
Good afternoon, BSides Vancouver, how are you all doing today? My name is Josh Sokol. I'm here to talk to you guys about measuring cybersecurity maturity with the NIST Cybersecurity Framework. I wish I could be there in person. I got the opportunity to be there a couple of years back for the conference and it was amazing. I'm missing all of your beautiful faces, the beautiful mountains, and I do sincerely hope to be able to get back there someday.

As I mentioned, I'm Josh. I'm a CISSP. I've got over 10 years of experience running the security team at National Instruments, a big 1.6 billion dollar a year organization, but I founded an organization called SimpleRisk back in March of 2013 because I realized that spreadsheet-based risk management just flat out sucks, and the GRC tools that are out there to help you manage it are too expensive for most of us. I'm a former OWASP board member and my specialties are around organizational governance, risk management, compliance, and the secure application development life cycle, bringing my OWASP-ness back into there, and origami folded dollar bills. It started as something that I did for my very firstborn daughter when the tooth fairy came, and it just continued with the other three, and now I've gotten really, really good at it.

Things that we'll cover today: first off, what organizational cybersecurity maturity is. We'll talk about creating an effective roadmap, how to assess both your current and desired levels of maturity, how to define risks, and then ultimately how we prioritize what we've come across there.

A little bit of background. I originally gave this talk with a co-worker named Alex Polamini. Alex ran the IT compliance team at National Instruments at the same time that I was running the information security program, and one of the things that we found kind of interesting is that there is this relationship between information security and compliance. On the security side, you're defining the technical controls for the organization and then you're responsible for enforcement of those controls. On the compliance side, they're helping to define the policies, the guidelines, the standards and the procedures, and then they validate compliance with the defined requirements. So there's kind of this yin and yang relationship between the two organizations.

We were asked by our management to assess our organization's cybersecurity maturity and to create a roadmap for National Instruments and our information security program. We started off using Gartner, which was pretty cool, but the advice that came out of the Gartner assessment was very high level advice. It was far from a roadmap, something that we could actually take to our management team and say we need to do things A, B and C in order to get to this level of maturity.

So what exactly is organizational cybersecurity maturity? Organizational cybersecurity maturity speaks to how effective the people, the processes and the technology are at mitigating our cybersecurity risks. So as an example, you might have an immature control. An immature control would be a people, process or technology that management can and should place very little confidence in regarding their overall cybersecurity risk mitigation plan. An example of an immature control would be an endpoint where you only have very basic password protection and that's it. A more mature control would be a people, process or technology that management should place more confidence in regarding their overall cybersecurity risk mitigation plan. So take that same endpoint where we had the immature control, but now add in full disk encryption, complex password requirements, multi-factor authentication and so on. You can see how management would be more willing to place confidence in that second control set versus the first.

So now let's talk about roadmaps. How do we create a roadmap for our cybersecurity maturity? It starts off just like any roadmap. If you were going to go on a trip, you would start with where you are right now, probably your house, and then you would end up with where you want to get to. Maybe it's a park somewhere, maybe it's a building you need to go to, and then everything in between is your roadmap. A roadmap is literally telling you how I get from point A to point B, and that's what we want to define for our cybersecurity maturity.

So really what we want to do is start by assessing where we are today, and in order to do this we need to identify a control framework that embodies whatever it is that we're looking to assess. Are we trying to protect our customers' privacy data? Are we securing credit cards? Are we creating a super duper top secret system? Each one of these is going to have different requirements, and we want to make sure that whatever we're doing, we're using a framework that embodies those requirements. When we were looking at this at National Instruments, we considered a whole bunch of different frameworks. Some of those include things like NIST 800-53, 800-171, the NIST Cybersecurity Framework, ISO 27001, which is big because it's an international standard, and HITRUST. But after going through these we kind of realized 800-53 is more for the federal organizations; 800-171 is for organizations that do business with the federal government, but certainly something that we could consider; ISO 27001 was a good place for us to look at, but it is proprietary, as is HITRUST, which is also proprietary. So we ultimately settled on the NIST Cybersecurity Framework. We settled on that because it was free, it was a really good best practices approach, and when you looked at it, it was relatively complete, at least within the area of cybersecurity. There are certainly other areas, like privacy, where it lacks, but with respect to cybersecurity it's actually a pretty decent document.

NIST splits it down into five different functions: you have Identify, Protect, Detect, Respond and Recover, and each of those functions has several categories. There are actually 23 categories in total, and each of these categories is split into further subcategories. So you can see here our categories of asset management, business environment, governance and so on, but those get split off into subcategories. If we look at asset management it looks something like this: we have ID.AM-1, 2, 3, 4, 5 and 6. You can call them subcategories or you can even refer to them as controls. Each of these is a thing that you need to do in your environment in order to ensure the environment is operating effectively, that there are controls in place to ensure the security of our data, of our systems and so on.

So now how do we assess our current maturity, or at least how did we assess our current maturity? It starts off by establishing the criteria you are going to assess yourself against. When we were looking at this, we defined our criteria by reviewing the Cybersecurity Framework, by looking at COBIT, and eventually we kind of landed on these values. That said, these are very similar to what you would find within the NIST capability maturity model, CMMC, which was actually released after we did this exercise. If I had to do it again today, I probably would standardize more around the language within the CMMC.

Basically what we do is break this off into six chunks. We have level zero, which says, hey, we haven't implemented this at all, or it's not applicable in our environment. We have the performed process, which says individuals do it, but it's defined mainly on tribal knowledge and answers will vary between teammates. You have the managed process, where an owner has been identified and some documentation exists, but there's really no formal documentation in our organization. Then you have an established process, where an owner is identified and they're being held accountable for the area; you have formalized policies and procedures that already exist. Then you move up to predictable, and predictable says not only is your process established, so we've done everything up to level three, but it's either audited by management or third parties with consistent results. So we're able to display over and over again, year after year or quarter after quarter or whatever our period looks like, that we are following our processes. And then level five is optimized, and this is kind of the peak of your criteria. This is automated processes; you have a closed feedback loop where if something goes wrong, you're able to feed that back in, improve the process and so on. We know that it works; there's very little to improve upon in this situation.

Now it's really important to note here that most organizations will never have all of these, or even most of their controls, at a level four or five. In fact, if you look at CMMC, for most organizations what they're looking at is for you to become a level three, so you have those established processes, people held accountable, formalized policies and procedures and so on. If I give you any advice on that, that's probably where I would start, looking at that as your baseline of where you want to get to.

We have to look at this in the scope of each of our controls. So if we look at our Cybersecurity Framework, ID.AM is asset management under the Identify category, and we need to figure out what exactly we're going to do here. We take each of those subcategories, ID.AM-1, 2, 3 and so on, and we define what our current capability is. We use that same assessment methodology that I talked about before, and we've determined that for ID.AM-1 we're optimized, 2 is predictable, 3 is established, 4 is managed, 5 is performed, and then 6 is not implemented. Now these are just examples, right? We're trying to give you some examples of how this would look if you were to perform it yourself, but this is what we created here.

Now I have some advice for you when you're going through this process. First off, be honest with yourself. While your understanding of the environment is kind of a gut check at times, you should be able to provide reasonable examples to support your grade, or to refute it to others. Stay consistent; make sure that when you look at something, you're looking at it within the broader context of your organization. And then err on the side of caution: being too optimistic can cause trouble from a compliance perspective.

A second bit of advice for you guys: consider your environment as a whole. Don't look at your environment as just individual users or individual teams. When you're looking at these controls, you have to look at your entire organization and how your organization adheres to this. You may have certain teams that are doing really, really well, but they're the exception, they're not the rule. Look at the overall organization. How are you doing it? How standard are the processes? Is every team following those processes? If you went to two different managers, would you get the expected response, or would they differ? That's how we know where we're sitting.

Now the third bit of advice that I have for you is to be prepared to defend your responses. When I say defend, I don't mean like a fist fight or something like that. What I mean is that at some point management is going to ask you, well, how did you arrive at this grade for this particular control? And you need to be able to justify that. So keep notes. Keeping notes will help you to judge your future state; it'll help keep your thoughts consistent throughout the process so you can understand why you made that decision the last time you made that decision. And understand that inaccuracies will lead reviewers, and even our management, to question the entire gap assessment. So if you mess up one of these controls and you don't have proper documentation, you're not able to justify why you did what you did, then chances are management will come back and go, well, I don't know if we can trust these results at all.

In terms of assessing our desired maturity, we need to understand a few things. First, we have to understand our current risks. What are the risks that sit in our environment currently? Second, you have to look at your regulatory compliance, so the regulatory requirements are going to shape, at a minimum, our minimum requirements. How do we comply with all of our mandatory regulations in the most efficient means possible? And then lastly, we need to understand management's risk appetite. Risk appetite is going to play a major part of this and it will require you to calibrate with management. This isn't just a "what does Josh think" or "what do Josh and Alex think". Eventually management's going to be brought into this and you're going to have to share what your results were. You have to tell them why you made these justifications, why you said that this got this grade and this one got this one. Your overall goal here is to set your desired state to the value that gives management comfort over the risk. As I said, that might not be an optimized process, that might not be that level five. It might be a level three, or in some cases it might be a "hey, we don't even care about that control, so it's not applicable". Now this is going to be especially hard for folks who are routinely audited, but don't let perfection become the enemy of good. You're not trying to get perfect, you're not trying to have fives across the board, you're just trying to have a good state where your controls are operating effectively, where your maturity is what management expects, so that they have comfort over the process. And a little fourth bit of advice here for you: be reasonable. Not all risks require optimized solutions, as I said, so don't let perfection become the enemy of good.

Now when it comes to our desired state, we would like to do the same thing. We want to use the same criteria so that we can compare them against each other. So again we have these levels zero through five, going from not implemented or not applicable up to optimized process, and as a reminder here, very few organizations are ever going to get to that level 5. Having all controls at level 3 or higher is probably a good target for us.

So in terms of our desired maturity, we look at our current capability and now we're looking at our desired, and you can see here I've said that ID.AM-1 is optimized, ID.AM-2 is predictable, 3 is established, but 4 is where we differ. So our controls are at our desired level of maturity for one, two, three. For four, we realize that our current capability is managed, but we want to be established. For five, we realize that's performed, but we want to be established. And for six, we want this to be predictable, but we're not even doing it at all. So we're now looking at our current level of capability versus that desired capability.

Now once we have this, our next step is to add notes and to assign ownership. We want to be able to say here's the reasons why we made these decisions, here's why I said that this is an optimized process, here's why our desired capability is X, and so on. And then owners: who is going to own this control? Because ultimately, me and Alex, we're just two people, and we don't have control over every single one of these controls. In fact, we don't have control over most of these controls. If I look at this list here, I've labeled it systems management for three of them, architecture for one, network administration for one; information security only owns one of these controls. So we need to make sure that we are relaying this information to the right people.

Now when we are looking at these controls, everywhere we see a current capability that does not match a desired capability, this is where we start to see risk. So we need to figure out how we define risk. Where there's a gap, there's a risk. As I mentioned earlier, we have one, two and three where our current capability matches our desired capability, which is awesome, we're good on those, but the other ones, they're not matching, and so we needed to define risk for each of these. Here's an example. I took ID.AM-5. We said our current capability is performed, meaning individuals do it, but it's defined mainly on tribal knowledge and answers will vary between teammates. Then we have our desired capability. Our desired capability is established, meaning an owner is identified, held accountable for the area, and we have formalized policies and procedures. So if we look at the difference between these two, that gap, that's our risk, and our risk in this case is that we don't have defined processes or ownership for the prioritization of resources based on classification, criticality and business. So we've basically summarized the subcategory and we've talked about the gap between our current capability and our desired capability.

Now we can use a GRC tool to capture controls, risks and so on, and this isn't an advertisement for SimpleRisk or really any other tool for that matter, but it certainly makes things easier when we are going through this process. So the first step is to define our controls. We have our controls, we got that list from the CSF, and for each of these controls we can look at the short name, the long name, our control number, we can look at that current control maturity and our desired control maturity, we can define priorities and phases and families, and then we can even map a control against multiple different frameworks. Now the screenshots that I'm showing here, these come out of SimpleRisk. Again, SimpleRisk is free, it's open source, so you can download it and use it and you'll have access to this capability, but there's plenty of other tools out there, and if you really want to do this in Excel spreadsheets or whatever, you can certainly do that as well.

Once we've defined our controls, next we have to capture risk, and the way that we capture risk is entering that risk into the system. We give it a subject. In this case we said that there's no defined process or ownership for the prioritization of resources based on the classification, criticality and business. So we've basically taken that risk that we captured and entered it into our system. From here we need to determine the score of our risk, and the score of the risk is going to be based on a few different factors. First you're going to look at the degree of the difference between current and desired state. If our current state is we're not doing it at all and our desired state is we want this to be an optimized process, we've got a pretty big gap there, and so our risk is probably going to be much, much higher. Next we look at the potential operational and financial impact given a complete failure of the process. If you look at the image on the left, that's going to show you the impact selections that we have in SimpleRisk by default, and you can change those, but in this case we go from minimal all the way up to severe. For this particular one we just say it's moderate. And then lastly we look at the likelihood of a complete failure of the process, and in this case I said it's almost certain. So this is how we're determining the risk.

Now once we do that, there's all sorts of other values that we can populate as well. You can define your categories, your locations, your technologies, your teams; you can set your resource and the scoring method; you can give an assessment; you can add tags and things like that. Ultimately, when you hit submit, the end result is that you're going to have a risk score, and your risk score is going to be automatically calculated. In this case I calculate a score of a six, so that's a six on a zero through 10 scale, meaning that's going to be a medium level risk for our organization.

Once we have that risk, though, now we get to decide what we're going to do with it. We've cataloged the risk, we understand what the risk is, now we have to plan the mitigations for the risk, and in this example it's about documenting our desired maturity and what we need to do to get to that point. In this case I said, hey, my mitigation planning date is for December 31st, meaning I want to get this done by the end of the year. My strategy is to mitigate this. I said my effort is considerable. We've got the team that's responsible for that. I've defined my current solution as currently being performed by individuals on an ad hoc basis, and I said my requirement is that we need to document the process for prioritization of resources based on classification, criticality and business. Now there's one other thing that I want to do here as well, which is I want to map this to the controls. I want to be able to say that this particular risk belongs to this control and basically create that relationship between the control that I'm looking at, in this case Cybersecurity Framework ID.AM-5, and the risk that I'm creating here, so we can go back at any point in time and say, all right, where are all the risks associated with asset management, as an example.

Now once we get to this point, our next step is to define our roadmap, to prioritize what we want to do first. To do this there's a few different tactics that we can use, a few different ways that we can look at the data that we've gained back. The first is to assess our maturity gaps. We can take a look at all of our different levels of maturity that we've created here, our current level of maturity and desired level of maturity, and we can map this. A spider chart is a great way to look at this. It breaks it out by each of those different families, so you can look and go, wow, I'm doing really, really well right now with asset management, but man, I really suck at secure engineering and architecture. Now you're able to give management pictures, and they say a picture is worth a thousand dollars. You're able to give them pictures that kind of depict your level of maturity, and when you start talking about your roadmap, you're able to look at this and go, well, here's why I think we need to invest more in secure engineering and architecture. From there we can also look at our gaps, and our gaps are going to show us the things that are below maturity, at maturity, or above maturity. In this case, below maturity, these are the things that I need to work on, so we have ID.AM-4, 5 and 6 in this case then bubbled up, and we've said, hey, we're not at our current level of maturity, these are the things we need to target in terms of closing these maturity gaps.

Now with respect to risk, there's a few different ways that we can look at this as well. The first is that we can look at burning fires. These are the high priority items in our environment, so think of things that are most likely risks, that are scored by the highest level of impact and the highest level of likelihood. These are things that could cause serious business interruption or even financial loss to the company if they were to be realized, and in SimpleRisk we have something we call the high risk report which helps us to identify these. It basically just calls out all of those high and very high level risks so that we can review those and make plans to deal with them. Those are the burning fires.

The next thing is a quick win. A quick win is the low-hanging fruit. These are things that can be accomplished without much assistance from other teams, and they require little to no financial or personnel investment. In SimpleRisk we have something called the risk advice report. Risk advice is going to look at the level of effort to mitigate that risk, and that's the value that you define, versus the risk level. So in this case we can look at the first one. We can see that was a trivial, it's a 3.6, so that's going to be the top of our list. Then the next one is a 3.6 and the next one, then we get down to 2.4. If you take this approach, these are all going to be quick wins. These are going to be things that are relatively easy. They may not necessarily get rid of the highest level risk in your environment, but they're going to be things that you can enact in a very short amount of time with a very small number of resources.

Number four is long-term work. These are thematic issues. As an example, your company may lack some formal documentation, so maybe we want to go and create a policy revamp project, and that's going to create documentation for all of the different things that we need, so we can address all of those issues with that single project. In SimpleRisk we can create a project, we can link multiple risks together within that project, and so then you can see, hey, here's the project that we're going to use in order to address those risks.

Then number five, we have management goals and objectives, and this is important because these are usually the things that management cares about the most. So ask yourself, does your company or your department currently have any ongoing goals or initiatives that these projects can support? I'll give you a couple of examples here. At one point we had a situation, or a desire, to reduce office space in certain areas of the world, and so if your organization is actively trying to reduce office space, then maybe there's some issues there, maybe we need to prioritize something like a remote access policy, and that might be a very quick win that your security team can get that supports leadership's initiatives directly. Another example might be if your company is trying to make a push towards increasing automation, providing guidance regarding the processes needed, so you can use that to integrate optimized controls and drive automation into the process, and that can help build out a pipeline while accomplishing security and compliance. This kind of approach really helps when it comes to tackling these things, because you're working on the things that management cares about most.

Now a quick note on ownership. With respect to ownership, there's kind of these three pieces. Management is going to own the control environment. They're going to own the remediation. They're responsible for defining the course of action and directing any projects, and this sometimes runs counter to what we think as security practitioners. A lot of times as security practitioners we feel like we're Atlas with the weight of the world on our shoulders, because all these issues, if any of them come true, we feel like we're the ones who are going to get fired if that particular thing comes to fruition. The reality is, as security practitioners our job is to assess risk and convey risk. We're supposed to find the issues and make sure that management is aware of the issues, but management is ultimately the one with the budget and the personnel resources to make the decisions. So we need to make sure that we put the proper controls in place, and then management owns the control environment and those remediations. Secondly, management consults with security and compliance. We're centers of excellence; we provide that consultative service, but we don't engineer, we don't implement the changes. Again, our job is to assess and convey. And then lastly, security and compliance validate that management has effectively mitigated the identified risks and communicate the overall status to IT leadership. So those are the pieces that we want to keep in mind as we go through this process: management owns the controls, the frameworks, the mitigations, the remediation, and they consult with security and compliance in terms of what are the things that we should be doing, and then security and compliance validate.

All right, now we're getting towards the end here, so I just wanted to summarize what we've talked about at this point. First of all, this technique can be used for assessing the maturity of just about anything, as long as you have a standard to base it off of. We used this example with the Cybersecurity Framework, but if you're trying to do a privacy assessment, use the NIST Privacy Framework or use GDPR, right? So you can leverage different types of frameworks for different types of assessments. Secondly, in our case, leveraging the NIST Cybersecurity Framework was great for assessing our overall information security program. It was that very broad idea of data security and how we apply that to our organization. Third, it's all about determining where you are and where you need to get to. So again we go back to that roadmap concept and how we figure out the path that we're going to traverse from point A to point B. And then lastly, risk management is an integral part of the process, and SimpleRisk is free. So I appreciate your time today. Thank you for listening to the presentation, and I'll be sticking around to answer any questions that you guys have. So thank you very much, take care.
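As an added example (not the speaker's material and not SimpleRisk's code), here is a small Python model of the method the talk walks through: the six maturity levels, the current-versus-desired grades for ID.AM-1 through 6, each gap turned into a risk record, a 0 to 10 score from gap size, impact and likelihood, and the "burning fires" and "quick wins" orderings. The scoring formula, rating thresholds, impact/likelihood/effort scales and per-subcategory owner assignments are constructed assumptions, chosen so the talk's ID.AM-5 case (moderate impact, almost certain, two-level gap) lands on a medium 6.

```python
"""Added example modelled on the talk's gap-to-risk method; not SimpleRisk code.
Level names and the ID.AM-1..6 grades are the talk's; the scoring formula,
rating thresholds, scales and owner assignments are constructed assumptions."""
from dataclasses import dataclass

LEVELS = {0: "Not implemented / N/A", 1: "Performed", 2: "Managed",
          3: "Established", 4: "Predictable", 5: "Optimized"}
IMPACT = {"minimal": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4,
              "almost certain": 5}
EFFORT = {"trivial": 1, "minimal": 2, "moderate": 3, "considerable": 4,
          "extensive": 5}


@dataclass
class Control:
    ident: str     # CSF subcategory, e.g. "ID.AM-5"
    family: str    # CSF category, e.g. "Asset Management"
    owner: str     # team accountable for the control (constructed assignment)
    current: int   # assessed maturity, 0..5
    desired: int   # maturity that gives management comfort, 0..5

    def gap(self) -> int:
        """Where current falls short of desired, there is a risk."""
        return max(self.desired - self.current, 0)


@dataclass
class Risk:
    control: str
    subject: str
    gap: int
    impact: str
    likelihood: str
    effort: str

    def score(self) -> float:
        # Constructed formula: likelihood x impact on a 5x5 grid scaled to 0..10,
        # then weighted by gap size so a 0-to-5 gap outranks a one-level gap.
        base = LIKELIHOOD[self.likelihood] * IMPACT[self.impact] / 25 * 10
        return round(min(10.0, base * (0.8 + 0.1 * self.gap)), 1)

    def rating(self) -> str:
        s = self.score()  # constructed thresholds on the 0..10 scale
        return "Low" if s < 4 else "Medium" if s < 7 else "High" if s < 9 else "Very High"


def find_gaps(controls):
    """Controls whose current maturity is below the desired level."""
    return [c for c in controls if c.gap() > 0]


def risk_from_gap(control, subject, impact, likelihood, effort):
    """Turn one maturity gap into a risk record, as the talk does for ID.AM-5."""
    if control.gap() == 0:
        raise ValueError(f"{control.ident} has no gap to convert into a risk")
    return Risk(control.ident, subject, control.gap(), impact, likelihood, effort)


def burning_fires(risks):
    """High-priority items: the High and Very High risks (the high risk report)."""
    return [r for r in risks if r.rating() in ("High", "Very High")]


def quick_wins(risks):
    """Risk-advice ordering: least effort first, higher score breaking ties."""
    return sorted(risks, key=lambda r: (EFFORT[r.effort], -r.score()))


def family_summary(controls):
    """Average current vs desired per CSF category: the spider-chart data."""
    totals = {}
    for c in controls:
        cur, des, n = totals.get(c.family, (0, 0, 0))
        totals[c.family] = (cur + c.current, des + c.desired, n + 1)
    return {f: (round(cur / n, 2), round(des / n, 2)) for f, (cur, des, n) in totals.items()}


# Constructed sample: the talk's ID.AM-1..6 current and desired grades.
ASSET_MGMT = [
    Control("ID.AM-1", "Asset Management", "Systems Management", 5, 5),
    Control("ID.AM-2", "Asset Management", "Systems Management", 4, 4),
    Control("ID.AM-3", "Asset Management", "Network Administration", 3, 3),
    Control("ID.AM-4", "Asset Management", "Systems Management", 2, 3),
    Control("ID.AM-5", "Asset Management", "Information Security", 1, 3),
    Control("ID.AM-6", "Asset Management", "Architecture", 0, 4),
]
```

Calling `find_gaps(ASSET_MGMT)` returns ID.AM-4, 5 and 6, the same three the talk's gap report bubbles up, and `family_summary` gives the per-family averages a spider chart would plot.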