The National Institute for Standards and Technology has published a draft questionnaire that companies and other organizations can use to assess their cybersecurity “maturity” — a response, NIST says, to demand from the private sector.
Boosters say the document will help specialists explain the importance of cybersecurity to the company’s bottom line — the “holy grail” of business cybersecurity. But some critics have questioned how useful it will be to smaller companies.
The Baldrige Cybersecurity Excellence Builder is one of a number of tools NIST offers that are named for the Reagan-era Commerce Secretary Malcolm Baldrige, credited as one of the leaders of the quality management movement in the 1980s.
It’s designed to walk organizations through the process of figuring out “how to integrate cybersecurity risk management … into larger enterprise business practices and processes,” Matthew Barrett explained to FedScoop. Barrett is the program manager for the NIST Cybersecurity Framework — a document that catalogues the five areas of cybersecurity every company needs to know: identify, protect, detect, respond and recover.
Less of an art, more of a science
According to IT research company Gartner, the framework has been adopted by 30 percent of U.S. organizations since it was published in February 2014. That figure is expected to rise to 50 percent by 2020.
But Barrett said the draft excellence builder could be used by companies that don’t employ the framework. “You could be using [International Standards Organization standard] 27001 or COBIT, and it will still be useful.”
Regardless of the standards a company is using, “There are difficult trade-offs to be made” integrating cybersecurity risk management into business practices, Barrett said.
The excellence builder is designed to make “those difficult decisions … less of an art and more of a science,” Barrett said.
NIST is accepting formal comments on the draft until Dec. 15, he added.
Barrett said there were two main audiences at whom the document was aimed: Cybersecurity specialists within an organization and business executives more generally, “the people who run the lines of business” — human resources, sales, operations — “that make the company run … They need it to understand why and how cybersecurity is important to them.”
For the cybersecurity specialists, he said, it will “help them articulate cybersecurity’s impact on [the company’s] finances,” which he called “a holy grail.”
Moving the needle
The draft excellence builder was released Sept. 15 at the Internet Security Alliance’s annual conference in Washington, D.C. by Deputy Secretary of Commerce Bruce Andrews who said it “answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework.”
The questionnaire enables companies to assess the maturity of their cybersecurity practices on a four-stage scale: “reactive,” “early,” “mature,” or “role model.”
“The self-assessment criteria are basic enough that they could apply to organizations of any size,” said Barrett. But critics aren’t so sure.
Larry Clinton, founder and CEO of the alliance, called the excellence builder “a pretty sophisticated tool,” but added that meant it was really most useful to larger enterprises.
“Most companies of that size already have self-assessment programs they’ve developed” which take into account their particular sector, market etc., he said. “The much greater need is for smaller businesses, who are overwhelmed by the NIST framework.”
“We need to be focussing on the area of the greatest need … which is smaller companies.”
For those businesses, he said, “I don’t see how this moves the needle.”
It’s the journey, not the destination
During the public comment period, Barrett said, he expected to see a great deal of discussion on the topic of measurement.
The self assessment element of the excellence builder “helps you figure out where you are on the [maturity] scale,” he said. But that was likely to prove controversial.
“Measurement [of cybersecurity] is universally considered both very important and very difficult,” he said, adding that was why the Baldrige document was important.
The Baldrige name has also become synonymous with a series of quality management awards, bestowed by the federal government and awarded by the president himself.
But regardless of the prestige attached to the award, Barrett said “The recognition is less important than undergoing the process” of implementing Baldrige quality management practices.
“The journey is much, much more important than the destination,” he said.