“Our goal is to empower [organizations] of every size and every sector with the right tools to secure themselves in a [cyber] threat landscape that is ever-evolving. Static, checklist-style compliance just won’t do. In business and in government, we all must move towards dynamic, accountable approaches to cyber risk management.”
With those words, Deputy Secretary of Commerce Bruce Andrews announced the release of the Baldrige Cybersecurity Excellence Builder, a new self-assessment tool that integrates organizational assessment approaches from the Baldrige Performance Excellence Program with the concepts and principles of the Cybersecurity Framework developed by NIST’s Applied Cybersecurity Division. The purpose of the tool is to help organizations better understand the effectiveness of their cybersecurity risk management efforts and to identify improvement opportunities in the context of their overall organizational performance.
For nearly 30 years, the Baldrige Program has been helping to ensure the long-term success and sustainability of businesses and other organizations in the United States by providing a globally recognized and emulated standard of organization-wide excellence (the Baldrige Excellence Framework), organizational assessments and tools, and the sharing of best practices of role-model organizations recognized through the Malcolm Baldrige National Quality Award.
The Baldrige Program initially helped to address the quality crisis of the eighties. As the drivers of competitiveness and long-term success evolved, so too did the Baldrige framework. Today we offer organizations of all kinds a nonprescriptive leadership and management guide that facilitates a systems approach to achieving organization-wide excellence. In recent years, Baldrige has been a powerful agent of change and improvement in all sectors, most notably health care, and now we have the opportunity to help address another national crisis, cybersecurity.
It has been said that every organization falls into one of two categories: those that have suffered a cyber-attack and know it, and those that have been attacked and don’t know it. That may be a slight exaggeration, but with an estimated 300 million cyber-attacks in 2015, only 90 million of which were detected, and an annual growth rate of approximately 40% in such attacks, it is safe to assume that if you haven’t been attacked yet, you probably will be soon. As the drumbeat of daily news stories reminds us, protecting data, information, and systems has become an urgent necessity for just about every organization.
The Cybersecurity Framework provides organization and structure to today’s multiple approaches to managing cybersecurity risk by assembling standards, guidelines, and practices that are working effectively in many organizations. With the Baldrige approach as applied to cybersecurity, an organization manages all areas affected by cybersecurity as a unified whole. In addition, the Baldrige Cybersecurity Excellence Builder, developed in partnership with the Applied Cybersecurity Division and cross-sector industry representatives, enables an assessment of the maturity of an organization’s approaches to cybersecurity and the results achieved. The assessment rubric guides users to determine the maturity level of their cybersecurity programs, processes, and systems—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation should lead to action plans to improve cybersecurity practices and management.
Like the Cybersecurity Framework and the Baldrige Excellence Framework, the Baldrige Cybersecurity Excellence Builder is not a one-size-fits-all approach to managing cybersecurity risk. It is adaptable to your organization’s needs, goals, capabilities, constraints, and environment.
Also, like both the Cybersecurity Framework and the Baldrige Excellence Framework, the Baldrige Cybersecurity Excellence Builder will rely heavily on public input. We invite interested users to visit our program’s website, download a copy of the draft Baldrige Cybersecurity Excellence Builder, and let us know what you think (instructions on how to provide feedback are on the website and on the cover of the tool). Your input will be considered when the tool is updated and released as version 1 in Spring 2017.
Depending on industry interest and support, the next steps will be to add voluntary assessments, voluntary recognition, and/or voluntary best-practice sharing to help spread the use of the Cybersecurity Framework and the self-assessment tool and, of course, to improve organizational and national cybersecurity preparedness.
Baldrige has become a catalyst for transforming organizations, and if the goals of this self-assessment tool are met, it will serve as a valuable instrument in helping organizations to better understand the robustness and effectiveness of their cybersecurity programs and practices. It also will help them in assessing how effectively those efforts align with and support larger organizational requirements, goals, objectives, and strategy.
We are excited to have the opportunity to be a part of a comprehensive initiative to help strengthen the nation’s cybersecurity infrastructure. Please join us by trying out the assessment yourself.