CMMC and other Security Frameworks
Posted on March 16, 2020 by Christopher Bukowski
A Strategic Value to Your Company’s Bottom Line
All too often cybersecurity professionals find themselves in a position where they have to justify the internal implementation of industry standards, including appropriate security processes and procedures. Far too often, those who hold risk management and cybersecurity responsibilities, and who are implementing additional steps for compliance with specific laws and/or best practices to give their organizations a better overall security posture, are confronted with complaints and push-back. This push-back can come from several different departments, including their IT counterparts and even C-suite executives. The complaints regarding these additional risk management precautions can cover a spectrum of topics, but typically reduce to an additional burden on time, cost, resources (e.g., personnel, tools, etc.) or, more often than not, some combination of these.
In a certain respect, who can blame them if they don’t really see the value that risk management and cybersecurity professionals bring to the table? In the absence of the realization of their true value, they become an additional burden, another obstacle to overcome in order to complete a job; they are seen as a drain on time, cost and other resources such as personnel, equipment, etc.
In today’s world, more often than not, a company’s information is a highly valued asset, if not its highest valued asset. Whether it is proprietary information (that which could otherwise be patented or copyrighted, proprietary processes, customer lists) or others’ sensitive information (such as a client’s, vendor’s, employee’s, and the like), it represents a major value to the organization and its customers and employees. Some of this information, such as financial, medical, educational or otherwise private information, could have a heightened level of sensitivity as well.
Herein lies the importance of reminding these other professionals and even executives that we are all on the same team.
Cybersecurity professionals are implementing the necessary safeguards to set reasonable protections for what these departments often value most, the sensitive information they retain, and shielding the overall company from unnecessary risk.
Information technology, including computer systems, networks, wifi, Bluetooth, the web, etc., is, in many respects, much like the wild west: lawless, or at least in large part without consequence. The modern era has traded in its bank robbers and cattle thieves for hackers and social engineering criminals attempting to steal, digitally, things of value, mainly in the form of some type of sensitive information.
This is what must be explained to and understood by corporate leaders and those in other departments when they consider cybersecurity and those implementing it as an unnecessary nuisance. What they are missing is that the risk management professional is most likely saving them time, money and resources by avoiding the inevitable breaches that would almost certainly occur if they were not there. A breach could cost a department, and even the company as a whole, exponentially more in time and money and resources, not to mention PR, if and when it occurs.
Having a good security posture is tantamount to locking the front door of your house or your car and setting the alarm, or locking your safe, or a bank locking its vault with valuables in it and posting a guard on watch. It just makes sense; you wouldn’t leave your home with the door wide open and valuables displayed, would you? You may not be robbed that day, but if you continued to do it you most certainly would eventually be relieved of those possessions that aren’t secured.
Now imagine you not only have your own possessions to protect, but also those of others who are paying you for a service that requires you to retain their possessions. They are trusting you to ensure the well-being of those items. If your own possessions are stolen it is bad enough, but if those of others are stolen too, not only have you lost yours, but you are liable to those other people whose possessions you held. You have likely also lost their trust, and the good faith of the local community, in protecting their valuables. Their valuables in this scenario are analogous to people’s sensitive information that is held by an organization. In today’s world, most companies hold, in some form or another, others’ sensitive information, whether it be financial information, health information, educational information, credit card information, proprietary information, and the list goes on.
What if the bank were to leave its vault open, unprotected and in plain view, with your most valued possessions in it? No doubt you’d be upset, and for good reason. Furthermore, there is little doubt that the bank would be liable to you if your valuables were compromised, as well as subject to statutory fines for the gross negligence.
With this in mind, in the last few decades, laws have been implemented to help protect these types of sensitive data and to assign liability, in the form of penalties, to those who don’t take the necessary precautions to protect it.
The security posture implemented by the cybersecurity and risk management professional will substantially decrease the odds of a compromise and help protect against breaches that could otherwise occur. In the event that a breach does occur, this security posture, confirmed by a non-interested third party in tandem with an audit, may help curb an organization’s liability.
Risk management and cybersecurity are in the best interest of the diverse departments within a company, the executives that manage the company, and the organization as a whole. Executives are bound by the fiduciary duties of care and loyalty to the company and ultimately its shareholders. For these purposes, the fiduciary duty of care is of most concern.
The fiduciary duty of care essentially implements the prudent person rule, which, in a nutshell, states that the directors and officers must act as a prudent person would in performing their duties in the management of the organization. This also includes acting in good faith and in a reasonable manner with the best interest of the company in mind, making informed decisions, and doing due diligence in the management and decision making of the organization.
Furthermore, directors and executives are typically protected from liability by the business judgment rule which, simply put, presumes that the management of the company is being done in good faith with the best interest of the company and its shareholders in mind. This includes acting reasonably, prudently and with due diligence while ensuring that the decisions being made are informed ones, to the extent executives reasonably believe they need to be. This allows directors to make business decisions without having to worry about liability with each decision made, even if those decisions, in retrospect, turn out to be bad ones.
A simple example would be a scenario involving an executive and an important business meeting. If the executive were simply lazy and missed the meeting because he/she decided to sleep in, that would most likely be a breach of his/her fiduciary duty of care. It violates the prudent person rule, since a prudent person, short of some other legitimate higher priority conflict, would have been present at the meeting. However, if we take the same scenario, but the executive is present at the meeting and subsequently makes a horrible business decision based on the information he/she learned from the meeting, believing they had been informed well enough to make the decision (and assuming they are acting in good faith), they would be protected by the business judgment rule, even though the poor business decision may have severe and unwanted consequences.
Applying these rules to the modern corporate cyber world, where regulations exist protecting specific types of information in almost every major industry, and where the efforts made by cyber adversaries are ever increasing and their techniques constantly becoming more sophisticated, it is within an organization’s and management team’s best interest to take reasonable measures to learn about and implement security controls that meet the necessary compliance benchmarks.
Fortunately, there are industry standards in place to help provide a blueprint for companies to set up and maintain their security posture. Some of these frameworks are mandatory and required by law, while others are not. For those that are mandatory, there is an additional level of liability inherent in not adhering to the framework. These frameworks range from very specific defense and government related frameworks, such as RMF (NIST SP 800-53), NIST SP 800-171, and the CMMC, to those that are more industry specific, such as ISO, PCI-DSS, CIS, health industry frameworks, financial industry frameworks, educational industry frameworks, and on and on.
Given the modern trend of data breaches, along with the ease of access to these security and compliance frameworks, an organization may be hard pressed to show due diligence, and consequently due care, for these types of concerns and threats if it neglects them and a breach occurs. However, if a company can show that it had a security posture in line with industry standards and requirements at the time of the breach, the company may very well be able to avoid some, or even all, of the liability for the breach.
However, even if an organization is not bound by law or industry standard, it ought to implement these security procedures and best practices. Not only is it good business practice, but it is also well within the duty of care owed to the organization and the ethical obligation owed to those whose sensitive information the company holds.
In the end, the relatively little amount of time, money and resources required to implement the basic requirements may pale in comparison to the loss, liability, and bad PR that would come with a breach.
It is also in the organization’s best interest to have its security posture reviewed, tested and confirmed by a non-interested third party. Whether the company has an internal or external cybersecurity team setting up its security posture, it will want to confirm that reasonable measures are in place and effective. It may seem sufficient for the internal team to confirm their own work, but there is an inherent conflict of interest in doing so. They’d effectively be grading their own homework, and who would not at least be inclined to grade themselves less critically than an objective third party would? Furthermore, the objective third party might apply different means and methods for testing the security posture, as well as providing inherent expertise in the particular type of assessment required.
Not only can an objective third party consultant confirm the security posture, potentially providing an additional barrier against liability, but they can also assist in remediating any gaps found. Furthermore, these experts can apply different means and techniques generally not available to, or within the expertise of, the internal/external cybersecurity team. This can include the typical review of technical, management and physical controls and the scanning of systems, as well as penetration testing, threat hunting, social engineering tactics, etc., to really validate the security of an organization.
Given this, it is within an organization’s best interest to create and maintain a security program and posture appropriate for the sensitivity of the information it holds. It is also within a company’s best interest to enlist an objective third party to assess the implementation, whether required by law or not. This can help protect its proprietary information and that of its customers, while also hedging against potential liability (whether penalties instituted by statute or customer claims) and negative PR. Having a good security posture adds a huge strategic value to the company that more than pays for itself.
Although management may view it as an additional burden and wasted time and money, the real value is in what it is protecting. If you can only see one side of the equation, you will never grasp the true value. To understand that value, an organization must calculate and consider the value of all the information it holds and the cost if that information were compromised. This may include the actual cost associated with proprietary information (e.g., Coca-Cola’s formula), as well as a dollar value associated with the liability of a compromise of the private information held and belonging to others (e.g., what monetary sum might a party be awarded as a result of a suit brought against the firm due to a compromise of their personal information). It could also include the cost of associated penalties related to any statutory and regulatory requirements for the information lost, and the dollar value associated with the negative PR received in light of the compromise.
Add all of that up and there is the true value you are protecting by setting up and maintaining a good security posture. One might argue that the organization could subtract the actual cost of setting up the appropriate security program (time, money and resources); however, in the event of a breach the company would need to implement this security program and posture anyway, in addition to the added cost of cleaning up the mess left behind by the compromise, which may even cost more than if it had just been set up properly in the first place. Either way, whether the company sets up the security posture before a breach occurs or is forced to subsequent to a breach, that cost will be incurred and so cancels out of the equation. The cost of setting up the appropriate security posture after a breach will likely be even more expensive precisely because it will involve the inherent incident response and necessary remediation.
Therefore, not only does an appropriately developed, maintained, tested and certified security program and posture add real value to a company’s bottom line, it may in fact ensure that the company has a bottom line at all. It is in the company’s best interest to ensure its security posture is sufficiently set up and confirmed by a third party.