“You know, if you ask a professional athlete what the hardest thing is to do in sports, they’ll all say hit a baseball, but a coach once told me that the hardest thing to do in sports is to walk into your Superbowl locker room at half time and change the strategy that got you there ’cause it’s no longer working.” – The character of President Josiah Bartlett on “The West Wing”.
Even if you’re not a West Wing fan, you can appreciate the challenge implied in the above quote. And, if you deal with protection of data and the resiliency of information systems at work… that quote may hit extra close to home.
The way the majority of businesses today are protecting their data and increasing the resiliency of their systems isn’t working anymore. It may be showtime for your company, but if the data protection and resiliency strategies are no longer working… it’s time to throw out that one and get a new one.
At the end of September, the National Institute of Standards and Technology (NIST) announced the release of a Discussion Draft of Special Publication (SP) 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. According to DataBreachToday, this is the first time in 7 years the document has been opened for revision.
One of the major goals of the update is to remediate the miscommunication and disjointed nature of the C-Suite level of the organization and the implementers of the protection and resiliency systems. In the DataBreachToday audio, NIST Fellow Ron Ross explains that the first Risk Management Framework relied on organizations employing the framework at the systems level. Because the systems level doesn’t always communicate well with the C-level, misunderstanding, miscommunication and misalignment of protection resulted.
The new framework throws out the strategy that got us where we are today. Instead, it seeks to involve the C-level in the risk management framework decisions from the start then integrates that framework down to the systems level.
“Senior leaders have a lot on their plates. They deal with a lot of important issues within an enterprise,” Ross explained in the interview. “When you look at security and privacy components of risk management, those are really only 2 of many things senior executives have to worry about. There’s programmatic risk, budget risk, reputation risk; all these things are coming together and have to be dealt with, so the things that we do in the NIST publications that deal with security and privacy are feeding a larger enterprise-wide risk management process, where those are fed into, and taken into account, as you’re making those larger, more holistic risk management decisions for the enterprise.”
As a cloud provider involved in the protection and resiliency of business applications, we absolutely see this battle play out in front of our eyes. We see it firsthand when large enterprise organizations are protecting their business’s data with tape backups, because “modernizing backups” isn’t on the budget list for this year. We see it firsthand when we watch IT struggle to communicate the business value of their needs to the C-level and get shot down in favor of funding the next best thing. We see it when the C-level can’t communicate to the systems-level in a way that demonstrates the true end goal they’re trying to accomplish, instead placing more “check the box” demands on the systems-level administrators.
We have to throw out the strategy that got us here. When the internet was created, its audience was primarily government and educational institutions. Security and privacy simply were not prioritized in the early designs. As the world got more connected, we began protecting data and systems as they needed to be protected, system-by-system, architecture-by-architecture. Very few businesses sat down at the C-level and said, “How can we mitigate our data protection risk and maintain a digitally resilient business to improve our business model?” Those conversations spark incredibly different outcomes than someone asking, “How fast can we recover if something goes wrong?”
We have to throw out the strategy that got us here today and change the conversation, from the top down. Data protection cannot be a silo, or it will not work. Resiliency cannot be simply an IT initiative, or it doesn’t have the foundation it needs to build upon and succeed.
The NIST Risk Management Framework discussion draft is exciting because it recognizes that for businesses to succeed at mitigating IT risk in today’s world, we have to involve the C-level from a business risk perspective. We have to get better at speaking each other’s languages and we have to give everyone a broad stake in the success by involving groups across the business in the implementation and strategy of IT risk mitigation, security and privacy.
The discussion draft is currently open for comment and according to DataBreachToday, the updated framework is expected to be published in February 2018.