Security Risk & Compliance: Combining NIST Frameworks & COBIT 2019 Governance

An enterprise’s valuable information and technology assets are usually located both inside and outside of the organization, in remote locations and with third parties, which means security practitioners responsibilities have grown exponentially.

Greg Witte is a contributor to the NIST Cybersecurity Framework and has a unique viewpoint of the risk landscape associated with cybersecurity

“The greatest risk challenge has to be the continuing drive to manage cybersecurity in an increasingly diverse and mobile world,” Witte said. “So many of our IT assets are virtual, mobile and cloud-based – we face a moving security target. While there are an increasing number of tools to support these evolving environments, it is also important for organizations to ensure that policies, processes, training and monitoring are ready for these types of emerging technologies.”

Meanwhile, compliance is another risk factor that must be taken into consideration, and these tasks are not getting easier.

“Among the compliance challenges, the increasing array of requirements makes it difficult to keep up,” Witte added. “Part of the increasing complexity comes from the fact that individual states and nations are building their own criteria for security and privacy, so there’s an ever-growing list of items to track and monitor.”

Managing Growing Complexity

When it comes to staying on top of the various challenges, Witte is a strong proponent of using the NIST frameworks for cybersecurity, risk management and workforce. However, using one framework, or even a few frameworks, is usually not sufficient and, in Witte’s view, a hybrid approach is required.

“COBIT 2019 and NIST’s frameworks collaborate well,” Witte said. “COBIT supports an overarching approach while NIST supports details for organizing and communicating security plans and actions.”

Witte will be sharing insights into this approach at the breakout session he will be leading at the Infosecurity ISACA North America Expo and Conference 2019 this November.

“We’ll focus on using COBIT 2019 with the NIST frameworks to ensure an effective approach to governing and managing security and privacy,” Witte said. “The frameworks from NIST are well-focused – for example, workforce, cyber-physical systems, privacy, IoT – but they aren’t intended to support all organizational elements of information and technology.

“Using COBIT’s framework helps take a strategic approach from budgeting to planning to change management to operations. COBIT doesn’t go into the same level of detail for security as the NIST frameworks do, but using COBIT and NIST together help build and sustain what’s needed.”

Prioritizing Security Activities

“In today’s climate, it’s impossible to address every possible risk,” Witte admitted. “Even if we could prevent every feasible issue, that might mean the enterprise is not getting fair value from its IT activities or is breaking the bank just to stay ahead.”

Since enterprises can only do so much, Witte recommended taking a mission-focused, risk-based approach to cyber and privacy. Prioritize securing those risks most critical to the business model and most likely to be damaging. Create a roadmap for cyber-resiliency, focusing on the risks most likely to have an impact on the enterprise’s mission. Since cybersecurity is a strategic enterprise issue, not only an IT issue, this approach also aides in improving communication and setting direction with boards and leadership because threats are termed in the language of the business, not in technological cyber-terms.

Ultimately, compliance is important, but if practitioners are managing security risk properly, compliance should come as a by-product of making good enterprise-wide security decisions.

“Of course, we must often comply with legal, regulatory and contractual obligations, but those should not be the way we plan and achieve good governance and management – any more than we would let speed limits and vehicle safety inspections define how we operate a vehicle,” Witte said. “A common sense approach to achieving effective risk management at reasonable levels based on organizational priorities and resources is the best way to stay ahead in a changing risk landscape.

To help enterprises and security professionals with security risk and compliance, the Infosecurity ISACA North America Expo and Conference 2019 offers a diverse lineup of learning sessions for building your security knowledge from 20-21 November 2019 – register now!

What’s Hot on Infosecurity Magazine?