Blogrige

The Official Baldrige Blog

Start Using the Baldrige Cybersecurity Tool: Here’s Help

Cybersecurity Team discussing action plans around a table.
Credit: Rawpixel.com/Shutterstock

The Information Security Team of the University of Kansas Medical Center (KUMC) began using the Baldrige Cybersecurity Excellence Builder (BCEB) last spring to assess their information security work.

A previous blog detailed six phases of their beginning use of the Baldrige cybersecurity resource, which can complement an organization’s use of the NIST Cybersecurity Framework.

To help other organizations understand the benefits and learn one way to get started using the BCEB, here are key points from a group interview of KUMC’s information security staff (plus cross-functional leaders supporting the BCEB work).

How the BCEB Supports Our Cybersecurity Efforts

  • It has helped us explain to people outside information security (IS) what we do and, thus, to hone our communication skills, especially with the senior leaders of the organization (so they can be advocates for us).
  • It has enabled deliberate reflection on what is and isn’t working well, what our gaps are, what we should be offering, and how that might diverge from where we are today.

Our Approach to Using the BCEB

  • First, we established an office for information security (IS), which required understanding both our current state and desired future state.
  • We delineated the specific tasks and roles for the Information Security Team, ranking them according to priority. This allows us to be informed in terms of where we spend time and resources.
  • We gained new insights on how cybersecurity is a whole-organization responsibility by filling out the Organizational Profile (the prefatory section of the BCEB).
  • To build out what was then a relatively new IS department, we began with the self-assessment questions in the last section of the resource, category 7 (following the guidance, “begin with the end in mind”), then worked through responses to questions in categories 1 through 6.
  • We also developed a conceptual crosswalk to the NIST Cybersecurity Framework (CSF), using those standards as a complementary resource for cybersecurity.
  • Using the BCEB, we assessed cybersecurity efforts internally and then benchmarked our performance against 17 other organizations, categorizing risks according to the CSF.
  • In regular meetings, we continue to talk about results and measure our cybersecurity performance against others.

How the BCEB Adds Value

  • It focuses on process using business language (rather than using technical IT language), orienting users to a customer-focused, process-driven perspective.
  • It incorporates the Baldrige Excellence Framework’s multidimensional process-evaluation factors of Approach, Deployment, Learning, and Integration (ADLI) to complement the more binary (or checklist) approach of the CSF.

What Benefits We’ve Seen from Using the BCEB

  • It’s useful as a good communication tool as we go forward because we can pull information from the body of work we’ve done with it.
  • It enables us to strategically choose where we are going to invest our time or resources.
  • It helps us see where we have gaps so that we can address them in a prioritized approach (e.g., via communication platforms with senior leaders). It would have been tougher to do this had we not been doing the self-assessment and associated analysis.
  • From a process perspective, the integration of the Baldrige Criteria categories in the BCEB has helped us apply some learning from BCEB discussions to our continuous-improvement efforts.
  • It has prompted us to have cross-functional staff members involved in the process, which is helpful in terms of helping non-technical people understand information security work.
  • It has been helpful in giving Steffani (Webb, the vice chancellor for administration) a deeper understanding of cybersecurity so that she can be a greater advocate for cyber-related issues and help other lay (non-IT) people in our organization understand what’s happening and important with cybersecurity. At the same time, this helps others get to know the IS Team better and increases confidence in this team.
  • It has helped us demonstrate support for information security work from our organization’s leadership.
  • It has helped us improve relationships with others and get the right solutions to end users in a broader organizational context.
  • It has helped the Information Security Team establish a better approach to intake, response, and follow-up through prioritization in communications and status updates to customers.

Sample Communication to Prepare Staff Members for Use of the BCEB

To prepare members of her organization’s Information Security Team for the launch of self-assessment work using the Baldrige Cybersecurity Excellence Builder (BCEB), Steffani Webb crafted her preliminary communications to them with care.

“I knew that they were all kind of nervous about this process (e.g., thinking that it was some kind of a test that they might not have all the answers for), so I chose to use the AIDET format [Announce, Introduction, Duration, Explanation, Thank you] to get us started,” said Webb, vice chancellor for administration at the University of Kansas Medical Center (KUMC).

Following are excerpts from the remarks she prepared for the May 2017 kickoff meeting with KUMC’s Information Security Team.

Announce: We will be using a new tool from the Baldrige Performance Excellence Program at NIST called the Cybersecurity Excellence Builder to complete a self-assessment to determine our cybersecurity maturity and then use this tool to help us develop an action plan to upgrade our cybersecurity practices and management. 

Provide the handouts:

I don’t think that it’s overly dramatic to say that we’re going to transform our Information Security Department through this process. And this will also be a key piece of KUMC’s overall improvement effort.

This is not a test! You have permission not to know the answers. 

Introduction(s): Around the table—name, role/expertise, and what we each hope to get out of this.

Duration: This will take time. We will have a series of weekly 2-hour long meetings to work on this from now through the end of the year, and I’m very excited to get started on this.

Explanation: What we’ll be doing and why.

WHY: IT infrastructure is critical in our organization. The Academic Health Center operating environment is complex and places many demands on IT and IT security (as you know). The Legislative Post Audit (and some internal audits) highlighted the need for us to align policies, processes, and resources to support Information Security. We have a really good team, we have been doing good work in a very challenging environment, and we have made a lot of progress. This process will be very helpful to our continued development.

  • Tom [Field, associate vice chancellor for organizational improvement] will facilitate our sessions.
  • We’ll start with just the Information Security team focusing on the Organizational Profile and Results/Category 7.
  • When the time is right, we’ll expand the group to include key stakeholders, collaborators, and partners—as determined by this team.
  • We’ll capture the details that emerge from our discussions during each session and then work together to create a document that synthesizes all of this.
  • We have the opportunity to help others while improving our own organization.

Any questions?

Thank you for the opportunity to work together with you on this important initiative. Thank you for participating in this, and thanks in advance for the time and effort that you’re going to devote to this.

Blogrige Readers: If you’d like to learn about the BCEB using a hands-on approach, register to attend the Baldrige Cybersecurity Excellence Builder Workshop on April 8 in Baltimore, MD.
About the author

Christine Schaefer

Christine Schaefer is a longtime staff member of the Baldrige Performance Excellence Program and current leader of the Education Team—a group of four who produce publications and communications and...
