
Commercial Solutions

CYBER SOLUTIONS HANDBOOK
Making Sense of Standards and Frameworks

Booz Allen Hamilton Commercial Solutions combines industry knowledge and relevant experience with the right
people and technologies to reduce risk, improve safety and increase profitability for your business. Together, we can
enable you to thrive today, tomorrow and beyond.
Commercial Solutions | Cyber Solutions Handbook

CYBER SOLUTIONS HANDBOOK


Making Sense of Standards and Frameworks
The strength of an organization’s cybersecurity program is now a
market differentiator, and cybersecurity is a key business enabler.
Today, chief information security officers (CISO) and their
equivalents are facing increased responsibility amid a series of
quickly evolving—and often enterprise-wide—challenges.
Remediation-centric defense is not enough to combat current cyber
threats, and CISOs must build an effective communication link
between the server room and the board room in order to have an
effective program. This paper is one of a series of handbooks that
provide pragmatic insight and assistance on how to address the
key issues facing cybersecurity leaders today.

Businesses understand the importance of cybersecurity. Once relegated to the IT department
as an afterthought, cybersecurity is now part of a company’s core strategic planning and
investment portfolio. Pressure is high to ensure that all of the company’s assets and
operations are secure; boards and executives are looking to CISOs for answers. Yet change
is constant and quick, and standards and frameworks have risen to the forefront as a strategy
to tackle this new environment. These paradigms present opportunity for insight and growth,
but only if they are used in the appropriate context—and it can be difficult to sort through this
“alphabet soup.”

This handbook provides context for the numerous cybersecurity standards and frameworks
that currently exist. We put forth concrete recommendations for evolving the legacy mindset of
program “compliance” to one of program maturity and risk-based security. However, there is
no formula for security; there is a difference between being compliant and being secure.
Focusing on maturity—rather than checking the box—provides organizations both the
flexibility and the comprehensive view necessary to manage their risks and achieve their
goals.

Developing a robust maturity model is a significant undertaking, but there are existing models
that can be used to rapidly evolve programs. Applying these models correctly, while taking into
consideration the appropriate industry standards and frameworks, will align your security
program to your organizational strategy, while providing concrete and risk-based guidance on
how you can advance your program to enable the business.


Addressing an Alphabet Soup of Cybersecurity Standards and Frameworks
In the rush to address an increasingly complex cyber environment and provide a standardized,
structured approach to cybersecurity, we have, ironically, created innumerable options. From
“A” (audits) to “Z” (Zachman Framework), it is easy to drown in the confusing alphabet soup of
standards and frameworks.1 As demonstrated by the examples below, these criteria span
industries and vary in approach.

There are well-known industry governance and control frameworks such as the Control
Objectives for Information [and Related] Technology (COBIT) by ISACA, and international
best practice standards such as the certifiable ISO/IEC 27001.

Government entities, such as the National Institute of Standards and Technology (NIST),
try to centralize and drive common practices, standards, lexicon, and requirements
(e.g., the catalog of security controls in NIST Special Publication 800-53).

We have control and risk management guidance focused on the financial industry,
such as Basel (I, II, III), the Gramm-Leach-Bliley Act (GLBA), and the Federal Financial
Institutions Examination Council (FFIEC).

We see specialized guidance in the healthcare industry, such as the Health Information
Trust Alliance (HITRUST) framework and Health Insurance Portability and Accountability
Act (HIPAA) controls.

There are even structures for specifying product security standards, such as Common
Criteria.

So how can we begin to sift through all this information? Which framework might help you?
The short answer is, probably most of them. Some you’ll have to comply with, while others are
great reference material. However, picking and choosing the “right” elements among all this
available guidance is difficult, and still—even if you are the most gifted security architect of all
time—mostly leaves you with a check-the-box approach. So what to do? Read on.

1 A large number of cybersecurity standards and frameworks have emerged in recent years; the acronym jargon used to describe
these has made it all the more difficult to understand and apply relevant guidance.


The NIST Cybersecurity Framework: Key Takeaways


On top of these existing standards and frameworks, a new initiative kicked off in early 2013
when the Obama Administration enacted Executive Order 13636 and Presidential Policy
Directive (PPD-21), primarily focused on improving cybersecurity among private sector critical
infrastructure organizations. Many companies regard these directives as the “writing on the
wall” for eventual federal regulation around cybersecurity for private companies.

A primary product that emerged was a voluntary Cybersecurity Framework for managing
cyber risks, spearheaded by NIST. Released in mid-February 2014, the Framework is a
compilation of standards, guidelines, and best practices for managing cybersecurity-related
risk, while protecting information confidentiality, individual privacy, and civil liberties. Although
adoption of the NIST Framework is voluntary, many analysts suggest that it may be perceived
as a future de facto “standard of care,” which could be used to measure companies in
regulatory enforcements, class actions, and other lawsuits following cyber attacks and privacy
breaches.

The NIST Framework provides two important and fundamental elements for establishing or
improving a cybersecurity program: (1) content and (2) an approach for using that content.
When first glancing at the underpinnings, the Framework may appear as little more than a
compilation of existing industry standards and frameworks. While its “substance” essentially
points to such established industry guidance, this reflects the inputs gathered by NIST from
among hundreds of industry cybersecurity practitioners. Consensus is good. In regard to
approach, NIST provides some very high-level—yet useful—guidance for how to use the
content. It describes using the Framework to establish an understanding of where the program
currently is, and by infusing an understanding of cyber risk, security professionals can then
develop targets and an action plan for meeting those targets. This is certainly an evolutionary
step forward toward aligning security to organizational risk, but it still uses existing standards
and frameworks (i.e., compliance material) as the guide for improvement.


Acknowledging the Difference between Compliance and Security

Despite the good intentions of standards and frameworks, the fundamental truth is that there
is no formula for security. Many companies are compliant with certain regulations because
they are mandated by law. While avoiding legal exposures, fines, sanctions, and potential jail
time is a good motivator, it does not make your company more secure.

Standards and frameworks can help identify the landscape of potential areas you might want
to address. They also might let you set a minimum level of performance. However, standards
often force you to be either compliant or non-compliant. There is not always a middle ground
or consideration for unique organizational risk. Too often you are either a “one” or a “zero.”

If not used in the appropriate context, standards are a generic solution to a highly
individualized problem set. Cybersecurity is intimately tied to your business strategy and
operations, and it must be personalized to your organization. With the CISO role becoming a
strategic business enabler, we can no longer afford to “check a box.” Your company’s
strategies, risks, goals, and operations should shape the cybersecurity program. This is even
more critical with restricted budgets and resources, so you need to know where and how to
scale your investments.

The NIST Framework begins to shift the mindset of security leaders towards a risk-based
approach. However, the NIST Framework is still a high-level construct designed to help “think”
about the problem, and does not include robust or actionable guidance to mature a
cybersecurity program. But the Framework’s authors acknowledge this fact. They advise
“leveraging external guidance,” including existing maturity models, to drive a security program
forward.

Valuing Maturity over Checkboxes

Rather than focusing on a standard, look at your program with a maturity “lens.” Understand
the various degrees of risk you face and then, within a well-established structure, decide
where you need to invest and develop. It is up to you to prioritize the control areas that you
must address first, your current maturity in those areas, and what you must do to increase
your maturity.

Focusing on your maturity provides you with an opportunity to identify where your program
stands today, where it must be in the future, and how to get there. A maturity approach is not
“one size fits all.” Rather, you need to conduct an honest assessment of your baseline
maturity in the areas that are key to your success. You also must establish your target states.
These targets will vary based on your business needs and various exposures to cyber risk. A
large multinational corporation, for example, might determine that it needs an advanced
capability to internally monitor the risk presented by its hundreds of suppliers, while a smaller
company with just a few suppliers might be able to outsource this to an established, low-cost
third party. The two target states for each of these control groups would be very different. By
building your approach based on risk and maturity, instead of blindly complying with
standards, you move the responsibility of security from an outside entity to your organization.


The Characteristics of a Strong Maturity Model

Developing a strong maturity model is a significant undertaking; most organizations do not
have the resources to take this on. However, there are existing models out there to use,
developed by sector bodies or private companies. So what does a good model look like? It
covers a broad range of topics and provides significant depth in each topic, giving the
comprehensive and detailed guidance needed to enhance your cybersecurity program.
Effective cybersecurity maturity models include:

Functional and enabling controls – Functional controls are more technical/operational in
nature (e.g., application security, vulnerability assessment), while enabling controls pertain
to governance, risk management, and other organizational functions that support (i.e.,
enable) the technical operations

Logical organization of high-level and low-level views – Logically organized objectives
and measures that are used to pinpoint and evaluate specific aspects of your security
program

A maturity spectrum of granular and measurable details – A clear scale of maturity,
defined by characteristics and indicators to accurately assess your level of maturity

People, process, and technology dimensions – Multifaceted views that let you evaluate
each control area in its key component parts

A foundation grounded in established best practices – Developed from best practices
across industry, government, and academia.


Using a Maturity Model to Evolve a Cybersecurity Program


Appropriately applying a maturity model is as important as developing or choosing the right
one. The following is an overview of one proven approach on how to put an effective maturity
model into practice. As illustrated in Figure 1, this approach focuses on placing the model as
the “centerpiece” of the organization—setting the tone for both program structure and
assessment.

Figure 1 – Cybersecurity Maturity Model Implementation Approach

Step 1: Align Cybersecurity with Organizational Strategy

Boil down your organization’s strategic objectives and core value-generating operations into a
set of short, declarative, and concrete statements. Understand which operations must
continue to enable the sources of most value. In addition, consider the strategic actions your
company is or will soon be taking in order to thrive in your future environment.

These statements often can be written as “We will” or “We must” assertions. Examples
include: “We will expand globally,” “We must ensure our supply chain operations are not
interrupted,” or “We will innovate by providing our customers new digital offerings.” Once you
have the strategic objectives, identify the cybersecurity risks that could impede them (see
Figure 2).

Figure 2 – Strategic Objective Examples and Related Cybersecurity Risks (Note: Example Only – Not Comprehensive)

Objective: Globalization – “We will expand globally”
Cybersecurity Risks:
 Untrusted IT equipment used in foreign offices
 Third party with unrestricted access to customer information
 Unsecured mobile devices
 Poor personnel screening practices

Objective: Supply Chain – “We must ensure our supply chain operations are not interrupted.”
Cybersecurity Risks:
 Malware introduced from third-party suppliers
 Non-transparent supplier security practices
 Corrupted data in business process workflows
 DDoS exposures in web-facing applications

Objective: Research and Development – “We will innovate by providing our customers new digital offerings”
Cybersecurity Risks:
 Poorly protected source code for new digital product
 Development environment is open to many individuals
 Poor situational awareness of internal access to sensitive R&D information


Step 2: Apply a Risk-based Prioritization

It is unlikely that you will have the resources or time to focus on all parts of your business. You
will need to prioritize. Leading companies often use threat and risk workshops to help identify
and prioritize cyber risks, while gaining key points of consensus along the way. During these
workshops, you will need to explore your risk tolerance as it relates to the various parts of your
business. You may consider discussing potential “strategic surprise” threats that could deliver
large-scale negative impact to the business. By conducting this exercise, you should gain a
clear prioritization of the cyber risks that you need to address first.

Step 3: Assess Your Maturity

Once you identify your risk priorities, you can then begin to understand what control families
would likely mitigate that risk. As mentioned above, your maturity model should address both
functional and enabling control families. Addressing a risk will often involve multiple control
families, and the integration of these families is critical to a robust and cohesive cybersecurity
program. Figure 3 lists a high-level summary of which security control families could likely
address a given risk.

Figure 3 – Sample Cybersecurity Risks and Applicable Control Families

Objective: Globalization
Cybersecurity Risk: 1. Unsecured mobile devices
Sample Applicable Control Families:
 Mobile Security
 Strategy & Policy

Objective: Supply Chain
Cybersecurity Risk: 2. Non-transparent supplier security practices
Sample Applicable Control Families:
 Governance
 Strategy & Policy
 Supplier Security Management

Objective: Research and Development
Cybersecurity Risk: 3. Poor awareness of internal access to sensitive R&D information
Sample Applicable Control Families:
 Personnel Screening
 Situational Awareness

Now that you have an idea of (1) your biggest risks and (2) which cybersecurity control
families most closely map to them, it is time to assess maturity. Perhaps you would like to
understand organizational preparedness for poor situational awareness (risk #3). In this
scenario, three primary control families are most applicable to helping mitigate this risk, and
we would need to assess maturity for them all. To illustrate, we’ll assess maturity in the
situational awareness control family (see Figure 4).


Figure 4 – Representative Assessment of the Situational Awareness Control Family

To assess the maturity of the situational awareness control family, you need to break it down
into discrete, manageable elements that you can assess, called control objectives. These
control objectives are areas and actions you need to perform well in order to increase your
capability for that control family. In this case, the elements that make up situational awareness
are Security Event Collection, Analysis, and Response. Enhance your capabilities with these,
and you will strengthen your situational awareness.

Before you can assess where you need to be, you should first understand where you are
today. Consider how effective your processes and technology are performing for each control
objective. You also need to look at how well your people are performing within the entire
control family. Note that since the same people cut across control objectives, they are usually
assessed separately.

You should have well-defined indicators of each level of maturity (“Lead” through “Platinum”
levels). These are concrete actions and characteristics that help you gauge your current
baseline maturity. If you are using a company with a maturity model, be sure that they have
developed clear and well-vetted levels that map to industry best practices. Otherwise, you will
be measuring your maturity by gut instinct alone.

Across the three objectives within this control family, maturity varies widely across the
dimensions of people, process, and technology. The organization’s process and technology
maturity to collect and analyze event data is very low, meaning it would be very difficult to
track internal employee access to sensitive R&D information. On the other hand, the people
who conduct situational awareness activities have requisite skills and abilities. To manage this
risk, however, the organization will need to invest in maturing the processes and technologies
for event collection and analysis.


Step 4: Make a Plan

After understanding your program’s baseline maturity, you will need to establish your target
states. Make sure these targets are relevant to your organization, industry, and strategic
objectives. Don’t assume that every control family needs to be at the highest maturity level—
that will be a very expensive and unnecessary mistake. You will need to define the target
states that make the most sense for the amount of risk that your business leaders will tolerate.

Once you have target states set and your gaps identified, you can begin to think of the “gap-
closing options” to meet those target states. Patterns and priorities should begin to emerge.
Keep in mind that the maturity ratings are much less important than the reasons behind them.
This process should surface the specific challenges you need to address, regardless of the
specific rating.

From the gaps and priorities of your maturity assessment, you can build your plan. Identify the
most critical needs, as well as what you can accomplish in the short and long term. Create a
roadmap that shapes these needs into concrete initiatives. Each initiative should have a
defined beginning, end, owners, timelines, resource requirements, and key dependencies.
You should align your investment strategy behind these initiatives and map them back to the
strategic initiatives that you identified at the beginning of this process. As you implement them,
be sure to track your progress and report back to your executive leadership. You should be
able to describe your efforts in the business context that your senior leaders will understand.
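The four steps above carried into a small gap calculation, as an added example that is not from the handbook or from Booz Allen's model: each control objective is rated for process and technology, people are rated once per control family (as the text above Figure 4 describes), targets are set per objective, and the resulting gaps are ordered by the risk ranking from Step 2. The 1..5 scale, the sample ratings, and the control objective name under Personnel Screening are assumptions.

```python
from dataclasses import dataclass

# Assumed ordinal scale (the handbook names only the "Lead" and "Platinum" endpoints).
MIN_LEVEL, MAX_LEVEL = 1, 5
OBJ_DIMENSIONS = ("process", "technology")


def check_level(level):
    """Reject ratings outside the scale so a typo cannot silently shrink or inflate a gap."""
    if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"maturity level must be an integer {MIN_LEVEL}..{MAX_LEVEL}, got {level!r}")
    return level


@dataclass
class ControlObjective:
    name: str
    baseline: dict  # {"process": level, "technology": level}
    target: dict

    def gaps(self):
        # Exceeding a target is not a gap, so negative differences clip to zero.
        return {d: max(0, check_level(self.target[d]) - check_level(self.baseline[d]))
                for d in OBJ_DIMENSIONS}


@dataclass
class ControlFamily:
    name: str
    objectives: list
    people_baseline: int  # people are rated once per family, not per objective
    people_target: int

    def gaps(self):
        out = {"people": max(0, check_level(self.people_target) - check_level(self.people_baseline))}
        for obj in self.objectives:
            for dim, g in obj.gaps().items():
                out[dim] = out.get(dim, 0) + g
        return out


@dataclass
class Risk:
    rank: int          # 1 = highest priority from the Step 2 workshop
    description: str
    families: tuple    # control family names, as in Figure 3


def prioritized_gaps(risks, families):
    """Rows of (risk rank, family, dimension, gap), ordered by risk priority, then gap size."""
    by_name = {f.name: f for f in families}
    rows = []
    for risk in risks:
        for fam_name in risk.families:
            fam = by_name.get(fam_name)
            if fam is None:
                continue  # mapped in Figure 3 but not assessed yet: nothing to plan against
            rows.extend((risk.rank, fam.name, dim, g) for dim, g in fam.gaps().items() if g > 0)
    rows.sort(key=lambda r: (r[0], -r[3]))
    return rows


def blanket_top_targets(families):
    """Names families whose every target is MAX_LEVEL, the expensive mistake Step 4 warns against."""
    return [f.name for f in families
            if all(lvl == MAX_LEVEL for lvl in
                   [f.people_target] + [o.target[d] for o in f.objectives for d in OBJ_DIMENSIONS])]


# Constructed sample ratings, loosely following the Figure 4 narrative: skilled people,
# weak process and technology for event collection and analysis.
SITUATIONAL_AWARENESS = ControlFamily("Situational Awareness", [
    ControlObjective("Security Event Collection", {"process": 1, "technology": 1}, {"process": 4, "technology": 4}),
    ControlObjective("Analysis", {"process": 2, "technology": 1}, {"process": 4, "technology": 3}),
    ControlObjective("Response", {"process": 3, "technology": 3}, {"process": 3, "technology": 3}),
], people_baseline=4, people_target=4)
PERSONNEL_SCREENING = ControlFamily("Personnel Screening", [  # objective name is an assumption
    ControlObjective("Pre-employment Checks", {"process": 3, "technology": 2}, {"process": 3, "technology": 3}),
], people_baseline=3, people_target=3)
RISKS = [
    Risk(1, "Unsecured mobile devices", ("Mobile Security", "Strategy & Policy")),
    Risk(3, "Poor awareness of internal access to sensitive R&D information",
         ("Personnel Screening", "Situational Awareness")),
]
```

Families that Figure 3 maps to a risk but that have not yet been assessed (here Mobile Security and Strategy & Policy) produce no rows, which makes the unassessed coverage visible rather than hiding it behind a zero.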


Example in Action:
Top Financial Institution Integrates Corporate and Cybersecurity Strategies
to Maximize Protection against Cyber Threats

Challenge: Recognizing the key role of cybersecurity in their operations and objectives, the
board of directors of a global Fortune 100 financial institution mandated a comprehensive
review of the security program and an investment strategy that would enable the company’s
strategic objectives. Although they were in compliance with federal regulations, they knew that
there was a difference between being compliant, and having strong cybersecurity.

The organization needed a partner with an effective maturity model that was robust,
comprehensive, and developed from industry best practices. They did not have the time,
experience, or budget to develop one themselves, and they also felt the need for an objective
perspective, so they came to Booz Allen Hamilton.

Solution: Booz Allen worked with stakeholders to identify key threats facing the organization
in the next 5 years, assess the maturity of its cyber program (focusing on 24 functional and
enabling control families), and analyze organizational readiness to develop its program.
The organization also collaborated with Booz Allen to compare the key findings, gaps,
and recommendations from the maturity and organizational assessments to its draft
investment plan.

The client organization was able to use Booz Allen’s proprietary maturity model to install a
simplified, rational, and easy-to-communicate framework to engage stakeholders and enhance
bank security. Through a series of threat workshops, the client was able to use this framework
to identify and prioritize current and future threats, including emerging and "surprise" threats
that it might encounter over the next 5 years. For the maturity assessment, the client
organization utilized Booz Allen’s CyberM³ Reference Model, which helped identify key gap
areas. Through collaboration with Booz Allen, the security organization was able to identify
sensible recommendations for improving the security program. Together, the teams reviewed
the client’s existing investment strategy, and provided key recommendations that helped
stakeholders successfully shape the organization’s roadmap and program for the next 5 years.

Result: By engaging Booz Allen experts and its maturity-based reference model, the board of
directors was able to successfully merge the organization’s security and corporate strategies
to maximize protection against the increasing cybersecurity threat.


CONCLUSION

As businesses adapt to running at the speed of cyber, they rush to
apply standards and frameworks to help them make sense of it all.
But there is no “standard” for security. There are no boxes you can
check, and no matter how compliant you are, it does not mean you
are any more secure.

The solution is more difficult than that. It takes a deeper understanding of where your company
wants to go and how your security program will help your company get there. It takes an honest
assessment of your current maturity and a vision of where it needs to be. It takes smart decisions
about where you invest your limited resources. Your Board of Directors and your CEO are looking
to you for answers. That’s because they know that cybersecurity is critical to their
success. They know that cybersecurity is now a business enabler.

To learn how Booz Allen Hamilton can help your business thrive, contact:

Booz Allen Hamilton

Matthew Doan, Senior Associate
doan_matthew@bah.com
703-659-3689
Matthew Doan is a Senior Associate in Booz Allen's commercial cyber practice. In his role, he works with
leaders across multiple industries in aligning cyber security programs to manage risk and meet the needs
of the business. Mr. Doan specializes in programmatic assessment, enterprise risk management, strategy-
setting, and organizational design.

Ian Bramson, Lead Associate
bramson_ian@bah.com
240-675-0840
Ian Bramson is a Lead Associate at Booz Allen, focusing on addressing challenges for commercial
clients. Mr. Bramson blends business, technology, and strategy to develop enterprise cyber security solutions
across multiple industries and the public sector. He specializes in strategic planning, organizational design,
cyber diagnostics, governance, and change management.

Laura Eise, Lead Associate
eise_laura@bah.com
262-391-1463
Laura Eise is a cybersecurity consultant in Booz Allen’s commercial cyber practice. She works across multiple
industries to assess and mature cybersecurity programs, and develop reference models for solving
cyber challenges. Ms. Eise specializes in risk management, strategy development, training, and
awareness.

© Copyright 2014 Booz Allen Hamilton Inc. The information contained herein is subject to change without notice. The only warranties for Booz Allen Hamilton products and services are set forth in the
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Booz Allen Hamilton shall not be liable for technical or
editorial errors or omissions contained herein. Trademark acknowledgements if needed.
