
Blogrige

The Official Baldrige Blog

Start Using the Baldrige Cybersecurity Tool: Here’s Help


The Information Security Team of the University of Kansas Medical Center (KUMC) began using the Baldrige Cybersecurity Excellence Builder (BCEB) last spring to assess their information security work.

A previous blog detailed six phases of their beginning use of the Baldrige cybersecurity resource, which can complement an organization’s use of the NIST Cybersecurity Framework.

To help other organizations understand the benefits and learn one way to get started using the BCEB, here are key points from a group interview of KUMC’s information security staff (plus cross-functional leaders supporting the BCEB work).


How the BCEB Supports Our Cybersecurity Efforts

  • It has helped us explain to people outside information security (IS) what we do and, thus, to hone our communication skills, especially with the senior leaders of the organization (so they can be advocates for us).
  • It has enabled deliberate reflection on what is and isn’t working well, what our gaps are, what we should be offering, and how that might diverge from where we are today.

Our Approach to Using the BCEB

  • First, we established an office for information security (IS), which required understanding both our current state and desired future state.
  • We delineated the specific tasks and roles for the Information Security Team, ranking them according to priority. This allows us to be informed in terms of where we spend time and resources.
  • We gained new insights on how cybersecurity is a whole-organization responsibility by filling out the Organizational Profile (the prefatory section of the BCEB).
  • To build out what was then a relatively new IS department, we began with the self-assessment questions in the last section of the resource, category 7 (following the guidance, “begin with the end in mind”), then worked through responses to questions in categories 1 through 6.
  • We also developed a conceptual crosswalk to the NIST Cybersecurity Framework (CSF), using those standards as a complementary resource for cybersecurity.
  • Using the BCEB, we assessed cybersecurity efforts internally and then benchmarked our performance against 17 other organizations, categorizing risks according to the CSF.
  • In regular meetings, we continue to talk about results and measure our cybersecurity performance against others.

How the BCEB Adds Value

  • It focuses on process using business language (rather than using technical IT language), orienting users to a customer-focused, process-driven perspective.
  • It incorporates the Baldrige Excellence Framework’s multidimensional process-evaluation factors of Approach, Deployment, Learning, and Integration (ADLI) to complement the more binary (or checklist) approach of the CSF.

What Benefits We’ve Seen from Using the BCEB

  • It’s useful as a good communication tool as we go forward because we can pull information from the body of work we’ve done with it.
  • It enables us to strategically choose where we are going to invest our time or resources.
  • It helps us see where we have gaps so that we can address them in a prioritized approach (e.g., via communication platforms with senior leaders). It would have been tougher to do this had we not been doing the self-assessment and associated analysis.
  • From a process perspective, the integration of the Baldrige Criteria categories in the BCEB has helped us apply some learning from BCEB discussions to our continuous-improvement efforts.
  • It has prompted us to have cross-functional staff members involved in the process, which is helpful in terms of helping non-technical people understand information security work.
  • It has been helpful in giving Steffani (Webb, the vice chancellor for administration) a deeper understanding of cybersecurity so that she can be a greater advocate for cyber-related issues and help other lay (non-IT) people in our organization understand what’s happening and important with cybersecurity. At the same time, this helps others get to know the IS Team better and increases confidence in this team.
  • It has helped us demonstrate support for information security work from our organization’s leadership.
  • It has helped us improve relationships with others and get the right solutions to end users in a broader organizational context.
  • It has helped the Information Security Team establish a better approach to intake, response, and follow-up through prioritization in communications and status updates to customers.

Sample Communication to Prepare Staff Members for Use of the BCEB

To prepare members of her organization’s Information Security Team for the launch of self-assessment work using the Baldrige Cybersecurity Excellence Builder (BCEB), Steffani Webb crafted her preliminary communications to them with care.

“I knew that they were all kind of nervous about this process (e.g., thinking that it was some kind of a test that they might not have all the answers for), so I chose to use the AIDET format [Announce, Introduction, Duration, Explanation, Thank you] to get us started,” said Webb, vice chancellor for administration at the University of Kansas Medical Center (KUMC).

Following are excerpts from the remarks she prepared for the May 2017 kickoff meeting with KUMC’s Information Security Team.

Announce: We will be using a new tool from the Baldrige Performance Excellence Program at NIST called the Cybersecurity Excellence Builder to complete a self-assessment to determine our cybersecurity maturity and then use this tool to help us develop an action plan to upgrade our cybersecurity practices and management. 

Provide the handouts:

I don’t think that it’s overly dramatic to say that we’re going to transform our Information Security Department through this process. And this will also be a key piece of KUMC’s overall improvement effort.

This is not a test! You have permission not to know the answers. 

Introduction(s):  Around the table—name, role/expertise, and what we each hope to get out of this.

Duration: This will take time. We will have a series of weekly 2-hour long meetings to work on this from now through the end of the year, and I’m very excited to get started on this.

Explanation: What we’ll be doing and why.

WHY: IT infrastructure is critical in our organization. The Academic Health Center operating environment is complex and places many demands on IT and IT security (as you know). The Legislative Post Audit (and some internal audits) highlighted the need for us to align policies, processes, and resources to support Information Security. We have a really good team, we have been doing good work in a very challenging environment, and we have made a lot of progress. This process will be very helpful to our continued development.

  • Tom [Field, associate vice chancellor for organizational improvement] will facilitate our sessions.
  • We’ll start with just the Information Security team focusing on the Organizational Profile and Results/Category 7.
  • When the time is right, we’ll expand the group to include key stakeholders, collaborators, and partners—as determined by this team.
  • We’ll capture the details that emerge from our discussions during each session and then work together to create a document that synthesizes all of this.
  • We have the opportunity to help others while improving our own organization.

Any questions?

Thank you for the opportunity to work together with you on this important initiative. Thank you for participating in this, and thanks in advance for the time and effort that you’re going to devote to this.
Improve Your Organization’s Cybersecurity Risk Management Efforts


The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance. 


About the author

Christine Schaefer

Christine Schaefer is a longtime staff member of the Baldrige Performance Excellence Program (BPEP). Her work has focused on producing BPEP publications and communications. She also has been highly involved in the Baldrige Award process, Baldrige examiner training, and other offerings of the program.

She is a Phi Beta Kappa graduate of the University of Virginia, where she was an Echols Scholar and a double major, receiving highest distinction for her thesis in the interdisciplinary Political & Social Thought Program. She also has a master's degree from Georgetown University, where her studies and thesis focused on social and public policy issues. 

When not working, she sits in traffic in one of the most congested regions of the country, receives consolation from her rescued beagles, writes poetry, practices hot yoga, and tries to cultivate a foundation for three kids to direct their own lifelong learning (and to PLEASE STOP YELLING at each other—after all, we'll never end wars if we can't even make peace at home!).
