Baking in Cybersecurity with People, Processes, and Technology
Govciooutlook

Audrey Story, Deputy CIO, Acting, Director, Portfolio Management and Governance Division at Administration for Children and Families

Baking in cybersecurity means including risk management throughout the organization. It balances employees acting as a human barrier between the organization and security threats, establishing and executing the necessary processes, and investing in security technologies to implement them. The “baked in” achievement is the right combination of people, processes, and technology to evolve the organization's security program.

People

People (the executives, staff, and IT personnel) are responsible for securing sensitive data; processes are the internal guidelines and controls the business follows to meet regulatory requirements and policies aligned to the evolving state and national regulatory framework for enterprise IT security; and technology is the combination of hardware, software, and protocols intended to protect an organization from malicious intent.

The people, process, and technology must align and integrate; alignment involves information sharing and coordination among operational managers in the different areas, as well as some coordination among the strategic planners in those areas.

Integration involves a shared understanding of threats and consequences, and closely coupled risk management strategies among the strategic planners for the different areas, possibly leading to changes in how the areas are defined or managed. Operationally, integration involves collaboration among practitioners in different disciplines. The organization must focus on compliance with standards of good practice, so that cybersecurity governance is strongly identified with compliance; again, this is the “baked in” methodology.

A successful cybersecurity approach has multiple layers of protection spread across the computers, networks, programs, and data it keeps safe. In an organization, the people, processes, and technology must all complement one another to create an effective defense from cyber-attacks. The people and users must understand and comply with basic security principles like choosing strong passwords, being wary of attachments in email, and backing up data.

Processes

Organizations must have a framework, or processes, to manage attempted and successful cyber-attacks. One well-respected framework, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), details how to identify attacks, protect systems, detect and respond to threats, and recover from successful attacks. NIST is one of the nation’s oldest physical science laboratories and part of the US Department of Commerce. The Cybersecurity Framework helps organizations prioritize and cost-effectively tackle cyber risks, provides a common language to discuss cybersecurity, and references existing best practices from around the globe.

The Baldrige Cybersecurity Excellence Builder (BCEB), a voluntary self-assessment tool, enables organizations to better understand the effectiveness of their cybersecurity risk management efforts and of their use of the NIST CSF. The tool helps organizations identify strengths and opportunities for improvement in managing cybersecurity risk based on the organization's mission, needs, and objectives.

Technology

Technology is important to provide organizational resources and tools for work while incorporating computer security tools to avert cyber-attacks. Three main areas must be protected: endpoint devices (computers and smart devices), networks (including routers), and the cloud.

Cybersecurity governance often contributes to the components of enterprise governance that address the enterprise’s dependence on cyberspace in the presence of adversaries; it encompasses information systems security governance. Cybersecurity encompasses all the reactive and proactive actions undertaken to ensure information systems assets are secured and available to authorized persons only.

Cybersecurity is an essential element of an enterprise risk management program. While organizations may never reach zero risk, an acceptable level of risk can be managed by “baking it in” to people, processes, and technology. With such best practices, due care, and due diligence, organizational cybersecurity becomes more effective, efficient, and secure.
