Cybersecurity Management Program

Whitepaper
Many organizations' cybersecurity teams (or information security teams, as they used to be known) continue to struggle to communicate cybersecurity issues to senior leadership. Likewise, senior management also struggles to effectively articulate cybersecurity strategy to technical cybersecurity personnel. It is as though two parts of the same organization speak foreign languages to one another, and each party has very limited, or no, knowledge of the other party's language. However, it does not have to be like this.

Failure to communicate issues is most often revealed in grassroots cybersecurity initiatives that have evolved into corporate cybersecurity programs. Typically, this resulted from an enterprise in startup mode implementing solutions to address specific technical challenges. Unfortunately, many organizations continue to employ a similar approach to secure much larger and more complex environments against threats that outmatch the capabilities of their original solutions. No longer simply a technical solution, cybersecurity management has become a business function in today's industry. As a business function, a greater level of integration with other business units requires a greater level of transparency and performance reporting.

The evolution of grassroots cybersecurity programs rarely results in the kind of mature cybersecurity solutions that are aligned with, and address, business needs. And why should it? The initial programs were designed to solve technical challenges, such as preventing virus outbreaks or infections and stopping cyber attackers from compromising or stealing valuable information. Such initial cybersecurity efforts were neither designed as business functions nor defined in business terms.

Key Success Factors

The following key success factors are common to many successful cybersecurity programs. The programs:

• Support and drive strong governance attitudes and actions
• Are designed, developed, and implemented in a similar way to other business functions
• Adopt a standard framework approach, usable for an extended period of many years with little or no changes to that framework
• Are measurable in terms of their effectiveness

Organizations and executives that drive successful cybersecurity programs do so in the same manner as other successful business initiatives. Executives succeed at this not because of industry pressure, but because each aims to improve their organization. Having identified the opportunity, executives evaluate whether the initiative poses additional risks to their organizations and decide whether or not to accept this additional risk. After accepting such risk, executive sponsors continue to evaluate initiatives toward implementation. Even when initiatives are operational, executives still employ strong governance methods, including internal audit teams, to manage and monitor the effectiveness and efficiency of these initiatives. This business approach has become institutionalized across most enterprise units, with the exception of IT and cybersecurity. Key stakeholders in IT and cybersecurity often claim that cybersecurity management programs are too technical, only internally facing, or too complex to properly develop and implement using this approach.

The truth is that if these same IT and cybersecurity groups adopted a common framework and designed their cybersecurity management programs based on that framework, cybersecurity management would truly become just a standard business function in their enterprises. Unfortunately, the cybersecurity world does not agree on a standard cybersecurity framework across all countries, industries, and states. Analysis of the commonalities and differences between these standard frameworks shows that it is possible to create a universal cybersecurity management framework to address all countries, industries, and states. Such a framework is not firmly associated with any particular cybersecurity standard and can be adapted during implementation to address any specific security standard that organizations using it wish to follow. This paper introduces a cybersecurity management framework for which it is apparent that a successful approach is not too technical, addresses both internal and external concerns, and is not overly complex to implement, operationalize, and manage over the long term.

© 2017 Cisco and/or its affiliates. All rights reserved.


Cybersecurity Management Framework

The design of the Cisco cybersecurity management framework (CMF) assumes cybersecurity management is a business function.

The framework, as a business function, is comprised of three discrete pillars, with each subsequent layer unfolding increasing levels of specificity, as follows:

The Executive Management (Strategy) Pillar directs Governance and Planning initiatives that drive the framework forward to operation.
• The Executive Management Pillar requires people to identify why cybersecurity is needed, consider the business issues, and then define, document, and publish the direction the required cybersecurity program will adopt.

The Operations Pillar defines what the cybersecurity program must address to comply with the requirements specified in the strategy, what supporting functions are needed, and what level of reporting/governance monitoring should be provided. These needs are supported through the Cybersecurity Intelligence, IT and Cybersecurity Assurance, and IT Risk Management operations sub-pillars.
• The Operations Pillar requires definitions of documented operational standards, processes, procedures, and other collateral that specify what operators should do and how they should do it.

The Tactical (Technology) Pillar defines how required cybersecurity controls mandated in the Operations and Executive Management pillars will be applied to the systems, networks, and applications used by the organization, and how evidence will be provided to management that the security controls implemented actually address the specific requirements and perform their job as expected.
• The security controls in the Tactical Pillar, whether requiring technology or not, are responsible for securing all aspects of an enterprise computing environment, continuously monitoring the environment for security events, collecting and analyzing captured events, and reporting defined security metrics, some of which are provided to the SLT.

Although addressing cybersecurity challenges with just three pillars is perfectly possible, adopting and using the framework in that way is difficult and potentially open to error or misinterpretation. To minimize these issues, these macro-level pillars must be divided into more manageable chunks. The Cisco CMF subdivides its three macro pillars into seven discrete focus areas:

• Executive Management: Key decisions and accountability required to drive the program.
• IT Risk Management: Reducing risk exposure to the organization to a level acceptable to the SLT and Board of Directors.
• Cybersecurity Intelligence: Required to provide the cybersecurity and IT teams with appropriate information to achieve and surpass IT Risk Management goals.
• IT and Cybersecurity Assurance: Required to provide evidence to management, and especially the SLT, that their investments in cybersecurity are delivering the benefits they expected.
• Secure Network: Required to support secure, on-demand access to information for authorized personnel no matter where it is located, within or external to the organization.
• Secure Systems: Required to provide controlled access to applications, data, and devices according to the identity of the requesting party. This focus area also includes how data is protected, whether at rest or in transit.
• Secure Applications: Required to control access to data and other networks, systems, and applications according to the identity of the requesting party. For internally developed applications, requirements extend to how the application was designed, developed, and managed throughout the whole development lifecycle.

While these seven focus areas provide increasing granularity, the framework introduces an additional level of subdivision to ensure practitioners can readily apply and manage the CMF. In total, the CMF model is subdivided into 40 (forty) cybersecurity elements, as shown in Figure 1 on page three.


Figure 1: Cisco Cybersecurity Management Framework

Cybersecurity Management Framework Adoption and Usage

The Cisco CMF (Figure 1) shows how an organization should consider its own program. In a perfect, green-field situation with little pressure to protect exposed assets, an organization may not experience any difficulty with implementing this framework. Unfortunately, few organizations fit this reality and thus are not afforded the luxury of green-field framework adoption. Existing organizations must continue to generate revenue to stay in business.

It is possible to operate with an unstructured, non-framework-based approach, but as many have found out, there is a significant chance that areas of concern will be missed and that there will be 'cracks' in the security barriers erected that do permit compromises to occur, and possibly remain undetected and unresolved for significant periods of time.

Preferred Choice

The Cisco CMF, or any similar framework, supports a holistic approach to cybersecurity, which most cybersecurity professionals recommend. An organization's existing program, no matter its current state, can adopt a cybersecurity management framework to benefit from the consistency of approach and integration inherent to the framework. Though implementing such a framework may consume more time and resources, it is important to remember that achieving cybersecurity is not an endpoint; it's a journey. So, too, is transitioning a grassroots, tactically driven approach to a business-focused cybersecurity program based on a formal cybersecurity management framework.

As with all journeys, an organization must define a starting point. This is the time at which executive management realizes cybersecurity is not simply an IT function but instead a business function employing controls (people, process, technology) to address specific security. Approaching security in this way guides leaders to understand that the logical next step is defining a security strategy. Moreover, it becomes clear that such a security strategy is not defined by IT or the cybersecurity team, but is a strategy defined by management. Such a business management strategy clearly articulates a risk-based approach, one that all members of the SLT and the board of directors (or equivalent) easily and readily understand. It is a strategy, defined by people, that informs an organization that information is vital to the success of the organization and mandates that protecting such assets appropriately is not just a good idea, it is essential. Protecting the organization's information assets is a responsibility everyone in the organization shares.


As the SLT defines the strategic way forward, stakeholders must evaluate and understand the risks facing the organization associated with compromise, loss, or theft of information. The SLT has a responsibility to the organization's stakeholders to reduce risk to acceptable levels—or eliminate risk altogether. While it is possible for an organization to completely eliminate all risk, such an organization would effectively cease business operations because the cybersecurity protective controls applied would likely prevent access to information or make it very difficult to consume. "Perfect" cybersecurity effectively acts as a business disabler, not a business enabler.

To enable and support an organization's business objectives and goals, a cybersecurity program must allow authorized users access to information. This means organizational leadership must accept and manage risk concerning information compromise, loss, or theft. In short, the SLT must evaluate, understand, and accept some amount of risk when users access information assets. The question is, how much?

Accepting risk may not be a path an SLT is comfortable navigating. Typically, this is where an SLT might hand off the problem to a corporate risk-management committee, or team, who, together with the chief information officer (CIO) or chief information security officer (CISO), define and agree on an overarching cybersecurity policy and potentially a cybersecurity charter. These documents articulate the general need for a risk-based cybersecurity management program (CMP), who or which teams are responsible for its definition, and which individuals and/or teams have responsibility for supporting or taking actions according to a charter, or policy, mandate. The highest level of corporate leadership (chief executive officer (CEO) or board of directors) must approve and endorse these documents. Requirements specified in these documents should be business relevant and only change as business goals and objectives change. Organizations should always require a cybersecurity policy, but some CEOs prefer to endorse a cybersecurity charter that outlines the need for cybersecurity but delegates responsibility and authority for definition of the policy that drives the CMP definition and operation.

Program strategy is the starting point from which an organization migrates its existing program to the new program based on a cybersecurity management framework. It doesn't matter what an organization's current level of sophistication is, or its complexity or maturity with regard to its security program. Any organization is able to commit to a business-focused cybersecurity program addressing SLT concerns as mandated, endorsed, and expressly articulated in the cybersecurity charter and policy. Together these elements support the governance necessary to effectively manage the Program.

Transforming an Existing Cybersecurity Program

As stated earlier, achieving a specific cybersecurity maturity level is a journey. When planning any journey, you cannot proceed without identifying a starting point and an endpoint. Given these parameters, you then determine a timeline between these two points and categorize constraining variables, if any, that can impact the journey. Security policy, to a large degree, defines the endpoint of the journey and protects the organization's information assets. The Policy should only contain 'evergreen' statements that will not require changes due to timelines, budgets, or other business variables, as the approved and endorsed Policy content should remain static and require few, if any, changes. Each of these is a risk that stakeholders must consider when developing their organization's cybersecurity program.

Initially, IT and cybersecurity teams own responsibility for reviewing existing cybersecurity standards and processes. They are responsible for determining whether documented requirements meet the spirit of the policy or need to be modified to do so. Following that, the stakeholders (IT, cybersecurity, and often business unit owners of data and applications) meet with the risk committee and/or steering committee to consider whether adoption of the proposed standards and procedures will present unacceptable risk to the organization's information assets or users. To provide maximum ROI, stakeholders prioritize process and procedure documentation (not accounted for during the assessment) during this time. Additionally, stakeholders introduce supporting technologies, or updated tactical configurations, that are needed to address specific cybersecurity concerns.

Some organizations may try to achieve a best-in-class level of cybersecurity by implementing the framework through a single-step transition (from their current level of cybersecurity maturity). In all likelihood, this approach will fail unless organizations have, for the most part, already achieved their desired maturity levels. Without such preexisting programs in place, transitions are typically too burdensome and will likely result in a cybersecurity program that does not satisfy SLT-defined requirements. Prudent organizations should properly assess their cybersecurity program's current status or maturity, and subsequently use the assessment results to define a baseline position from which the organization is capable of executing incremental improvements over 2 to 5 years to reach an acceptable cybersecurity maturity level that is similar to, or slightly ahead of, their peer organizations.


It is worth noting that any desire to reach optimal levels of cybersecurity for each element within the framework has the propensity to consume significant resources, can result in steeply rising costs, and, as such, result in an unsatisfactory ROI. Setting and achieving lower but risk-acceptable levels of cybersecurity maturity across the framework will result in compliance with requirements in a much shorter timeframe, provide enhanced ROI, and strongly limit the window of opportunity during which successful cyber attacks can occur.

Cybersecurity Maturity

Any cybersecurity transformation process, such as the one this paper describes, requires an organization to measure and monitor improvement for a given cybersecurity element in terms of its maturity level. The authors of the Cisco CMF adapted the Carnegie Mellon University (CMU) Capability Maturity Model (CMM) to better suit cybersecurity programs. CMU introduced its CMM to drive improvements in software development, together with similar approaches documented by ISACA. In all cases, the term maturity refers to the degree of formality and optimization of processes, from unplanned or initial practices, to formally defined steps, to managed results metrics, to active optimization of the processes used during application and program development.

The Cisco CMF uses predefined maturity-level requirements for each security element to objectively assess the sophistication or maturity of the documented approach. Each maturity level assigned to each element is a numeric value. Focus-area maturity values are a combination of the maturity values for the elements associated with a given focus area. Program stakeholders can then combine focus-area maturity scores to provide an overall maturity score for the Cisco CMF layer and finally convey an overall cybersecurity program maturity level.

In practice, the authors of the Cisco CMF have experienced that most organizations using this approach usually ignore layer-level and total program-maturity scores and concentrate solely on the focus-area and individual cybersecurity element maturity scores. This is most likely because responsibility for specific cybersecurity elements or focus areas is far easier and more effective to delegate and manage than it is for a layer of the model or indeed the whole model.

Although the CMU and ISACA CMM maturity descriptions consist of five levels, the authors here found it essential to add a sixth level applicable to the cybersecurity world. This was necessary because some countries, industries, and organizations do not include certain cybersecurity elements in their programs. Allocating such elements, those not considered or implemented by an organization, a zero value ensures that the mathematics behind the model remain consistent and are not skewed by false level 1 maturity scores.

At a high level, the maturity definitions defined with the Cisco CMF are summarized in Figure 2.

Every element in the Cisco CMF contains multiple sub-elements, each of which receives a set of maturity definitions. As such, the CMF has a maturity-level definition library consisting of several hundred entries. In addition to the number of unique entries, cybersecurity elements often possess multiple interdependencies between one another. These resulting relationships drive analysis of findings from a simple maturity assessment to one that takes into consideration these multidimensional aspects. This approach also applies to the development of recommendations necessary to improve the maturity of a given cybersecurity element.
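The maturity roll-up described above (element scores combined into focus-area, layer and program scores, with a zero value for elements an organization does not include) can be made concrete with a small model. The following is an added example, not Cisco's code and not the CMF's actual scoring method: the paper does not state how scores are combined, so this assumes an arithmetic mean in which zero-valued elements are excluded, and it adds an illustrative dependency check that is this example's own assumption. The element names, levels and dependencies are constructed sample data; the pillar-to-focus-area mapping is the one the paper gives.

```python
"""Maturity roll-up for a CMF-style model (added illustration, not Cisco's code).

Assumptions not stated in the paper: scores combine as an arithmetic mean,
zero-valued (not considered/implemented) elements are excluded from that mean,
and the dependency check is an illustrative heuristic. Sample data is constructed.
"""
from dataclasses import dataclass, field
from statistics import mean

NOT_APPLICABLE = 0  # the sixth level the CMF authors added: not considered/implemented
MAX_LEVEL = 5       # CMM-style levels 1..5

# Pillar -> focus areas, as the paper lists them.
PILLARS = {
    "Executive Management": ["Executive Management"],
    "Operations": ["IT Risk Management", "Cybersecurity Intelligence",
                   "IT and Cybersecurity Assurance"],
    "Tactical": ["Secure Network", "Secure Systems", "Secure Applications"],
}
FOCUS_AREAS = {fa for areas in PILLARS.values() for fa in areas}


@dataclass
class Element:
    name: str
    focus_area: str
    level: int
    depends_on: list = field(default_factory=list)  # names of foundation elements

    def __post_init__(self):
        if not NOT_APPLICABLE <= self.level <= MAX_LEVEL:
            raise ValueError(f"{self.name}: level must be {NOT_APPLICABLE}..{MAX_LEVEL}")
        if self.focus_area not in FOCUS_AREAS:
            raise ValueError(f"{self.name}: unknown focus area {self.focus_area!r}")


def _scored(levels, missing_as_level_one):
    """Levels that enter an average. Assumption: zero means 'excluded'.
    missing_as_level_one reproduces the skew the paper warns about."""
    if missing_as_level_one:
        return [1 if lvl == NOT_APPLICABLE else lvl for lvl in levels]
    return [lvl for lvl in levels if lvl != NOT_APPLICABLE]


def focus_area_maturity(elements, focus_area, missing_as_level_one=False):
    """Mean of the scored elements in one focus area; None if nothing is scored."""
    levels = _scored([e.level for e in elements if e.focus_area == focus_area],
                     missing_as_level_one)
    return mean(levels) if levels else None


def pillar_maturity(elements, pillar, missing_as_level_one=False):
    """Mean of the focus-area scores under one pillar (layer), skipping unscored areas."""
    scores = [focus_area_maturity(elements, fa, missing_as_level_one)
              for fa in PILLARS[pillar]]
    scores = [s for s in scores if s is not None]
    return mean(scores) if scores else None


def program_maturity(elements, missing_as_level_one=False):
    """Overall program score: mean of the scored pillars."""
    scores = [pillar_maturity(elements, p, missing_as_level_one) for p in PILLARS]
    scores = [s for s in scores if s is not None]
    return mean(scores) if scores else None


def dependency_findings(elements):
    """Illustrative heuristic (assumption): an element rated more mature than an
    element it depends on deserves review, since its foundation is weaker than
    its own score suggests. Returns (element, dependency) pairs."""
    by_name = {e.name: e for e in elements}
    findings = []
    for e in elements:
        for dep_name in e.depends_on:
            dep = by_name[dep_name]
            if NOT_APPLICABLE not in (e.level, dep.level) and e.level > dep.level:
                findings.append((e.name, dep_name))
    return findings


# Constructed sample assessment; the paper does not list its 40 elements.
SAMPLE_ELEMENTS = [
    Element("Security Policy", "Executive Management", 3),
    Element("Cybersecurity Charter", "Executive Management", 4),
    Element("Risk Assessment", "IT Risk Management", 2, ["Security Policy"]),
    Element("Threat Feed Management", "Cybersecurity Intelligence", NOT_APPLICABLE),
    Element("Internal Audit", "IT and Cybersecurity Assurance", 3),
    Element("Security Metrics Reporting", "IT and Cybersecurity Assurance", 1,
            ["Internal Audit"]),
    Element("Network Segmentation", "Secure Network", 3),
    Element("Identity and Access Management", "Secure Systems", 2),
    Element("Data Encryption", "Secure Systems", 4, ["Identity and Access Management"]),
    Element("Secure SDLC", "Secure Applications", 1, ["Security Policy"]),
]


def report(elements):
    """Focus-area and pillar view (what the paper says stakeholders actually use),
    the program total, the skewed total for comparison, and dependency findings."""
    lines = []
    for pillar, areas in PILLARS.items():
        lines.append(f"{pillar}: {pillar_maturity(elements, pillar)}")
        lines.extend(f"  {fa}: {focus_area_maturity(elements, fa)}" for fa in areas)
    lines.append(f"Program: {program_maturity(elements):.2f}")
    lines.append(f"Program if 0 counted as level 1: "
                 f"{program_maturity(elements, missing_as_level_one=True):.2f}")
    lines.extend(f"Review: {n} is rated above its dependency {d}"
                 for n, d in dependency_findings(elements))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ELEMENTS))
```

Running the module on the sample data gives the Cybersecurity Intelligence focus area no score rather than a false level 1, so the Operations pillar reflects only the elements the organization actually operates; the `missing_as_level_one` switch shows how much the program total moves when that rule is ignored, and the dependency pass flags the one element rated above its foundation.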


Successful CMP Development: Ten Key Success Factors

Organizations should not underestimate the difficulty of developing and implementing a cybersecurity management program (CMP). The introduction of a CMP affects virtually every individual or group in an organization, so it is essential that the final cybersecurity program best address everyone's needs.

Cisco's experience in developing CMPs indicates that the following statements are 10 key success factors. If organizations apply these statements in the order given, they have the highest probability of successfully developing, implementing, and managing a CMP:

1. Identify and gain support and commitment from a member of the SLT to introduce a CMP.

2. Develop an enterprise-wide cybersecurity program charter (effectively the cybersecurity strategy for your organization) and submit it to the CMP sponsor for socialization with the SLT and endorsement by the CEO.

3. Create a CMP project work plan, the first task of which is to develop the cybersecurity policy. In larger enterprises, it is likely that multiple PMs may be necessary.

4. Establish and mandate usage of a document review and version management system to support ongoing management of CMP documentation.

5. Complete work on the CMF's Strategic elements first. However, it is also likely that multiple elements may be developed in parallel, especially where there are no or few dependencies between the elements.

6. Define elements so that each element contains at least one security metric definition and an identifiable data source to support metrics generation.

7. Identify and treat as high-priority development efforts key elements with enterprise-wide impact, such as architecture-related elements and core elements that are a foundation to many other elements.

8. Review all documented elements for consistency and accuracy prior to developing elemental dependencies associated with the element(s) under review/revision.

9. Develop all remaining elements having a dependency on key elements, followed by elements having no dependencies.

10. Dedicate time and effort to develop consistent, congruent, and easily understood documentation that clearly describes the what, why, when, where, how, and who is responsible for every action required by the program.

You should notice that just applying these 10 key success factors to cybersecurity program efforts does not necessarily guarantee short-term success. It is more likely that following this framework and applying the 10 key success factors will enable a successful cybersecurity management program to emerge over the long term.

Summary

Development, implementation, and maintenance of a cybersecurity management program for an organization is no small undertaking. However, the overall value that organizations achieve through development and implementation of such programs includes reduced instances of successful cyber attacks. Moreover, a cybersecurity management program provides organizations with a means to reduce a successful attack's impact on the bottom line due to its programmatic, predefined approach for identifying and responding to cybersecurity incidents.

Read more about cybersecurity management programs and Cisco Security Services at www.cisco.com/go/securityservices.