NIST Offers Practical Guidance to Strengthen Your Company's Cybersecurity Program

Introduction

In the ever-evolving landscape of cybersecurity, protecting your company from threats has become paramount. As the new head of cybersecurity, one of your key responsibilities is to demonstrate the progress and improvements made to your CEO and customers. But how do you measure and present these advancements in a meaningful way? The National Institute of Standards and Technology (NIST) has stepped in to provide invaluable guidance on this matter.

NIST's Revised Guidance

NIST has recently released a draft publication titled "NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security." This comprehensive document offers a roadmap for creating a practical information security measurement program. It aims to help organizations develop an effective program and devise information security measures aligned with their performance goals. NIST is inviting public comments on this draft until March 18, 2024.

Going Beyond Qualitative Descriptions

Traditionally, many organizations have relied on qualitative descriptions of risk levels, using simplistic strategies like stoplight colors or five-point scales. However, NIST urges companies to communicate using concrete data instead of vague concepts. By transitioning from qualitative to quantitative descriptions, businesses can reduce ambiguity and subjectivity. For example, instead of stating a risk level as "high" or "medium," they can provide specific numerical data, such as the percentage of authorized system user accounts belonging to current or former employees.
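As an added illustration (not code from the NIST draft or from this article), the following Python computes an account-ownership measure of the kind described above from a constructed account list and HR roster; the data, the "unknown" bucket and the target threshold are assumptions.

```python
# Constructed sample data (assumption, not from the NIST draft): one system's
# account list and an HR roster. A real program would pull these from the
# IAM platform and the HR system of record.
ACCOUNTS = [  # (username, employee_id or None for unowned/service accounts)
    ("alice", "E100"), ("bob", "E101"), ("carol", "E102"),
    ("dave", "E103"), ("svc-backup", None), ("erin", "E999"),
]
HR_ROSTER = {  # employee_id -> employment status
    "E100": "current", "E101": "current", "E102": "former", "E103": "former",
}


def classify_accounts(accounts, roster):
    """Bucket each account by the employment status of its owner.
    'unknown' covers accounts with no owner or an owner HR has no record of."""
    counts = {"current": 0, "former": 0, "unknown": 0}
    for _user, emp_id in accounts:
        counts[roster.get(emp_id, "unknown")] += 1
    return counts


def account_ownership_measure(accounts, roster):
    """Quantitative measure in the SP 800-55 spirit: percentage of authorized
    accounts held by current employees, former employees, or nobody HR knows.
    This replaces a 'high/medium/low' label with a number that can be tracked."""
    counts = classify_accounts(accounts, roster)
    total = len(accounts)
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def orphaned_accounts(accounts, roster):
    """Actionable companion to the measure: accounts not owned by a current
    employee, i.e. the ones an access review should remove or re-own."""
    return [user for user, emp_id in accounts
            if roster.get(emp_id, "unknown") != "current"]


def meets_target(measure, max_non_current_pct=5.0):
    """Assumed target (5 %): share of accounts outside current staff must not
    exceed it. A measurement program pairs each measure with such a target."""
    return measure["former"] + measure["unknown"] <= max_non_current_pct


if __name__ == "__main__":
    m = account_ownership_measure(ACCOUNTS, HR_ROSTER)
    print(m, "target met:", meets_target(m))
    print("review these accounts:", orphaned_accounts(ACCOUNTS, HR_ROSTER))
```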

Tailorable and Practical Approach

The draft guidance from NIST is a response to the growing availability of security-related data and the need for effective utilization. While the guidance is not prescriptive, it offers a tailorable approach that caters to different organizations' needs. Katherine Schroeder, one of the publication's authors, emphasizes the importance of finding a process to measure what matters most. Organizations don't need to crunch every number but rather focus on relevant factors that align with their goals, such as response time and impact on the mission or bottom line.

Two Volumes, Different Audiences

The publication comprises two volumes, each targeting different audiences within an organization. The first volume is primarily for information security specialists. It provides guidance on prioritizing, selecting, and evaluating specific measures to determine the adequacy of existing security measures. The second volume is designed for the C-suite, outlining how organizations can develop an information security measurement program. It offers a step-by-step workflow for implementing the program over time.

Enhancing Communication and Resource Allocation

While qualitative descriptions still have their place in certain circumstances, transitioning towards a measurement-focused approach improves communication within an organization. Using metrics as a common language bridges the gap between technical teams and management, allowing for a better understanding of information security. Metrics enable organizations to assess the effectiveness and efficiency of controls, policies, and procedures, ultimately aiding resource allocation and identifying areas for growth and improvement.

Joining the Information Security Measurement CoI

To further enhance knowledge sharing and collaboration, NIST is proposing the establishment of a Community of Interest (CoI) for information security measurement. This CoI aims to bring together individuals and organizations interested in working together to refine the body of knowledge, share expertise, and identify opportunities for growth and improvement. Those interested in joining the Information Security Measurement CoI or providing comments on the draft can email cyber-measures[at]list[dot]nist[dot]gov.

In conclusion, NIST's draft guidance on measuring and improving cybersecurity programs offers invaluable support to organizations aiming to enhance their information security. By transitioning from qualitative to quantitative descriptions and utilizing relevant metrics, businesses can effectively communicate progress, bridge gaps, and allocate resources more efficiently. Joining the growing community of information security measurement enthusiasts can provide further opportunities for learning and development. Embrace this guidance and take your cybersecurity program to new heights.