Finding a framework for managing cybersecurity

How does an organization determine its cybersecurity maturity and – in particular – whether it has the framework, model and compliance to work with controlled or otherwise vulnerable data.

This area is critical in the new normal of remote work environments: the Ladders Quarterly Remote Working Report showed “18 percent of all professional jobs are now remote” and an estimated 20 million-plus professional jobs “will not be going back to the office after Covid”.

This change to more permanent remote work opens the door for substantial, increased security risk across all organizations and government agencies. For example, starting with equipment, a company might own the laptop its employee uses remotely but its connectivity is still going through a personal internet router, likely to be out of their control.

A recent cyber-attack in the USA targeted personal routers with malware. The resolution involved re-setting the router to factory settings and changing the password. But was this a widely-known and understood issue among consumers?

If organizations aren’t thinking about security from a best practice perspective, this is opening the door to some big issues. But it’s also about getting the balance right.

Sufficient cyber security versus the ability to function

From a cybersecurity professional’s perspective, a security model tends to focus on intrusion and “hardening”. This isn’t surprising because the stakes are high: a user clicking on an email link can cause an entire hack to happen, leading to data theft and a potential ransom demand to get it back.

While few companies enjoy high maturity in cybersecurity, hackers’ maturity is only getting higher – and if companies don’t step up, their technology users won’t understand the threats and will make mistakes.

However, the problem with locking down systems is the disconnect with users’ need for usability. Instead, security needs a framework that works symbiotically with people so they can do their jobs without it becoming the “Wild West” for critical systems.

So, where should companies begin when selecting a framework?

Frameworks for cybersecurity – missing the “how”

The subject of maturing security models is a hot topic across the globe now. Many "new" (or revamped) cybersecurity models are popping up due to the fallout from the pandemic and increased remote work, making cybersecurity more critical than ever.

These "new" models use components (in part or whole) of ISO and NIST cybersecurity frameworks, which define requirements (e.g., the what and why) but in most cases don’t address fully – or at all – the how of best practices.

Additionally, many cybersecurity models lack integration guidance across other models and organizational units. The result is a disjointed and confusing effort that leaves organizations to piece together disparate industry-standard models with their existing environments.

ITIL 4 – structure and stability for cyber security

ITIL 4 best practice, in the context of cybersecurity, is the “legs” beneath the security “table”; providing a structure and stability that ensures the approach companies take is solid.

Importantly, ITIL 4 provides guidance for how to adopt, utilize and integrate cybersecurity best practices. ITIL fits the bill because it’s based on not just one element but the entirety of the service value system. If your organization has followed, integrated and communicated the best practice approaches in ITIL, I would bet you have heightened your chances of being cybersecurity compliant.

Specific guidance in ITIL 4’s information security management practice notes how it should be part of all planning activity, considered in all improvements so not to create vulnerabilities and understood by all stakeholders. Information security should also be built into all components and any security incidents require detection and correction.

Ultimately, the ITIL framework ensures an organization is doing the right thing and creating a security structure which is the best defensive offence you can have.