There is little argument that today’s cybersecurity attacks foreshadow more intense and harmful events to come, as the growth of such incidents in the last few years alone shows. Cyber attackers have both the desire and the means to conduct these offenses; they are organized, well supported and use increasingly sophisticated methods.

Combine this with the fact that our society has become highly dependent on technology and connectivity, through mobile devices, the Internet of Things (IoT) and the demand to share information quickly, and the need to protect against cybersecurity attacks becomes paramount. Add the ever-increasing threats to critical infrastructure, and the stakes grow exponentially.

Recognition that the U.S. needed broad safeguards against attacks that could disrupt critical systems led President Barack Obama to issue Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The order directs the government, in collaboration with industry, to develop a voluntary risk-based cybersecurity framework. EO 13636 states: “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

The EO 13636 initiatives include:

  • Develop a technology-neutral voluntary cybersecurity framework
  • Promote and incentivize adoption of cybersecurity practices
  • Increase volume, timeliness and quality of cyber threat information sharing
  • Incorporate strong privacy and civil liberties protections into every initiative to secure critical infrastructure
  • Explore the use of existing regulation to promote cybersecurity

In response to the order, the National Institute of Standards and Technology (NIST) collaborated with ISACA and industry partners to create a risk-based framework focused on cybersecurity. This framework, the Cybersecurity Framework (CSF), supports quick wins by using an iterative approach to adopting a stronger cybersecurity posture.

The CSF’s components include the framework core, implementation tiers and profiles. The framework core consists of five functions (identify, protect, detect, respond and recover) and includes activities, desired outcomes and applicable references (COBIT, for example).

Implementation tiers provide context and identify the degree to which an organization’s practices exhibit the characteristics defined in the framework (comparable to COBIT process capability levels); they range from Tier 1 (Partial) to Tier 4 (Adaptive). Profiles describe outcomes based on business needs; comparing the current profile with the target profile reveals the gaps and helps prioritize efforts based on risk. Additionally, the CSF provides implementation guidance using an iterative, flexible seven-step process.

The adoption of a framework in an enterprise can typically be boiled down to two general approaches:

1) a gradual approach, starting small and building on initial successes, and

2) going “all in” across the enterprise.

Regardless of the type or size of the target environment, it is generally best to use a gradual approach, which is exactly why the CSF is a great fit with COBIT. COBIT is principles-based, provides a holistic approach to adopting governance and management of enterprise IT, has a solid implementation methodology, and its assessment program offers a sound approach based on industry standards. Therefore, COBIT is a natural fit for adopting not only governance of enterprise IT (GEIT) but also cybersecurity practices based on the CSF.

Organizations execute policies and deliver services through processes, practices and activities. To adopt cybersecurity practices within an organization, it makes sense to leverage a framework that already has industry recognition with regard to processes. COBIT’s process reference model is a well-organized and helpful reference that fits nicely with the CSF and, ultimately, helps enterprises achieve the governance objective of realizing benefits while optimizing risk and resources.

COBIT is also consistent with generally accepted corporate governance standards and maps to a multitude of relevant standards, frameworks and bodies of knowledge. This helps create a common language between IT and the business, yielding a more holistic, integrated and complete view of enterprise governance and management of enterprise IT that is ultimately based on stakeholder needs.
