Lockheed Martin: Lockheed Martin introduced its Cyber Resiliency Level (CRL) Framework and corresponding Scoreboard in 2018, illustrating a more formalized approach to measuring cyber resilience during this period. The company’s Cyber Resiliency Scoreboard includes tools like a questionnaire and dashboard for measuring the maturity levels of six categories, including Cyber Hygiene and Architecture.

MIT: The Balanced Scorecard for Cyber Resilience (BSCR) provides insight into financial and operational performance by combining information about core activities that might otherwise be isolated from each other.

USDA: The USDA Cybersecurity Scorecard created with the Farm Service Agency emphasizes a balanced scorecard approach aligned with the NIST framework, focusing on areas like compliance, vulnerability management, and incident response. Aligning with the NIST framework ensures that the USDA adopts a comprehensive, standardized approach to cybersecurity that is recognized and utilized across various industries. This alignment enhances the organization’s ability to manage and mitigate risks effectively while ensuring that all aspects of cybersecurity, from prevention to response, are systematically addressed.

Malini Rao: Rao’s CISO Operational Balanced Scorecard distinguishes between transformational and operational aspects, offering a dual approach to align cybersecurity with strategic business objectives. She champions scorecards for helping CISOs “gain trust by proactively reporting metrics … that can identify weaknesses and prioritize areas for improvement.”

While there is no “one-size-fits-all” approach to a cyber resilience scorecard, there are certain elements that they typically have in common. Whether you’re considering an existing cyber resilience scorecard or designing your own, look for this basic framework:
Risk assessment: Evaluating potential cyber risks and their impact on the organization
Security controls: Reviewing the effectiveness of implemented security measures
Incident response: Assessing the readiness and response strategies for potential cyber incidents
Recovery capabilities: Measuring the ability to recover from a cyberattack with minimal disruption

Build your own cyber resilience scorecard

Follow these key steps to make a cyber resilience scorecard that’s effective for your particular situation:
Assessment and goal setting: Begin by assessing your current cybersecurity posture and defining what cyber resilience means for your organization. This could involve setting goals for recovery times, reducing the impact of breaches, or enhancing system redundancies.

Framework development: Develop a scorecard that aligns with your cyber resilience goals. This should include a blend of quantitative and qualitative metrics, such as recovery time objectives, employee training levels, system backup frequency, and the integration of cybersecurity in business continuity planning.

Regular monitoring and reporting: Establish a routine for monitoring performance against the scorecard metrics. This monitoring should be an integral part of the cybersecurity governance process, with regular reporting to key stakeholders, including the board of directors.

Continuous improvement: Use insights gained from the scorecard to drive continuous improvement in your cyber resilience strategies. This could involve adjusting cybersecurity policies, investing in better incident response technologies, or enhancing employee training programs.

Board involvement and oversight: Ensure that the board of directors is actively involved in overseeing the implementation of the scorecard. Their strategic insight and oversight will be crucial in aligning cyber resilience efforts with broader business objectives.

By prioritizing cyber resilience and adopting tools like a scorecard, organizations can not only mitigate the impacts of cyber incidents but also bolster their competitiveness and sustainability. Rao recommends using AI and automation to enhance cyber resiliency reporting, like generating weekly and monthly scorecards.
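The framework-development step above asks for a blend of quantitative metrics (recovery time objectives, backup frequency, training levels) that can be reported on one scale. The following is an added example, not code from the article or from any of the scorecards it describes, showing one way to do that: each metric is mapped onto 0 to 100 between a "floor" value and a "target" value, metrics are averaged into the four categories named earlier (risk assessment, security controls, incident response, recovery capabilities), categories are combined with weights into an overall score, and the weakest categories are listed as improvement priorities. The metric names, targets, floors, weights, threshold and sample measurements are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    """One scorecard metric.

    `target` is the value that earns a full score of 100 and `floor` the value
    that earns 0. Putting floor above target makes "lower is better" metrics
    (an RTO in hours, a patch SLA in days) work without a separate flag.
    """
    name: str
    category: str
    value: float
    target: float
    floor: float

    def score(self) -> float:
        if self.target == self.floor:
            raise ValueError(f"{self.name}: target and floor must differ")
        raw = (self.value - self.floor) / (self.target - self.floor) * 100.0
        return max(0.0, min(100.0, raw))  # clamp: over-achieving never exceeds 100


# Category weights (assumed for this example); they must sum to 1.
CATEGORY_WEIGHTS = {
    "risk assessment": 0.20,
    "security controls": 0.30,
    "incident response": 0.25,
    "recovery capabilities": 0.25,
}

# Constructed sample measurements; every number here is illustrative.
SAMPLE_METRICS = [
    Metric("critical assets with a current risk assessment (%)", "risk assessment", 70, 100, 0),
    Metric("high risks with an assigned owner (%)", "risk assessment", 50, 100, 0),
    Metric("accounts protected by MFA (%)", "security controls", 90, 100, 0),
    Metric("median days to patch critical vulnerabilities", "security controls", 20, 7, 30),
    Metric("staff completing security training (%)", "security controls", 80, 100, 0),
    Metric("mean time to contain an incident (hours)", "incident response", 36, 4, 72),
    Metric("IR playbooks exercised in last 12 months (%)", "incident response", 25, 100, 0),
    Metric("recovery time objective for tier-1 systems (hours)", "recovery capabilities", 12, 4, 48),
    Metric("hours between backups of tier-1 data", "recovery capabilities", 24, 1, 168),
    Metric("successful restore tests (%)", "recovery capabilities", 60, 100, 0),
]


def category_scores(metrics):
    """Average the metric scores within each category (0 to 100)."""
    totals, counts = {}, {}
    for m in metrics:
        totals[m.category] = totals.get(m.category, 0.0) + m.score()
        counts[m.category] = counts.get(m.category, 0) + 1
    return {cat: totals[cat] / counts[cat] for cat in totals}


def overall_score(cat_scores, weights=CATEGORY_WEIGHTS):
    """Weighted overall score. A category with no metrics counts as 0 so an
    unmeasured area cannot silently inflate the result."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1")
    return sum(cat_scores.get(cat, 0.0) * w for cat, w in weights.items())


def improvement_priorities(cat_scores, threshold=65.0):
    """Categories below the threshold, weakest first: the 'areas for
    improvement' a scorecard is meant to surface for the board."""
    ordered = sorted(cat_scores.items(), key=lambda kv: kv[1])
    return [cat for cat, s in ordered if s < threshold]


def build_scorecard(metrics=SAMPLE_METRICS):
    cats = category_scores(metrics)
    return {
        "categories": cats,
        "overall": overall_score(cats),
        "priorities": improvement_priorities(cats),
    }


if __name__ == "__main__":
    card = build_scorecard()
    for cat, s in card["categories"].items():
        print(f"{cat:22s} {s:6.1f}")
    print(f"{'overall':22s} {card['overall']:6.1f}")
    print("priorities:", ", ".join(card["priorities"]))
```

Two design choices matter for reporting to a board: the clamp at 100 prevents a single over-achieved metric from masking a weak one in the same category, and treating a missing category as 0 in the overall score means "we did not measure it" reads as a gap rather than as a pass. The weights and the 65-point threshold are where an organization encodes its own definition of resilience from the assessment and goal-setting step.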
And don’t forget your supply chain, she stresses: Businesses should align their third-party partners to report scorecard metrics too.

This article was written by Tony Bradley and originally appeared in Focal Point magazine.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3835902/is-your-enterprise-cyber-resilient-probably-not-heres-how-other-boards-fixed-that.html