
Blogrige

The Official Baldrige Blog

Be Ready! What Leaders Can Do to Protect Organizations Against Cyberattacks

Woman sitting at table in front of window on an iPad with cyber security icons around.
Credit: Wright Studio/Shutterstock

Leadership Responsibility

Leaders today must learn how to proactively increase the chances of protecting their organizations and customers from the ever-increasing threat of cyberattacks. That’s because an organization’s leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. As Microsoft founder Bill Gates stated, “Security is, I would say, our top priority because for all of the exciting things you…do with computers, organizing our lives, staying in touch with people, being creative—if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed. People won’t use their credit cards quite as much and buy things, and so it’s really the thing we got to get right so that people don’t think about it.”

Are Leaders Ready?

According to a recent Harvard Law School Forum on Corporate Governance and Financial Regulation article, “Many companies now have in place technology designed to identify anomalies and threats. They also likely have written policies and procedures intended to provide a roadmap in the event that a cybersecurity incident occurs. All these tools and written procedures may well be ‘state of the art’ in that they may reflect and embody what is understood to be general best practices. But as with any system or written policies, they alone may be insufficient to address the risks.” 

So how do leaders know if they are doing enough to address cybersecurity risks? One way to find out is to assess the organization’s cybersecurity performance using the Baldrige Cybersecurity Excellence Builder (BCEB).

The BCEB Can Help

The BCEB is a voluntary self-assessment tool that enables an organization to better understand the effectiveness of its cybersecurity risk-management efforts. It helps the organization identify strengths and opportunities for improvement in managing cybersecurity risk based on the organization’s operational and strategic objectives, as well as the needs and expectations of key stakeholders.


Chart showing relationship between the Framework for Improving Critical Infrastructure Cybersecurity and the Baldrige Excellence Framework for the Baldrige Cybersecurity Excellence Builder.

The BCEB combines concepts from NIST’s Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework, Version 1.1, NIST CSF) and the Baldrige Excellence Framework. Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. Through interrelated sets of open-ended questions, it encourages leaders to use the approaches that best fit their organizations and effectively address their most important cybersecurity needs.

Defining Leaders

The BCEB defines leaders as an organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations.

The “Leadership” item in the BCEB asks how the personal actions of an organization’s senior leaders and cybersecurity leaders, as well as the characteristics of its governance system, demonstrate and reinforce accountability, and guide and sustain its cybersecurity policies and operations. Following are questions from the two key areas of leadership in this item:

1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?

1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?

Assessment Scope

Below are some key steps to help an organization get started conducting a self-assessment of its cybersecurity program. First, leaders may want to determine if the self-assessment will cover the full organization, a subunit, or parts of an organization. It would be beneficial to select individuals with leadership and facilitation skills who have widespread knowledge of the cybersecurity management system to lead the effort by serving as “champions.” 


Steps to using BCEB: Scope, Organizational Context, Process Questions, Results Questions, Assess Responses, Prioritize Actions; Develop Plan, Measure and Evaluate Progress.

Getting Started

  1. Read the BCEB from cover to cover. It’s a short, easy-to-read booklet and includes additional information on how to perform an assessment.
  2. Respond to the questions in the Organizational Context section. This will help ensure that you are focusing on your most critical needs. If you identify important topics for which you have conflicting, little, or no information, you may want to get clarity on these before moving on.
  3. Answer the process (categories 1-6) questions to document your organization’s key cybersecurity-related processes. Answer the results (category 7) questions, which will help you understand the effectiveness and impact of your cybersecurity efforts. In completing the questions, you may discover blind spots in the cybersecurity management system that you have not considered, or areas where you should place additional emphasis.
  4. Assess your responses by using the assessment rubric. The rubric will help you to assess your cybersecurity risk management program’s maturity level and determine if your processes and results are reactive, early, developing, mature, leading, or exemplary.
  5. Prioritize your actions and develop an action plan. Use the self-analysis worksheet to indicate the importance (high, medium, low) of each item to the successful management of cybersecurity within your organization. Prioritization will help you develop an action plan that most effectively uses resources.
  6. Measure and evaluate your progress in achieving specific improvement goals. As you continue to use the BCEB, you will learn more about your organization and begin to define the ways to build on your strengths, close gaps, and innovate.

Not Ready, Start Here

If your organization is not ready to complete the full self-assessment after completing the Organizational Context, consider doing a self-assessment using just one category or item in which you need improvement. Answer the individual questions in the selected category; then, when ready, conduct a full self-assessment to reveal key linkages between your chosen category and the other items. This will enable you to gain a systems perspective as embodied in the seven integrated categories.

Of course, leaders have numerous other options to select from to achieve the objective of improving their organization’s cybersecurity management system. But by taking a Baldrige-based approach to self-assessment, the organization—no matter its sector or size—will be on the way to improvement and cybersecurity excellence.

Cybersecurity Webcast: What's Up Next?

View the webcast for a brief overview on integrating the BCEB with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Start learning about the BCEB as you begin to plan for a self-assessment of your cybersecurity risk management system.

Submit Lessons Learned

The Baldrige Performance Excellence Program invites you to submit your BCEB lessons learned and comments to baldrige [at] nist.gov.

Hands-On Leadership Development

Leaders in any sector may also find it beneficial to apply to participate as part of a year-long cohort of the Baldrige Executive Fellows Program to learn how national role-model organizations are using the Baldrige Excellence Framework to maintain high performance.


Improve Your Organization’s Cybersecurity Risk Management Efforts


Baldrige Cybersecurity Excellence Builder

The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance. 


About the author

Jacqueline Calhoun

I’m Jackie Calhoun from the Baldrige Marketing and Partnering Team. I joined the Program in 1993 and during my career here, I have been fortunate enough to be on the Publications Management Team and Examiner Training and Workforce Development Team. I also have served as Team leader on each of the teams. Prior to Baldrige, I worked as a physical scientist in the NIST Physics Laboratory, Center for Radiation Research.

Comments

Great to have a Cybersecurity Builder. Although maybe not intended as its primary use, it will go a long way to provide a systematic approach for applicants to use to address cybersecurity requirements in the Criteria.
