CRQ Journey Part 1: The Problem With Standalone Cyber Frameworks

December 13, 2023

As one of the youngest global industries, cybersecurity presents many challenges. It's a complex sector with many components to master. Security leaders find fortifying an organization's security measures tough. This obstacle is made even greater by the quickly evolving threat landscape. Another tricky hurdle is communicating and justifying their actions to the boardroom. 

During my time at Avid, I often faced the latter challenge. Avid is a software company offering media creators easy-to-use digital solutions. Despite implementing a mature cyber risk management program, the boardroom was still hard to prepare for. These experienced corporate business leaders didn't have the experience that would generate context for my summaries or requests. They understood the importance but didn't have the value context of having strong cybersecurity measures. 

After getting through yet another difficult board meeting preparation cycle, I decided to explore financial cyber risk quantification tools. I wanted to know how quantification could help me in the boardroom. Almost immediately, I realized this type of solution would solve my communication issues. It would equip me with the leverage I needed to justify my team's activities and prove their worth. 

The following story is our journey to implementing cyber risk quantification to bridge the all-too-well-known gap between the hard work of the security team and the boardroom. 

Chapter 1: No Means of Justification

When I first started at Avid, I tried to do everything a security leader should do. We assessed the organization's system vulnerabilities from varying vantage points, created educational materials for employees, and established awareness training sessions to ensure everyone followed the best security practices. 

However, upper management was always reluctant to approve new budget requests. They needed value context to understand the necessity of new initiatives and programs. Something that would describe the value cybersecurity brings. When I tried explaining my reasoning, it usually resulted in confusion. Although I technically spoke the right words, they could not understand in a way that made sense to them.

I realized that our primary obstacle would not be securing Avid, but rather, it would be justifying our spending requests. Thanks to my previous experience, I could show security gaps within the organization and explain that if a particular cyber event occurred, a corresponding business area would suffer. Unfortunately, we couldn't translate these vulnerabilities into monetary value. 

It was a frustrating situation for everyone to be in. 

Chapter 2: The Trouble With Available Assessment Frameworks

Personal and professional goals must be measurable to understand when success is achieved. In industries like insurance and medicine, these measurements are clearly defined. There is a way for experts to know whether a goal was reached and to what effect. 

The cybersecurity industry is much younger, and during its short existence, some global bodies, such as ISO, NIST, and CIS, have tried creating measurement frameworks. Each of these assessment rubrics offers unique standards for proper security protocols. 

Starting With CIS

To offer my team a way to assess their efforts, I chose the SANS Top 20 CIS controls. (This control framework has since decreased to 18 controls.) CIS was very descriptive and technically detailed for my team to check themselves against. It provided a way for us to find security gaps and create action plans for tighter practices. 

The CIS framework was excellent for internal assessment. Unfortunately, it was terrible to use for explaining to people who don't have technical experience. In the boardroom, CISOs have limited time for our presentations. If we're busy explaining technical terms, it leaves room for little else. I had no time to present my department's past achievements and upcoming aspirations. 

Indeed, I spent that precious time clarifying what maturity levels are and what they meant in the context of Avid, but that was still too much technical data. Back to the drawing board, we went. 

Trying NIST

Undeterred, I started searching for another solution. We needed a framework that would be easier to translate into business terms, and the NIST Cybersecurity Framework (CSF) proved to be a worthy candidate. This framework offers organizations guidelines for managing and improving cybersecurity practices, gives a blueprint for robust risk management and threat mitigation measures, and, best of all, NIST describes things at a level high enough for upper management. 

Nonetheless, there was a bit of overlap between the CIS and NIST frameworks. They both described an organization's maturity in security controls. So, in the end, despite a little overlap, we started using CIS for internal technical guidance and NIST for stakeholder communication. 

Security Frameworks: What Do They Really Measure?

An example of a Capability Maturity Model Integration (CMMI) process measuring rubric. Source: ResearchGate.

CIS and NIST CSF are two of the most common security standards with the benefit of being able to measure process maturity based on the Capability Maturity Model Integration (CMMI). The CMMI was first used in the software industry in 2000. 

  • Level 1: Initial

At this stage, there are no processes in place, and “heroic” efforts are needed to solve issues, resulting in a massive waste of resources for the most preventable attacks.

  • Level 2: Managed

Organizations have started to implement basic management processes that are defined and documented. However, some procedures still may be reactive rather than proactive.

  • Level 3: Defined

This level indicates that the company has well-defined, standardized processes that focus on proactive management. 

  • Level 4: Quantitatively Managed

The organization focuses on measuring and quantitatively managing its processes. Metrics are used to understand performance. 

  • Level 5: Optimizing

At the highest stage, organizations continuously improve upon their processes based on quantitative feedback. 

As teams start to improve their processes and cybersecurity policies, they can advance to the next level in the model. So, I leveraged the NIST framework at Avid to inform the team what to measure. I then used the CMMI levels as the measurement scale. 

I told my board we aimed to reach Level 4, Quantitative Management, and stay there. Anything above that is too expensive. Level 5 is usually reserved for highly mature organizations in cybersecurity. Only military offices and places with near-unlimited resources reach that level. 

Still Not Enough

With the NIST security framework and CMMI combined, I felt prepared. I believed I could finally explain my team's cybersecurity maturity to the board. We could provide the numbers demonstrating the cyber team's program improvement and maturation. The numbers would allow us to plan ahead and explain the projected timeline to reach new levels.

Unfortunately, it still wasn't enough for the board. 

True, the framework demonstrated progress. Yet, it was very subjective for an audience accustomed to facts and figures. The board and executive team operate in money and numbers. But my team couldn't converse in that language. Without the common vernacular, explaining what the security team did and why we did it was almost impossible.

Chapter 3: The Tipping Point

At this point, I didn’t know what else to do. I needed to translate my team’s accomplishments into a language the board could understand. But the tool I was looking for did not seem to exist. It felt like I was living in a modern-day Babel. I had the expertise to build the cybersecurity tower. I simply could not articulate my methodological motivations. 

I had reached the moment when many CISOs accepted defeat. CISOs across all industries face the moment and decide to turn back. But I refused, deciding instead to head into the unknown. Part 2 of my journey to CRQ reveals the moment I finally discovered a solution to my problems. At last, I discovered the necessary power to speak to the cybersecurity budget approvers.

If you're interested in listening to the rest of my story rather than reading it, check out the webinar!

To learn more about the transformative power of CRQ, book your free demo with Kovrr today.

Dmitriy Sokolovskiy

Kovrr Advisory Board
