To help other organizations understand the benefits and learn one way to get started using the BCEB, here are key points from a group interview of KUMC’s information security staff (plus cross-functional leaders supporting the BCEB work).
It has helped us explain to people outside information security (IS) what we do and, thus, to hone our communication skills, especially with the senior leaders of the organization (so they can be advocates for us).
It has enabled deliberate reflection on what is and isn’t working well, what our gaps are, what we should be offering, and how that might diverge from where we are today.
Our Approach to Using the BCEB
First, we established an office for information security (IS), which required understanding both our current state and desired future state.
We delineated the specific tasks and roles for the Information Security Team, ranking them according to priority. This informs where we spend time and resources.
We gained new insights on how cybersecurity is a whole-organization responsibility by filling out the Organizational Profile (the prefatory section of the BCEB).
To build out what was then a relatively new IS department, we began with the self-assessment questions in the last section of the resource, category 7 (following the guidance, “begin with the end in mind”), then worked through responses to questions in categories 1 through 6.
We also developed a conceptual crosswalk to the NIST Cybersecurity Framework (CSF), using those standards as a complementary resource for cybersecurity.
Using the BCEB, we assessed cybersecurity efforts internally and then benchmarked our performance against 17 other organizations, categorizing risks according to the CSF.
In regular meetings, we continue to talk about results and measure our cybersecurity performance against others.
How the BCEB Adds Value
It focuses on process using business language (rather than using technical IT language), orienting users to a customer-focused, process-driven perspective.
It incorporates the Baldrige Excellence Framework’s multidimensional process-evaluation factors of Approach, Deployment, Learning, and Integration (ADLI) to complement the more binary (or checklist) approach of the CSF.
What Benefits We’ve Seen from Using the BCEB
It’s a useful communication tool going forward because we can draw on the body of work we’ve done with it.
It enables us to strategically choose where we are going to invest our time or resources.
It helps us see where we have gaps so that we can address them in a prioritized approach (e.g., via communication platforms with senior leaders). It would have been tougher to do this had we not been doing the self-assessment and associated analysis.
From a process perspective, the integration of the Baldrige Criteria categories in the BCEB has helped us apply some learning from BCEB discussions to our continuous-improvement efforts.
It has prompted us to involve cross-functional staff members in the process, which helps non-technical people understand information security work.
It has been helpful in giving Steffani Webb (the vice chancellor for administration) a deeper understanding of cybersecurity so that she can be a greater advocate for cyber-related issues and help other lay (non-IT) people in our organization understand what’s happening and important with cybersecurity. At the same time, this helps others get to know the IS Team better and increases confidence in this team.
It has helped us demonstrate support for information security work from our organization’s leadership.
It has helped us improve relationships with others and get the right solutions to end users in a broader organizational context.
It has helped the Information Security Team establish a better approach to intake, response, and follow-up through prioritization in communications and status updates to customers.
Sample Communication to Prepare Staff Members for Use of the BCEB
To prepare members of her organization’s Information Security Team for the launch of self-assessment work using the Baldrige Cybersecurity Excellence Builder (BCEB), Steffani Webb crafted her preliminary communications to them with care.
“I knew that they were all kind of nervous about this process (e.g., thinking that it was some kind of a test that they might not have all the answers for), so I chose to use the AIDET format [Announce, Introduction, Duration, Explanation, Thank you] to get us started,” said Webb, vice chancellor for administration at the University of Kansas Medical Center (KUMC).
Following are excerpts from the remarks she prepared for the May 2017 kickoff meeting with KUMC’s Information Security Team.
Announce: We will be using a new tool from the Baldrige Performance Excellence Program at NIST called the Cybersecurity Excellence Builder to complete a self-assessment to determine our cybersecurity maturity and then use this tool to help us develop an action plan to upgrade our cybersecurity practices and management.
I don’t think that it’s overly dramatic to say that we’re going to transform our Information Security Department through this process. And this will also be a key piece of KUMC’s overall improvement effort.
This is not a test! You have permission not to know the answers.
Introduction(s): Around the table—name, role/expertise, and what we each hope to get out of this.
Duration: This will take time. We will have a series of weekly 2-hour long meetings to work on this from now through the end of the year, and I’m very excited to get started on this.
Explanation: What we’ll be doing and why.
WHY: IT infrastructure is critical in our organization. The Academic Health Center operating environment is complex and places many demands on IT and IT security (as you know). The Legislative Post Audit (and some internal audits) highlighted the need for us to align policies, processes, and resources to support Information Security. We have a really good team, we have been doing good work in a very challenging environment, and we have made a lot of progress. This process will be very helpful to our continued development.
Tom [Field, associate vice chancellor for organizational improvement] will facilitate our sessions.
We’ll start with just the Information Security team, focusing on the Organizational Profile and Results/Category 7.
When the time is right, we’ll expand the group to include key stakeholders, collaborators, and partners—as determined by this team.
We’ll capture the details that emerge from our discussions during each session and then work together to create a document that synthesizes all of this.
We have the opportunity to help others while improving our own organization.
Thank you for the opportunity to work together with you on this important initiative. Thank you for participating in this, and thanks in advance for the time and effort that you’re going to devote to this.
Improve Your Organization’s Cybersecurity Risk Management Efforts
The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance.