While more information can be found online, here is my short answer:
The NIST Cybersecurity Framework assembles and organizes standards, guidelines, and practices that are working effectively in many organizations. It also includes informative references that are common across critical infrastructure sectors. You are encouraged to customize these based on business drivers to maximize their value to your organization. The BCEB helps with this customization by asking about your organizational characteristics and environment. The BCEB also helps you understand how effective and efficient your cybersecurity approaches are, as well as how good your cybersecurity-related results are.
Notably, the BCEB helps an organization determine whether it is obtaining effective and efficient results from cybersecurity initiatives, including those enacted based on the Cybersecurity Framework outcomes.
As evidenced by cyber events in the news, the importance of an assessment tool to help organizations better understand the effectiveness and efficiency of their cybersecurity risk management efforts and identity improvement opportunities cannot be overemphasized.
The Biggest Cyber Targets
For example, in “Health Care’s Huge Cybersecurity Problem” (April 2019), Nicole Wetsman explains that ransomware and other cyberattacks are on the rise, with health care industries being some of the biggest targets. She writes,
The health care industry increasingly relies on technology that’s connected to the internet: from patient records and lab results to radiology equipment and hospital elevators. That’s good for patient care, because it facilitates data integration, patient engagement, and clinical support. On the other hand, those technologies are often vulnerable to cyberattacks, which can siphon off patient data, hijack drug infusion devices to mine cryptocurrency, or shut down an entire hospital until a ransom is paid.
Sutter Health, the parent of Baldrige Award recipient Sutter Davis Hospital, found its systems shut down in June 2017 in a cyberattack called NotPetya, which was called in Wired magazine “the most devastating cyberattack in history.” According to a story by Andy Greenberg, part of the attack was to send fake ransom messages to computers, and while users discussed paying the ransom, malware irreversibly encrypted their computers.
Sutter Health, which serves over 3 million patients, was able to respond quickly to the cyberattack and move operations off its system. “It could have easily created a patient safety issue—if you have transplant patients, or patients who are having surgery, you need all those medical notes,” said Chief Privacy and Information Security Officer Jacki Monson in the article. She added that Sutter Health was hit with around 87 billion cyberthreats in 2018.
One issue for health care organizations, writes Wetsman, is that adding additional security to systems could slow down clinicians, who may find it frustrating to juggle extra passwords and move through extra digital protections in order to access a patient’s records.
Her advice: “Framing cyberattacks as safety issues helps experts get physicians and clinicians on board with good cybersecurity practices, when they might otherwise think of it as just an administrative concern. . . . Telling more stories about the impact on the safety of patients resonates with physicians.”
Failing to Address Cyber Threats
The issue, of course, doesn’t just impact health care. In a June 2019 ComputerWeekly.com article “Business Leaders Failing to Address Cyber Threats,” author Warwick Ashford provides data from a report called “Trouble at the Top: The Boardroom Battle for Cyber Supremacy.” The data show that more than 76% of C-level executives believe a cybersecurity breach is inevitable. Despite this, 90% of more than 400 executives believed their companies were missing resources to help defend against a cyberattack, with some confusion about who is responsible for addressing such an attack. Human factors are cited as potentially problematic, “with senior management reluctant to accept advice (46%), a lack of budget (44%), and a lack of people resources (41%), which are all considered to be major components of an effective cyber security strategy,” writes Ashford.
And very recently on the radio, I learned more about two cities currently under a cyberattack (June 2019), which locked the local governments out of their computer servers for ransoms. The Baltimore, MD, attack has so far cost the city more than $18 million. The other recent attack was in Greenville, NC.
How Do You Know if Your Organization is Managing Cybersecurity Risk?
Applying the BCEB helps organizations to determine context, priorities, and goals across a broad range of categories, including organizational leadership, strategy, customer focus, workforce, and operations. The Cybersecurity Framework’s outcomes (and related informative references) provide input into the BCEB to help consider what the entity might want to do to understand and achieve requirements and expectations, including actions needed from the organization’s supply network and other partners. BCEB drives considerations for “measurement, analysis, and knowledge management,” important aspects in achieving that effectiveness and efficiency.
A key part of using the BCEB and Cybersecurity Framework together is the BCEB’s model for determining results; an entity may apply a broad range of cyber activities, but what truly matters are the results. Applying BCEB’s methodology to measure and improve cyber results can help prepare for, respond to, and hopefully avoid situations like those described in this blog.
So, looping back to the topic of this blog, how do you know if your organization is managing cybersecurity risk effectively and efficiently? Use the NIST Cybersecurity Framework with the Baldrige Cybersecurity Excellence Builder (free downloads) together. As for why this is important, I only shared a few articles about cyberattacks on health care and business organizations, as well as cities; unfortunately, there are many, many more stories like these.
Improve Your Organization’s Cybersecurity Risk Management Efforts
Baldrige Cybersecurity Excellence Builder
The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identity improvement opportunities in the context of their overall organizational performance.