University of Wisconsin–Madison
New Year’s Resolutions

The CISO’s Perspective — January 2019


Most people make some form of a New Year’s resolution — even if it’s just to say they will not make a resolution (again) this year. 

What we are talking about here is making a commitment. Promises to ourselves and others that we will do something important, achieve a goal, make a lifestyle change for the better, or make any form of change that matters.   

As I ponder what mine will be for 2019, the “usual suspects” are there — lose weight, take better notes in meetings, be nice to strangers, and then there’s those dance lessons… 

Let’s Get Serious! 

In the coming year, I hereby resolve to motivate our cybersecurity professionals to elevate our level of expertise and performance. My goal is to have our cybersecurity program elevated to what the National Institute for Standards and Technology’s Cybersecurity Framework calls adaptive.

Sooooo, what exactly does that mean? 

In the NIST Cybersecurity Framework, there are four “tiers” which provide context on how an organization like UW–Madison can view cybersecurity risk and the processes in place to manage that risk. As shown in the table below, those tiers define the increasing rigor and sophistication needed to effectively manage cybersecurity risk based on existing business, academic, and research information technology and data needs. It is up to all of us to determine the desired tier that aligns with our goals, is feasible to implement, and reduces cybersecurity risk. 

Tier 4: Adaptive

Risk Management Process
  • Adapts cybersecurity practices based on lessons learned and predictive indicators from previous and current cybersecurity activities.
  • Continuously improves using advanced cybersecurity technologies and practices.
  • Adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
Integrated Risk Management Program
  • Uses a common organization-wide approach to managing cybersecurity risk.
  • Uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
  • Cybersecurity risk management evolves from a cultural awareness of previous activities, using intelligence shared from many sources, with continuous awareness of activities on their systems and networks.
External Participation
  • Manages risk and actively shares information with partners to ensure accurate and current information is used to improve cybersecurity before a cybersecurity event occurs.

Tier 3: Repeatable

Risk Management Process
  • Risk management practices are formally approved and expressed as policy.
  • Cybersecurity practices are regularly updated based on risk management processes and changes in academic, research, or business requirements.
  • Maintains pace with the changing threat and technology landscape.
Integrated Risk Management Program
  • Organization-wide approaches are used to manage cybersecurity risk.
  • Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.
  • Consistent response is provided to changes in risk.
  • People have the knowledge and skills to perform.
External Participation
  • Everyone understands their diverse dependencies and shares information with partners, which enables collaboration and risk-based management decisions in response to events.

Tier 2: Risk-informed

Risk Management Process
  • Risk management practices are approved by managers but may not be organization-wide policy.
  • Priority of cybersecurity activities considers organizational risk objectives, the threat environment, or the academic, research, or business requirements.
Integrated Risk Management Program
  • Awareness of cybersecurity risk exists at the unit level, but a broader approach to managing cybersecurity risk has not been established.
  • Resources are adequate to perform risk-informed, management-approved processes and procedures.
  • Cybersecurity information is shared within the organization on an informal basis.
External Participation
  • We know our role in the larger ecosystem, but lack formalized capabilities to interact and share information externally.

Tier 1: Partial

Risk Management Process
  • Organizational cybersecurity risk management practices are not formalized.
  • Risk is managed in an ad hoc and sometimes reactive manner.
  • Cybersecurity priorities and activities may not align to organizational risk objectives, the threat environment, or the academic, research, or business requirements.
Integrated Risk Management Program
  • Limited awareness of cybersecurity risk at the organizational level, without an approach to managing cybersecurity risk.
  • Cybersecurity risk management is irregular and handled on a case-by-case basis.
  • Experience is varied, and information gained from outside sources is inconsistent.
  • May not have processes that enable cybersecurity information to be shared internally.
External Participation
  • May not have the processes in place to coordinate or collaborate with other entities.

How far from the target are we? 

We were evaluated in January 2018 as being at the Risk-informed and Repeatable tiers across the spectrum of our cybersecurity activities. This evaluation includes our desired outcomes and our ability to meet the applicable doctrines, policies, and standards that are common across most higher education activities.  

As shown below, the scope of that evaluation consisted of five concurrent and continuous cybersecurity lifecycle functions: Identify, Protect, Detect, Respond, and Recover. When these functions are considered together, this lifecycle provides a high-level, strategic view of how we manage cybersecurity risk. Within each function, our “scorecard” showed varying degrees of coverage in our ability to meet the requirements of the graded tier.

[Figure: Current tier coverages and targets]

How do we get from here to there? 

No doubt there will be a significant effort to get to Tier 4 – Adaptive. Much of the effort is already underway through various activities like the UW System Administration’s Two-Year Work Plan; implementing 17 new Cybersecurity Initiatives; processing the outcome of the UW System Administration’s current System Security and Access Audit; implementing the Endpoint Management and Security tools currently out for proposals; and the daily work performed by distributed IT teams and the Office of Cybersecurity. 

Stay tuned as we work through the next month or so to lay out a detailed strategy called “Getting to Tier 4.”  

Be resilient! Things will happen along the way. As I remember reading from a Dr. Seuss book, “From there to here, from here to there, funny things are everywhere!”  

Keep in mind, I am resolved to motivate our cybersecurity professionals to continue to elevate our performance and level of expertise. Join me! 

(Cue the music as the crowd runs off toward the sunset…) 
 
As always, I appreciate your feedback. Simple rules — be nice, be fair and be honest. Please e-mail your thoughts to cybersecurity@cio.wisc.edu and we will periodically post them with helpful answers. 

—Bob Turner, UW–Madison Chief Information Security Officer