How to Operationalize Cyber Risk Management Frameworks

By Rick Tracy •  May 5, 2016

I previously discussed what constitutes a reasonable cyber risk management practice, and suggested that the NIST Cyber Security Framework (CSF) is an excellent option for this purpose.

Though many companies appear to like the NIST CSF, there are concerns about resource requirements and the overall effort needed for implementation.  These are both legitimate concerns and potential issues with all available frameworks.

The problem with in-house and manual methods

Not all companies have the internal expertise needed to operationalize a cyber security framework like the NIST CSF.  That lack of expertise requires them to hire or contract for this skill.  Because skilled cyber security personnel are in short supply, they are also expensive.  Many companies cannot afford to hire dedicated resources to enable cyber risk frameworks.

Additionally, purely manual methods of implementation do not scale well.  This is especially true for larger companies that have multiple divisions and locations where many resources would be required.  Beyond scalability, enterprise-wide standardization, consistency and accuracy are also difficult to achieve using only manual methods.

In fact, due to the importance of cyber risk management and demonstrating due care and regulatory compliance, there is an emerging need to maintain a database of record.  There must be a database to serve as an official body of evidence for the corporate cyber risk and compliance management process.  Simple management tools such as spreadsheets are not adequate for this complex business process, just as they’re inadequate for other complex business functions like CRM and ERP.

IT-GRC is ideal for cyber risk and compliance management

Generally speaking, IT-GRC solutions are ideal for the purpose of enterprise-wide cyber risk and compliance management.  As a matter of background, IT-GRC is an outgrowth of the current Federal Government A&A process that has been in existence since the 1980s.  A&A is a comprehensive cyber risk and compliance management process that relies heavily on testing, attestation, evidence, and artifacts to demonstrate controls-compliance, which in turn is used to derive a coherent statement of cyber risk.

Telos was an early provider of C&A (now A&A) services, and was the first to automate the C&A process in 2000.  In 2002, we demonstrated our technology to Mike Rasmussen, a prominent industry analyst, who credits Telos as the catalyst for the IT-GRC product market:

“In the late 1990s it occurred to me there had to be a better way to manage risks, policies, controls, and compliance requirements, and do this in the context of each other. In February 2002 a solution provider named Telos Corporation demoed their Xacta solution to me, which did just that. It struck me that this is exactly what I had envisioned.”  — Mike Rasmussen, GRC2020

IT-GRC platforms like Xacta AE allow organizations to quickly and efficiently operationalize frameworks such as the NIST CSF, ISO 27001, and the NIST RMF.  Our platform reduces the need for dedicated framework expertise, because essential framework elements are baked into the software.  Xacta AE simply allows personnel to participate in the cyber risk and compliance process according to their defined role, while the embedded workflow allows people to collaborate in an integrated process across an enterprise to achieve all of the necessary risk and compliance management steps.

As a result, the organization is able to get its arms around the complex process of cyber risk and compliance management.  This process will yield a comprehensive understanding of cyber risk and compliance that will help organizations make informed decisions that will ultimately make the enterprise more secure.  Perhaps just as important, such platforms help organizations demonstrate a standard of due care that will be helpful if there is ever an official inquiry resulting from a data breach.

The next blog post in the series will focus on the benefit of IT-GRC platforms for communicating cyber risk to boards of directors and corporate officers.

Rick Tracy

Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy