
The Global Forum for Advanced Cyber Resilience, 202 839-5563
"Come down from the cyber summits to the fertile value of cyber collaboration."

15 December 2016

Mr. Robert Fangmeyer

Director of the Baldrige Performance Excellence Program

Director's Office, Baldrige Performance Excellence Program

National Institute of Standards and Technology

100 Bureau Drive

Gaithersburg, MD 20899

RE: Response comment on draft Baldrige Cybersecurity Excellence Builder

Dear Robert,

Our Forum's Role to Advance Cyber Resilience in Support of Business Excellence

The Global Forum for Advanced Cyber Resilience brings private and public organizations together to collaborate. Our focus is on the use of best practices, and the lessons learned, associated with the use of cyber resilience in support of each organization's mission.

We provide support for 'public and private', 'private to private' and 'internal' collaboration. The result is a better understanding of what is reasonable and prudent for each individual participant organization. As a not-for-profit we focus on what is of common interest across all participant organizations, to provide a foundation for, and an understanding of, this value. We believe there is greater value in having this collaboration coordinated from outside of the government, and our participants agree.

We have attached comments on three sections of questions from the 'Baldrige Cybersecurity Excellence Builder' draft. We believe our comments will help organizations focus on the importance of cyber resilience in supporting their mission and customers, by discovering reasonable and prudent approaches to business value underpinned by cyber resilience.

We intend to continue to include discussion about business excellence in our forum activities, and will continue to provide information useful for business excellence.

Please also find within this document comments about the value of Collaboration, Reasonableness and Prudence, Strategic Thinking, Disciplined Culture, Stakeholder Buy-In, Leadership, Procurement, Workforce Strategy, and the rationale for the use of 'cyber resilience' rather than 'cyber security' (see note 1 at the end of this document).

I. Collaboration

How we arrive at an understanding of the business value of cyber resilience is critical. 'Cyber resilience' is an enabler of the business to perform its mission. It needs to be coordinated with all business activities.

Because of rapid changes in competitive markets and cyber threats, we must take advantage of coordinated enterprise strategic thinking, a culture of change, and continual improvement through this internal and external collaboration.

Taxpayers are demanding that the public sector be more prudent with its limited resources. The public sector will be able to benefit from participating in private-sector-led collaboration.

"Cyber resilience and business value cannot be separated. Cyber resilience must be tightly coupled with and support business value. Measurable 'reasonable' and 'prudent' approaches are found by including internal and external collaboration in each organization's strategy in support of their missions." (Charlie Tupitza)

Collaboration helps us use shared lessons learned and best practices in the context of our own business environment, and helps us determine "reasonable and prudent" approaches. We need a holistic view and representation of the business to accomplish this.

cc: Mr. Tony Scott

Chief Information Officer

Office of Management and Budget

The White House

1600 Pennsylvania Avenue NW

Washington, DC 20500


II. Understanding Reasonable and Prudent Approaches

'Reasonable and prudent cyber resilience' must support business excellence throughout our organizations, the supply chain, and all customers and potential customers. We must take advantage of the lessons learned and best practices identified during internal and external collaboration.

A disciplined "change management and continual improvement culture" must be associated with these activities.

Regulators look for 'reasonable' efforts toward cyber resilience. Taxpayers and stockholders demand 'prudent' use of resources. Customers recognize business value. We must take advantage of taxpayer and private investments in people, processes, and technology. We have had discussions with 'cybersecurity' teams of major public and private organizations that do not know, or have little communication with, the business side of their organization, or their customers or partners. This is not reasonable behavior. They all need to be involved in collaboration early, in the strategy phase and beyond.

III. The Importance of Strategic Thinking

Business excellence with cyber resilience requires full organizational representation at the table while strategizing. Shifting the consideration of cyber resilience to the "strategy phase", ahead of "design", for all products and services helps us identify how cyber resilience enables organizations to provide excellent service to their own organization and to their customers. This discipline makes it easier for all stakeholders to understand the value, and their role as leaders in supporting it.

It will be easier to justify requests for the cyber resilience resources needed in support of our mission when we understand and can articulate reasonable and prudent approaches, which comes from having full representation during strategic thinking.

IV. Disciplined Continual Improvement Culture Supporting Change and Readiness

Perpetual business excellence requires an effective change management culture supporting continual improvement throughout the life cycle of our products and services. Neither cyber resilience nor business excellence can be a destination. We must approach this at our own pace or battle rhythm, and do things that will help us enable a faster pace.

'Organizational readiness/resilience' amidst continual change in the competitive, threat and regulatory landscape, and in the workforce, is not optional.

Organizations with a culture of change and continual improvement will have an easier time. Organizations with disciplined approaches to the development of products and services will move at a more effective pace. Many senior leaders in both private and public organizations demand disciplined approaches.

Stockholders, insurance companies, taxpayers, auditors, and lawyers are happier when they see discipline. Without this discipline, it is difficult for leaders to manage and model desired behavior.

How is change managed?

People tasked with managing change must have the clout to make change. Business and IT controls must ensure that resilience is considered, and required, for every request for change. This is tough in many sectors because organizations see themselves as technology companies. The industry needs to recognize Business and IT as collaborative partners. The industry cannot rely on technology alone and must recognize the important role of people.

How are suggestions for improvement recognized and managed?

V. Buy-in from Stakeholders

Stakeholders must understand the business value of cyber resilience to them and their customers. This understanding must flow through to how the organization markets itself, its products and its services. This is a competitive advantage when the customer validates its value. For this to happen we need to figure out how to engage our customers in collaboration and clearly articulate this value to them.


VI. Leadership

Leaders need to clearly understand their role in supporting cyber resilience and business value. Fortunately, there are plenty of good examples we can take advantage of to model future behavior. We need to share these examples. We tend to focus on the negative examples and need to recognize the positive ones.

Demonstrated commitment and support from the CEO is needed for all governance and policy activity aligned with the organization's overall cyber resilience considerations and mission.

All activities must be in support of business objectives valuable to current and potential customers. There must be a continual improvement life cycle associated with all activities.

How do stakeholders in your organization tell the CEO what you need? The CEO needs you.

Putting on the CEO hat:

o I don't get it. It's complex; I hate not getting this.
o Simplify this complexity to support conversations between me and others in the organization.
o My attention span is short. Get points across quickly and clearly.

VII. Workforce Development and Retention Strategy

To have a reasonable approach to cyber resilience, organizations must have a way to evaluate skills and skill gaps for each role in the organization. This is directly related to a culture of change management and continual improvement. As the business climate and threats change, and as new products and services are considered, the organization must know whether it is ready; if not, it needs to understand the skill gaps to be closed, by training up existing employees and hiring new ones. These are artifacts of interest to the cyber insurance industry and to potential business partners.

What is your workforce development and retention strategy to address cyber resilience?

What standards, best practices and frameworks are you using? For example, the National Initiative for Cybersecurity Education (NICE)?

What is the right education needed to keep employees, partners, and customers aware of current and evolving threats and business value?

VIII. Procurement Responsibilities

Key positions in the procurement process need awareness training. People, especially program and project managers, have responsibilities regarding cyber resilience before making requests to the procurement process. Best practices for the responsibilities and training needed for all roles are critical for success. Coordination of activities by program and project managers is important.

Who has what responsibility regarding cyber resilience within your procurement process?

How are people within your procurement process made aware of cyber resilient requirements?

Does the procurement office participate in collaborative activities within the strategy phase for the development of products and services?


Low-Hanging Fruit, Moving Forward

Taking Advantage of Taxpayer and Private Sector Investments in Common Approaches

As we look for ways to move large business segments and influence others, we need to look to both private and public organizations across critical and non-critical sectors to identify where a common work culture, and the use of common best practices, lessons learned and standards, already exist. There is great value in taking advantage of these existing investments in people, processes, and technology, along with the common lexicon that comes with them.

An example of a common disciplined approach to IT Service Management which can support cyber resilience is the Department of Defense Enterprise Service Management Framework (DESMF), which the DoD CIO, Mr. Terry Halvorsen, directed the DoD to conform to on 24 Dec 2015. This pulls together many best practices and standards which, with some work, could be improved by underpinning its processes with cyber resilience. Most federal IT service contracts call for much of what is in this framework. Many private sector organizations internationally call for the best practices and standards within the framework. Many of our citizens are certified and have job experience in this domain. These align nicely with the Baldrige focus on cyber excellence and business value.

There is a common thread from the DoD to the outside. Organizations utilizing much of what is called out in the DESMF, like Disney, are all about serving the customer, keeping them secure, and earning value for the stockholders. It is called something different outside the DoD, but they share common best practices and lexicons. Our collaborative sessions, including the DoD, contractors, other public organizations, as well as the telecom, healthcare, finance, and other sectors, clearly demonstrate the value of taking advantage of this common thread to share lessons learned.

The Latent Function of Taking Advantage of Common Investments and Approaches

We are not in this alone. Taking advantage of any common foundation like the example above will motivate innovation, as smart people and organizations will see a homogeneous market for their products and services.

Foundation of a Common Thread Across Private and Public Organizations

As our forum participants focus on the common threads across all organizations, they will be able to add greater value. We will stay at this level, which will aid private and public organizations of all sizes in understanding how to take advantage of cyber resilience in the provision of excellent products and services. We look forward to moving this discussion forward.

With the focus on underpinning excellent products and services, taxpayers and consumers can expect improvement. Those following this work will be more competitive in the marketplace, creating new jobs and securing existing ones. The government will be able to better serve its citizens.

Summary of the value of Collaboration

o Reasonable and prudent approaches to cyber resilience: identifying the bar.
o The business value of cyber resilience articulated as your advantage: raising the bar.
o Excellent products and services with customer and mission focus.
o Self-regulation through the demonstration of effective (measurable) policy and governance.

We are excited to take advantage of the Baldrige values of excellence especially when applied to cyber resilience

underpinning excellent products and services.

Sincerely,

Charles William Tupitza

Chief Executive Officer

The Global Forum for Advanced Cyber Resilience

202 839-5563

[email protected]


Comments of the Forum are highlighted below in yellow. By no means does this represent all things to consider. We need to start somewhere and our future collaborative sessions will contribute more input. This must be a living and continually improving approach to be effective.

Leadership:

(1) How do your leaders' actions demonstrate their commitment to CYBER RESILIENCE?

a. How do they know how to act? How do they receive guidance?

b. What PROCESS is in place to assure they are sending effective messaging to the company and CUSTOMERS?

(2) How do your leaders deploy the organization's mission, vision, and values to the WORKFORCE, to KEY SUPPLIERS and PARTNERS, and to KEY CUSTOMERS and other STAKEHOLDERS, as appropriate?

a. How does the message of good cyber practice align with and support this?

b. What does good look like?

c. Who is involved with collaboration, and how?

(3) How do your leaders' actions demonstrate their commitment to legal and ethical behavior?

a. How do they know the legal behavior to exhibit?

b. How are they held accountable?

c. How can they be protected from the activities of those in the organization acting outside policy and reasonable behavior?

(4) How do your leaders' actions build CYBER RESILIENCE policies and operations that are successful now and in the future?

a. How is success measured?

b. Who is involved with collaborating about this?

(5) How do your leaders communicate with and engage other organizational leaders, the WORKFORCE, and KEY CUSTOMERS and STAKEHOLDERS regarding CYBER RESILIENCE?

a. How do they collaborate internally and externally to understand reasonable and prudent behavior across all divisions of your organization?

(6) How do your leaders create a focus on action that will achieve the organization's CYBER RESILIENCE OBJECTIVES in alignment with its mission?

a. How do they collaborate internally and externally to understand reasonable and prudent behavior?

Governance and Social Responsibilities:

(1) How does your organization ensure responsible governance of its CYBER RESILIENCE policies and operations?

(2) How do you address legal, regulatory, and community concerns with your CYBER RESILIENCE-related policies and operations?

a. Do you actively collaborate internally and externally about this?

(3) How do you promote and ensure ethical behavior in all CYBER RESILIENCE-related interactions?

(4) How do you actively support and strengthen the CYBER RESILIENCE infrastructure of your KEY communities?

a. Do you share threat data?

b. Do you participate in collaborative events reviewing and improving best practices and lessons learned?


Strategy:

Strategy Development

(1) How do you conduct your CYBER RESILIENCE STRATEGIC planning?

a. Provide artifacts of a disciplined approach.

b. What are the high-level objectives of cyber resilience within the organization?

c. What is the right balance between prevent, detect, and correct for this organization?

d. What are the most important strategic assets of the organization?

o What is the value to all stakeholders, including customers, partners, and regulators? Define value.

e. How should organizational assets be classified, and who should do this?

o What is the willingness to accept, avoid, transfer, and/or share each risk?

o How is it articulated?

f. What are the high-level security responsibilities of each group or team within the organization?

g. How should risks be assessed and managed, and who should be doing this?

(2) How do you ensure ALIGNMENT between your CYBER RESILIENCE STRATEGIC planning and your organization's overall STRATEGIC planning?

(3) How does your CYBER RESILIENCE strategy development PROCESS stimulate and incorporate innovation?

a. How does this enable you to do more, i.e. provide a better service for the customer?

(4) How do you collect and analyze relevant data and develop information for your CYBER RESILIENCE STRATEGIC planning PROCESS?

a. How do you determine the baseline and show continual improvement from Strategy through Design, Transition, and Operation?

(5) How do you decide which KEY CYBER RESILIENCE PROCESSES will be accomplished by your WORKFORCE and which by external SUPPLIERS and PARTNERS?

a. Do you know who knows what? Do you understand the gap? Do you know how to train up existing staff?

(6) What are your organization's KEY CYBER RESILIENCE STRATEGIC OBJECTIVES and timetable for achieving them?

a. What does success (good) and progress (improvement) look like?

(7) How do your organization's KEY CYBER RESILIENCE STRATEGIC OBJECTIVES relate to your organization's overall STRATEGIC OBJECTIVES?

a. How do you determine reasonableness, prudence, and effectiveness?

(8) How do your CYBER RESILIENCE STRATEGIC OBJECTIVES achieve appropriate balance among varying and potentially competing organizational needs, including the balance between CUSTOMER and STAKEHOLDER requirements and business OBJECTIVES?

a. How are cyber requirements articulated to the C-suite?

(9) How effective is the change management culture in your organization?

a. Are cyber resilience considerations included with all changes?

(10) How do you utilize Continual Service Improvement in association with cyber resilience?

a. Who owns this process?


Strategy Implementation:

(1) What are your KEY short- and longer-term CYBER RESILIENCE ACTION PLANS?

(2) How do you DEPLOY your CYBER RESILIENCE ACTION PLANS?

a. How is success measured?

b. How do you identify improvements needed?

(3) What are your KEY WORKFORCE plans to support your short- and longer-term CYBER RESILIENCE STRATEGIC OBJECTIVES and ACTION PLANS?

a. Who is involved with internal and external collaboration?

b. What best practices, standards, and lessons learned are you following?

(4) What KEY PERFORMANCE MEASURES or INDICATORS do you use to track the achievement and EFFECTIVENESS of your CYBER RESILIENCE ACTION PLANS?

a. Are they consistent across your organization?

b. Do you have a way to determine how you are doing against others in your sector?

(5) For these KEY PERFORMANCE MEASURES or INDICATORS, what are your PERFORMANCE PROJECTIONS for your short- and longer-term planning horizons?

(6) How do you establish and implement modified CYBER RESILIENCE ACTION PLANS if circumstances require a shift in plans and rapid execution of new plans?

Note 1. Rationale for the use of 'Cyber Resilience' instead of 'Cyber Security' in this document

When we use the term "cyber security", thoughts are almost always centered on prevention and technology. This is reinforced by articles like the Wall Street Journal article of Jan 18, 2016 titled "How to Improve Cybersecurity? Just Eliminate the Human Factor." This is misleading and dangerous. Security alone is not a preventative; it is a delaying tactic to keep "them" out long enough that, when they get in, whatever you are trying to protect is no longer sensitive, and, if they are already in, processes are in place to minimize the effect of the event(s).

Resilience has a different connotation, including the ability to respond and recover quickly or easily from some set of events or exposures. Cyber resilience includes the life-cycle reactions: prevent what you can, detect what cannot be prevented, correct, and learn from the situation.

While some do include aspects of resilience in their approach to cyber security, it is not a standard reaction. Without this you do not have a reasonable approach. Cyber resilience connotes a broader response utilizing technology and people, including "See something, say something." Please consider changing references to cyber security to cyber resilience unless the intent is to focus purely and exclusively on technology and prevention.

In closing: if you Google "Cyber Security Summit" in quotes you will see 180,000+ mentions. Now Google "Cyber Resilience Business Value" and you will get 8 results. (Then read our footer.)