How To Add Cyber Quantification & Budget Approval to the NIST Cyber Security Framework
Framework, framework on the wall, who is the most used by Cyber Professionals of them all?
From what I have seen – the answer is NIST – and in my opinion, with good reason.
It’s not a surprise that NIST is used by so many Cyber Professionals, because it provides a very clear structure for our approach to cyber security procedures.
I am not going to go deep into the NIST framework because there are many different elements to it and I’m sure there are people who know it much better than I do.
But NIST is something I have personally experienced, seen implemented, and used myself.
I’ve also used it as part of a project with our partners and users in the Boardish eco-system and I wanted to focus on why Boardish fits in perfectly with NIST!
Information gathering is the MOST critical first step of any cyber security process, and this forms the basis for the ‘Identify’ column of NIST.
In my previous article “5 Steps for CISOs starting in a new company” I place a lot of importance on understanding the Business Environment and then carrying out the Risk Assessment process.
I believe there is a missing step in practice between Identify and the next steps.
When identifying using NIST, if you have your risk assessment and Identification tools, or you’re doing it manually, you usually do not require an additional budget.
In my experience, most of the Cyber Professionals I have worked with are doing this internally with their teams or using existing budgets for Risk Management consultants.
But other parts of NIST usually require you to know if you will need additional solutions or resources or not. And this involves getting additional budget approval.
The missing part here is “Do we require budget approval?” to move onto the next steps of ‘Protect / Detect / Respond.’
If we do require budget approval – we will need to Quantify the information we gathered in the Identify section to make it into information that your decision-makers can quickly act upon.
This is commonly where things stall and businesses become less responsive. If internal or existing resources aren’t enough, it requires budget adjustments or proposals to the board.
And that’s the step Boardish helps with.
So how do you use the Boardish Budget Approval framework with NIST, and WHEN do you Quantify the Risk?
I believe that Cyber Risk Quantification should be done as the “last step” in the Identify section, and when you can do it much more efficiently (with Boardish – shameless plug), quantification doesn’t have to be reserved for annual budgets.
It can improve the entire internal risk management with your team.
You input your Business environment & Risk Assessment information into Boardish to receive clear quantification of the Threats and the real cost to remediate them.
This allows you to better view the cost and impact comparison for approvals, as well as in-house risk assessment practices.
This gives you all the info you need in the Identify part, along with a Risk Assessment strategy that includes a clear financial figure of “how much you need” in order to Protect > Detect > Respond and Recover.
Eli Migdal – Co-Founder of Boardish