The Official Baldrige Blog
Leaders today must learn how to proactively increase the chances of protecting their organizations and customers from the ever-increasing threat of cyberattacks. That’s because an organization’s leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. As Microsoft founder Bill Gates stated, “Security is, I would say, our top priority because for all of the exciting things you…do with computers, organizing our lives, staying in touch with people, being creative—if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed. People won’t use their credit cards quite as much and buy things, and so it’s really the thing we got to get right so that people don’t think about it.”
According to a recent Harvard Law School Forum on Corporate Governance and Financial Regulation article, “Many companies now have in place technology designed to identify anomalies and threats. They also likely have written policies and procedures intended to provide a roadmap in the event that a cybersecurity incident occurs. All these tools and written procedures may well be ‘state of the art’ in that they may reflect and embody what is understood to be general best practices. But as with any system or written policies, they alone may be insufficient to address the risks.”
So how do leaders know if they are doing enough to address cybersecurity risks? One way to find out is to assess the organization’s cybersecurity performance using the Baldrige Cybersecurity Excellence Builder (BCEB).
The BCEB is a voluntary self-assessment tool that enables an organization to better understand the effectiveness of its cybersecurity risk-management efforts. It helps the organization identify strengths and opportunities for improvement in managing cybersecurity risk based on the organization’s operational and strategic objectives, as well as the needs and expectations of key stakeholders.
The BCEB combines concepts in NIST’s Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework, Version 1.1, NIST CSF) and the Baldrige Excellence Framework. Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. Through interrelated sets of open-ended questions, it encourages leaders to use the approaches that best fit their organizations and effectively address their most important cybersecurity needs.
The BCEB defines leaders as an organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations.
The “Leadership” item in the BCEB asks how the personal actions of an organization’s senior leaders and cybersecurity leaders, as well as the characteristics of its governance system, demonstrate and reinforce accountability, and guide and sustain its cybersecurity policies and operations. Following are questions from the two key areas of leadership in this item:
1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?
1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?
Below are some key steps to help an organization get started conducting a self-assessment of its cybersecurity program. First, leaders may want to determine if the self-assessment will cover the full organization, a subunit, or parts of an organization. It would be beneficial to select individuals with leadership and facilitation skills who have widespread knowledge of the cybersecurity management system to lead the effort by serving as “champions.”
If your organization is not ready to complete the full self-assessment after completing the Organizational Context, consider doing a self-assessment using just one category or item in which you need improvement. Answer the individual questions in the selected category; then, when ready, conduct a full self-assessment to reveal key linkages between your chosen category and the other items. This will enable you to gain a systems perspective as embodied in the seven integrated categories.
Of course, leaders have numerous other options to select from to achieve the objective of improving their organization’s cybersecurity management system. But by taking a Baldrige-based approach to self-assessment, the organization—no matter its sector or size—will be on the way to improvement and cybersecurity excellence.
View the webcast for a brief overview on integrating the BCEB with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Start learning about the BCEB as you begin to plan for a self-assessment of your cybersecurity risk management system.
The Baldrige Performance Excellence Program invites you to submit your BCEB lessons learned and comments to baldrige [at] nist.gov.
Leaders in any sector may also find it beneficial to apply to participate as part of a year-long cohort of the Baldrige Executive Fellows Program to learn how national role-model organizations are using the Baldrige Excellence Framework to maintain high performance.
The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance.
Great to have a Cybersecurity Builder. Although maybe not intended as its primary use, it will go a long way to provide a systematic approach for applicants to use to address cybersecurity requirements in the Criteria.