“Technology is a Useful Servant but a Dangerous Master”
-Christian Lous Lange
When technology was introduced to the world, it was like a virus that continued to spread and couldn’t be stopped. Technology has been compared to magic, and according to Einstein it has allowed its users to exceed their humanity. It awed the world with its creations, but it also created a world of monsters taking advantage of every opportunity it has to give. It gives people chances, but it can also take them away by reducing human effort, which can lead to illness and other harms. As technology advances, security matures, and its controls and strategies continue to adapt, producing what is called a cybersecurity framework.
To understand cybersecurity frameworks, we have to understand what cybersecurity is and what it does for us. Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. In today’s technical world, we have all become accustomed to the revolutionary blast of technology. Most people wouldn’t know how to survive without it. Technology has found a way to impact our lives because of its many advantages, such as easy accessibility, time savings, and better communication. These same advantages can easily become weaknesses. Anything that relies on the internet or is connected to it can be affected by a security breach. Technology has made users too comfortable and dependent, which has created a lack of concern for protecting private information online. One single vulnerability is all an attacker needs to compromise your system. Whether it’s our easy-access passwords, the websites we visit, or countless other habits, we as users have to be more aware. Cybersecurity is there to prevent cyber-attacks, which are normally aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Frameworks are voluntary guidance, based on guidelines, standards, and practices, that organizations use to manage, reduce, and improve risk. Putting the two together creates guidelines and practices for organizations to better manage and reduce cyber risk.
I believe everyone should listen to the wise words of David Bernstein when he stated, “With every lock, there is someone out there trying to pick it or break in.” This quote is true not only personally, when we think about our houses and phones, but also professionally, in the workplace with our badges and logins. A lot of people don’t understand why companies and institutions are constantly working to protect themselves with increasing security measures. They feel it’s a waste of time, that it’s repetitive, and some even say it’s not important. However, there are many challenges to building and running a security program. The most effective way is to use a security framework that is customized to define policies, meet business objectives, and provide management controls within the organization. That is why my organization will be a private-sector one like homeland security. The mission of organizations like Homeland Security is to secure the nation from the many threats we face. As the complex threat environment continues to evolve, the Department will embody the relentless resilience of the American people to ensure a safe, secure, and prosperous Homeland. To do that, our national security depends on a stable, safe, and resilient cyberspace. Cyberspace is vulnerable to a wide range of risks, including both physical and cyber threats and hazards. As a result, I chose NIST, a Framework for Improving Critical Infrastructure Security.
In 2013, Executive Order 13636 was signed by President Barack Obama with the objective of establishing a cybersecurity framework to help protect the nation’s critical infrastructure. This framework, known as NIST, was required to: identify security standards and guidelines applicable across sectors of critical infrastructure; provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach; help owners and operators of critical infrastructure identify, assess, and manage cyber risk; enable technical innovation and account for organizational differences; provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services; include guidance for measuring the performance of implementing the Cybersecurity Framework; and identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. Six years have passed since NIST was introduced, and it has done nothing but evolve, just as the world does on an everyday basis. It has built its success on five functions: identify, protect, detect, respond, and recover. Although this framework has many pros, it also has a few cons. Resources will always be the number one problem with anything involving technology. As the cyber world continues to change, it is hard to catch up with the right technology to solve the problems; the reasons include budget constraints, advancing threats, and many more. Although NIST is not 100% perfect, it still encourages organizations to use its process to improve their security and reduce risk.
Cybersecurity frameworks do not just cover businesses and the government. Security practitioners are faced with numerous frameworks, each of which highlights specific qualities that are beneficial to many organizations. Another framework I would choose is ISO 27001/27002, also known as the International Standards Organization. This framework can be implemented in any kind of organization: profit or non-profit, private or state-owned, small or large. It was written by the world’s best experts in the field of information security and provides a methodology for implementing information security management in an organization. The many benefits of ISO include increased reliability and security of systems and information, improved customer and business partner confidence, increased business resilience, alignment with customer requirements, and improved management processes and integration with corporate risk strategies. Adopting it shows that a business or organization has protected information from getting into unauthorized hands, ensured that information is accurate and can only be modified by authorized users, assessed the risks and mitigated the impact of a breach, and been independently assessed against an international standard based on industry best practices. With the help of ISO standards, organizations can manage the security of their assets, including financial information, intellectual property, information about employees, and all other information entrusted to the organization or a third party. ISO has been able to address IT risk and the confidentiality of information through a structured method, with considerably more to come. Though ISO has a long list of accomplishments and benefits, it also has cons that could be considered major drawbacks, including time consumption, high project costs, multiple restrictions, lack of equipment, and being constantly misunderstood.
When ISO is relied upon by itself, it weakens the purpose for which it was conceived. As an organization, the main reason (con) for not choosing this framework is that ISO mainly focuses on giving users a best-practice management framework for implementing and maintaining security. In other words, as an organization we have to decide on a risk method and implement a risk assessment, select our security controls, and ensure that these are enough to meet the security needs of the organization. This requires information risk management and security expertise to implement. ISO 27001 does not tell you how to do this; instead, it provides a framework within which to do it. It does not provide detailed guidance for your organization, the information that you handle, or the systems that you use. For the type of organization that I have, ISO is not the best fit for private-sector organizations, because a good framework requires both implementing an information security risk assessment and defining the required security controls.
Current events today may not be current tomorrow in the cybersecurity world, because it moves fast and faces numerous threats and risks on a daily basis. Businesses are constantly redesigning and updating their programs, policies, and procedures. It is important for businesses and citizens to use frameworks and everything else the government is creating to ensure a safer world, both in person and in cyberspace. As the number of cyberattacks continues to rise, businesses are under a lot of pressure, but we have to recognize that understanding and implementing standard frameworks like NIST and ISO 27001/27002 is no small task; it takes time to identify the thousands of risks and threats they face around the clock and across the world.