How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Presented by: Russell Thomas, George Mason University

Abstract: Two aspects of cyber security that everyone struggles with are metrics and business impact. How do we measure it to improve and how do we make it meaningful to business decision makers? This gap appeared again recently in the NIST Cyber Security Framework (CSF) process RFI responses. But there is no need to wait for NIST CSF or anything else because there is a viable method available now that you can use to build your own CSF. Namely the “Balanced Scorecard” method.

The key idea is to focus on performance against measurable objectives in all critical dimensions that, taken together, will lead to better security, privacy, and resiliency outcomes, even in a dynamic and highly uncertain threat environment. In this presentation, we’ll explain the ten critical dimensions of cyber security performance, explain how they are interrelated and feed off each other, show how to create a performance index in each dimension, and describe how the balanced scorecard can be used to drive executive decisions. This presentation should be valuable to managers and executives in every type of organization in the energy sector, including the supply/service chain. Consultants, regulators, and academics should also find it interesting and useful.

Published in: Technology

  1. How to Build Your Own Cyber Security Framework using a Balanced Scorecard. Russell Cameron Thomas. EnergySec 9th Annual Security Summit, September 18, 2013. Twitter: @MrMeritology. Blog: Exploring Possibility Space
  2. Who here loves frameworks?
  3. Who here loves frameworks? NIST Cyber Security Framework? Other?
  4. Frameworks can matter (a lot)
  5. Frameworks can matter (a lot) if they are instrumental in driving new levels of Cyber Security Performance
  6. What the hell is “Cyber Security Performance”?
  7. Yes, “Cyber”
  8. Yes, “Cyber”. Confluence of…
     • Information Security
     • Privacy
     • IP Protection
     • Critical Infrastructure Protection & Resilience
     • Digital Rights
     • Homeland & National Security
     • Digital Civil Liberties
  9. What the hell is “Cyber Security Performance”?
  10. “Cyber security performance” is… “…systematic improvements in an organization's dynamic posture and capabilities relative to its rapidly-changing and uncertain adversarial environment.”
  11. “Cyber security performance” is… …Management By Objectives (Drucker)
  12. “Cyber security performance” is… …Management By Objectives; …Performance Mgt, incentives
  13. “Cyber security performance” is… …Management By Objectives; …Performance Mgt, incentives; …Staffing, training, organizing
  14. “Cyber security performance” is… …Management By Objectives; …Performance Mgt, incentives; …Staffing, training, organizing; …Organization learning, agility
  15. “Cyber security performance” is… …Management By Objectives; …Performance Mgt, incentives; …Staffing, training, organizing; …Organization learning, agility; …and good practices
  16. “Performance” vs “Practices”
  17. Using the Universal Language of Executives…
