One main challenge for implementing proper cybersecurity policies is the fact that there is no one-size-fits-all solution. But, in some respects, this isn’t a bad thing. What solutions a business needs depends on several factors, such as size, industry, and the type of data being stored. If every business followed a single set of security solutions, some would end up over-protecting their assets, where others would be under protected.
There are, however, a number of widely accepted security standards that strike a balance, giving organizations an outline of what protocols to implement based on their overall business strategy. A good example of this is the National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF).
And one misunderstood aspect of the NIST’s Cybersecurity Framework is the use of implementation tiers. Rather than being progressive levels that all business should work toward, the tiers exist to relate the firm’s approach to cybersecurity risk management as it exists today with a desired tier level that meets organizational goals and is feasible to implement. Businesses can then go through each control within the framework to address what they are doing today within their current tier context and what they want to be doing to reach their target tier.
The Tiers
Here is a brief outline of NIST’s four tier levels to help your organization begin to evaluate where you stand now, and where you want to be.
Tier 1: Partial
Organizations at this tier are considered to have no formalized risk management practice and respond to threats in a sometimes “ad hoc and reactive manner.” On the organizational level, risk management is carried out an irregular basis and without any set process to share cybersecurity information throughout the organization.
Tier 2: Risk-Informed
The risk-informed tier is for organizations that have risk management practices approved by management but might not be established across all levels of the organization. Cybersecurity processes are prioritized based on the organization’s risk level and business requirements but is only shared throughout the organization on an informal basis.
Tier 3: Repeatable
Businesses at this tier have formally approved cybersecurity policies that are well-communicated across all levels of the organization. The organization’s cybersecurity processes are regularly reviewed based on changes in threats and technology. Employees are also properly trained and able to carry out their specific roles related to maintaining the organization’s cybersecurity practices.
Tier 4: Adaptive
Finally, organizations in the adaptive tier are those where cybersecurity risk management is a part of the business’ overall culture and effectively adapt their practices based on lessons learned and predictive indicators. Cybersecurity risk and business objectives are fully integrated across all levels of the organization and are considered when making any business decisions.
Tier as a Strategic Lever
Businesses should not blindly implement cybersecurity controls. Instead, it’s important for organization to think carefully about their position with regards to risk — from the board level, to governance, to marketing — and make informed decisions on where they want it to be. A benefit of NIST’s tier system is that it can be used to benefit the overall business strategy, and not simply be an exercise in cyber risk management. That’s because a company’s position and goal with regards to any risk (from cyber risk to market risk to capital risk) is an articulation of the value it brings to its stakeholders. If a firm is currently at Tier 1 with regards to its cybersecurity, how does that impact it’s value proposition to its customers? What limitations does it impose on capital allocation? If the organization worked towards a repeatable tier, what opportunities would be unlocked (and conversely, what markets would they perhaps walk away from)?
Businesses which view the concept of tiers and cybersecurity risk as value creators rather than a compliance exercise will find that it creates sustainable advantages in a marketplace more engaged and attuned in digital protection and privacy.
