want to be successful. This framework has allowed us to open the door to a lot more people for this conversation.”
The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identity improvement opportunities in the context of their overall organizational performance.