Cybersecurity: What You Need to Know to Protect Your Organization

Multimatics_id
3 min readSep 24, 2020

Why Cyber Risk and Cyber Security Are Critical to an Organization

Cyber risk and cyber security are two concepts that are usually filed under information technology, but their effects are felt across the whole business. The damage an incident does, and the losses that security controls can avert, show up in business operations in terms of customers, financial costs, competitive advantage, organizational reputation, and personal careers.

Incidents that involve unauthorized access to customers' personal information can have a serious impact on the lives of the people the information belongs to, as well as on the organization. Beyond losses stemming from customer-related risks, malware attacks can cost an organization thousands of dollars by rendering information unusable or unavailable, for example when ransomware encrypts data or a wiper destroys it.

In addition, in terms of business competitiveness, sensitive business information compromised in a cyber incident can cost millions of dollars, and once an incident has become public the organization will have a hard time retaining its current customers, regardless of any subsequent effort to improve its security. Lastly, for the people associated with a cyber security incident, it can end careers and expose them to unwanted legal proceedings. This is especially true for top management, who have both the power and the duty to exercise diligence over business security.

A Framework to Strengthen Protection

The Cybersecurity Framework (CSF) was created specifically to strengthen protection for organizations. It is the common name for the document "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology (NIST). CSF was initially intended for operators of U.S. critical infrastructure. However, it is equally suitable for any organization that faces cyber security risk, and its use is voluntary.

The framework is divided into three parts. First, the Core contains an array of activities, desired outcomes, and informative references (pointers to standards such as ISO 27001, COBIT, and NIST SP 800-53), organized into five Functions (Identify, Protect, Detect, Respond, Recover), which version 1.0 broke down into 22 Categories and 98 Subcategories; version 1.1 (2018) expanded these to 23 Categories and 108 Subcategories. Second, the Implementation Tiers consist of four tiers, Partial, Risk Informed, Repeatable, and Adaptive, which an organization uses as a reference to characterize, for itself and its partners, how rigorously it manages cyber security risk; a higher tier is not a maturity target in itself and should be chosen against the organization's risk appetite. Lastly, a Profile is the set of outcomes an organization selects from the Categories and Subcategories; comparing a Current Profile with a Target Profile yields a prioritized gap list that drives the improvement plan.

Understanding Similarities Between NIST CSF and ISO 27001

Examining the similarities between the NIST Cybersecurity Framework (NIST CSF) and ISO 27001 is important for an organization that already holds ISO 27001 but wants to adopt NIST CSF, because it shows how the two approaches can be integrated and applied together to manage cyber security risk. The following describes several similarities between NIST CSF and ISO 27001.

First, both CSF and ISO 27001 provide a methodology for implementing cyber security and information security in an organization. Second, under both approaches security controls and safeguards are implemented only where risk is judged unacceptable, and both provide references for control development: ISO 27001 through its Annex A controls and the CSF Core through its informative references, which themselves point at ISO 27001. Third, CSF and ISO 27001 rely on general security concepts rather than prescribing products, which gives organizations the freedom to adopt the technologies best suited to their environments. Fourth, although CSF was created for use by U.S. organizations, it is applicable to any type of organization, as is ISO 27001. Lastly, both CSF and ISO 27001 aim to deliver business benefits through risk management while observing legal and regulatory requirements and the requirements of all interested parties.

Conclusion

The impact of a cyber incident, and the losses that security controls can avert, are evident in business operations in terms of customers, financial costs, competitive advantage, organizational reputation, and personal careers. To strengthen protection for organizations, the National Institute of Standards and Technology created the Cybersecurity Framework (CSF), which is divided into three parts: the Core, the Implementation Tiers, and Profiles. For an organization that has implemented ISO 27001 but wants to apply the NIST CSF, examining the similarities between the two approaches is a useful first step toward understanding how they can be integrated and applied together to manage cyber security risk.

