Selecting and Adopting an ECRM Framework, Process, and Maturity Model

Feb 27, 2023

Blog #5 of ~15 in ECRM Framework & Strategy Series


If you are starting this ECRM Framework & Strategy Series here, with Blog #5, you may wish to review some previous posts:

In each post in the series, I cover one or more aspects of developing your ECRM Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.

This series aims to explain what content is needed in each area and provide a good start on developing and documenting your ECRM Framework and Strategy. 

Introduction

Topics and sections of the ECRM Framework and Strategy covered in this post are:

  1. ECRM Framework
  2. ECRM Process
  3. ECRM Maturity Model

(For the full Table of Contents, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)

A framework, a process, and a maturity model are three essential building blocks of your approach to ECRM. Establishing the framework, process, and maturity model by which your organization will conduct its ECRM work enables the incorporation of ECRM into ongoing strategic decision-making and business planning.

10. ECRM Framework

Think of an ECRM Framework as a tool—an architectural blueprint, as it were—that will facilitate articulating your desired cybersecurity outcomes. In this context, it will help you document what you must achieve to manage cyber risks.

As with many terms in cybersecurity and cyber risk management, there is often little clarity about what constitutes a framework and, therefore, about which frameworks are actually available for your use. One resource listed these seven: NIST Cybersecurity Framework, ISO 27001 and ISO 27002, SOC2, NERC-CIP, HIPAA, GDPR, and FISMA.[1] Another article listed twenty-five frameworks, including a mixed bag of control checklists, security standards, security R&D centers, and maturity models.[2] Yikes! Seriously?

The framework which I recommend is the Cybersecurity Framework created by NIST.[3] An industry colleague who worked on the task force that produced the Report on Improving Cybersecurity in the Health Care Industry[4] once described the NIST Cybersecurity Framework to me:

“The NIST Cybersecurity Framework provides a template for your organization’s cybersecurity framework. The rest is up to you. It’s like having a palette of colors to paint a canvas. The colors are what you combine to create your painting; your painting is going to be what cybersecurity looks like for your specific organization. The NIST Cybersecurity Framework gives you that palette to start with.”[5]

As you may know from my writings, I advocate the NIST approach to cyber risk management. Among the numerous features and benefits of leveraging these free resources is that they, including the Cybersecurity Framework, are industry agnostic. In chapter 10 of Stop the Cyber Bleeding[6], I describe the many specific benefits of a NIST-based approach to ECRM.

The critical takeaway is that selecting and adopting an ECRM Framework is essential. I recommend that you consider adopting the NIST Cybersecurity Framework to help articulate your desired ECRM program outcomes and align them with your organization’s vision, mission, strategy, values, and services.

11. ECRM Process

If your ECRM Framework details “what” cyber risk management outcomes you must achieve, your ECRM Process describes “how” you will achieve them. It describes the specific, repeatable steps your organization will take to conduct ECRM.

The cyber risk management process I recommend is based on Managing Information Security Risk (NIST Special Publication 800-39)[7] and is composed of four basic steps, each of which informs the other steps in the process:

  1. Frame risk. That is, establish the context for risk-based decisions: your overall approach to your ECRM program and the outcomes you desire from it, as discussed above. In fact, setting your ECRM Framework completes this framing step.
  2. Assess risk. In other words, identify your exposures via an enterprise-wide, comprehensive risk assessment. NIST has published a separate guide for risk assessments, NIST SP 800-30 Guide for Conducting Risk Assessments.[8]
  3. Respond to risk. In this step, your organization focuses on making risk treatment decisions and executing risk treatment actions. As we will discuss further, this step involves deciding whether to accept, avoid, mitigate, or transfer risk.
  4. Monitor risk on an ongoing basis. Risk management is more than just a once-and-done proposition. It is a continuous process, which should include a feedback loop for process improvement and consideration of internal and external changes.

The second building block of your ECRM program, and an essential part of your ECRM Framework and Strategy, is your ECRM Process. I recommend that you adopt NIST-based ECRM processes (as described in NIST SP 800-39 Managing Information Security Risk and NIST SP 800-30 Guide for Conducting Risk Assessments).[9]

12. ECRM Maturity Model

In general, a maturity model is a “tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance.”[10]

As it relates to ECRM, a maturity model helps your organization identify its current cyber risk management maturity level for specific capabilities, facilitates the establishment of goals for performance improvement, and allows your organization to set priorities for the improvements needed to reach your desired maturity level.

Again, there are multiple points of view on what constitutes a maturity model. The same resource that cited seven cybersecurity frameworks published another article that listed two of those seven frameworks—NIST Cybersecurity Framework and ISO 27000—as maturity models.[11] While some will disagree, the so-called tiers detailed in the NIST Cybersecurity Framework are not intended to be used for maturity modeling; in NIST’s own words, “…Tiers do not represent maturity levels.”[12]

What’s important is that your organization chooses a maturity model that focuses on continuous process improvement. Recent research by the Deloitte Center for Health Solutions underscored the importance of having a maturity model in place.[13] Deloitte interviewed 18 CISOs, CIOs, and C-suite executives from biopharma companies, medical device manufacturers, health plans, and health systems involved in making cybersecurity decisions.[14] All of the interviewees—without exception—use maturity models in their presentations to boards and leadership.[15]

The maturity model provides a mechanism for determining whether your ECRM program is improving over time. Based on my work with organizations in a number of industries, I recommend focusing your ECRM maturity model on improving five key capabilities:

  1. Governance
  2. People
  3. Process
  4. Technology
  5. Engagement

I describe this maturity model, which I created, in Stop the Cyber Bleeding[16].

Others will take a different approach. Some organizations have successfully adopted and adapted the Capability Maturity Model Integration (CMMI), developed by the Software Engineering Institute at Carnegie Mellon University, as their cyber risk management maturity model.[17] With the so-called Cybersecurity Maturity Model Certification (CMMC 2.0)[18] becoming mandatory for defense contractors and subcontractors starting in 2024, I expect many organizations will adopt CMMC 2.0.

What is important is that you focus on improving your ECRM effectiveness. Think about the four-step management model called the Deming Cycle, whose four steps are Plan, Do, Check, and Act.[19]

Summary

It is essential to set the ECRM framework, process, and maturity model by which ECRM will be performed consistently throughout your organization. This means the C-suite and board should consult with internal and external subject matter experts to understand the alternatives for a framework, a process, and a maturity model, respectively.

In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. Setting your ECRM framework, process, and maturity model will go a long way toward meeting these forthcoming requirements.

My Stop the Cyber Bleeding | Putting ECRM Into Action YouTube channel includes brief video clips covering many of the topics in this series and may help guide the development of your ECRM Framework and Strategy. It can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.

In the next post in this ECRM Framework & Strategy Series, I will discuss Risk Rating and Risk Appetite <<future hotlink>>, an essential input into making informed risk treatment decisions.

Questions Management and Board Should Ask and Discuss

  1. Do you believe your C-suite and board are fully exercising their leadership, oversight, and fiduciary responsibilities concerning ECRM?
  2. Considering the table of contents above, to what degree has this content of your ECRM Framework and Strategy been created?
  3. Has your organization chosen an ECRM Framework? Is it working effectively?
  4. Has your organization chosen an ECRM Process? Is it working effectively?
  5. Has your organization chosen an ECRM Maturity Model? Is the effectiveness of your ECRM program improving?
  6. Do you have the internal resources with the appropriate skills, knowledge, and experience to undertake the work of establishing your ECRM Framework, ECRM Process, and ECRM Maturity Model?
  7. Do you think engaging an experienced, reputable ECRM partner would be valuable to establish, implement, and mature your organization’s ECRM program?
  8. Can you meet the future documentation requirements of Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks today?

Endnotes

[1] Cisternelli, Eric. Bitsight. “7 Cybersecurity Frameworks That Help Reduce Cyber Risk”. August 15, 2022. Available at https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk

[2] SecurityScorecard. “Top 25 Cybersecurity Frameworks to Consider.” March 23, 2021. Available at https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider

[3] Cybersecurity Framework. NIST. (n.d.). Accessed January 28, 2022. Available at https://www.nist.gov/cyberframework

[4] HEALTH CARE INDUSTRY CYBERSECURITY TASK FORCE. “REPORT ON IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY.” June 2017. Available at https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf

[5] Rob Suárez, CISO, BD (Becton, Dickinson, and Company) quoted in “Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework in Healthcare Organizations.” Clearwater. October 10, 2017. Available at https://clearwatercompliance.com/wp-content/uploads/2017/10/Choosing-an-IRM-Framework_The-Case-for-the-NIST-CSF-in-Healthcare_Clearwater-White-Paper.pdf?utm_campaign=White%20Paper%3A%20NIST%20Cybersecurity%20Framework

[6] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[7] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

[8] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf; and Guide for Conducting Risk Assessments. NIST Special Publication 800-30, Revision 1. National Institute of Standards and Technology (NIST). September 2012. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

[9] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf; and Guide for Conducting Risk Assessments. NIST Special Publication 800-30, Revision 1. National Institute of Standards and Technology (NIST). September 2012. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

[10] Martin Fowler. MaturityModel. August 26, 2014. Available at https://martinfowler.com/bliki/MaturityModel.html#targetText=A%20maturity%20model%20is%20a,order%20to%20improve%20their%20performance.

[11] Bitsight. “Cybersecurity maturity model”. n.d. Accessed January 28, 2023. Available at https://www.bitsight.com/glossary/cybersecurity-maturity-model

[12] Cybersecurity Framework. NIST. (n.d.). Accessed January 28, 2022. Available at https://www.nist.gov/cyberframework

[13] “Communicating the value of cybersecurity to boards and leadership: Seven strategies for life sciences and health care organizations. A report by the Deloitte Center for Health Solutions.” Deloitte Insights. 2019. Available at https://s3-prod.modernhealthcare.com/2019-05/DI_Value-of-cyber-investments.pdf

[14] “Communicating the value of cybersecurity to boards and leadership: Seven strategies for life sciences and health care organizations. A report by the Deloitte Center for Health Solutions.” Deloitte Insights. 2019. Available at https://s3-prod.modernhealthcare.com/2019-05/DI_Value-of-cyber-investments.pdf

[15] “Communicating the value of cybersecurity to boards and leadership: Seven strategies for life sciences and health care organizations. A report by the Deloitte Center for Health Solutions.” Deloitte Insights. 2019. Available at https://s3-prod.modernhealthcare.com/2019-05/DI_Value-of-cyber-investments.pdf

[16] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[17] Software Engineering Institute. Carnegie Mellon University. “CMMI for Development, Version 1.3.” November 2010. Available at https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=9661

[18] Office of the CIO. Department of Defense. “CYBERSECURITY MATURITY MODEL CERTIFICATION”. Accessed January 28, 2023. Available at https://dodcio.defense.gov/CMMC/

[19] “Plan-Do-Check-Act Cycle,” U.S. Department of Health and Human Services, Agency for Healthcare Research and Quality, Health Information Technology. (n.d.). Accessed October 24, 2019. https://healthit.ahrq.gov/health-it-tools-and-resources/evaluation-resources/workflow-assessment-health-it-toolkit/all-workflow-tools/plan-do-check-act-cycle
