Cyber Insecurity: The Need for Adaptable and Dynamic Processes for Security
February 28, 2018 at 12:10 PM
Several years ago, cybersecurity was not even on the radar of most companies and their boards. Over the past several years, after countless fiascos and crises impacting companies of every size and scope, cybersecurity has steadily risen as a priority and emerged as an integral aspect of a board of directors' duty of care and oversight to the company it oversees. As cyberthreats continuously evolve, develop and change, management is inundated with guidance on oversight, training, and any number of technical and procedural controls necessary to improve the company's security posture. In addition to the fast pace of evolution in cybersecurity, a recent trend of high-profile data breaches and cyberincidents has put boards of directors on high alert for very specific threats, for example, WannaCry and the threat of ransomware. While this increased attention and scrutiny is important, and salubriously inspires many companies to better their cybersecurity postures, this granular focus runs the risk of missing the forest for the trees. While an understanding of technical controls and specific risks is integral to any cybersecurity program, it is important to understand that there is a greater principle afoot: namely, that cybersecurity is not a binary state (secure or insecure) but a continuous, iterative, dynamic process. Thus, if we, whether at the level of a single company or of the broader community as a whole, are to stand any chance of meaningfully moving the ball forward, we must develop a clearer conception of the nature of cybersecurity, the goals that a cybersecurity program must pursue, and the methodologies that must be implemented to accomplish them.
To better understand what this means, we can look to industry standards, one of the best being the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST). The CSF was created pursuant to an executive order issued in February 2014 by President Barack Obama, which called for “the development of a framework to reduce cyberrisks to critical infrastructure.” The goal of the CSF was to create “a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyberrisks.” The first version of the CSF was released in February 2014, and it was quickly adopted by its target market, U.S. critical infrastructure, but the CSF is more broadly applicable. The CSF is neither industry nor size specific, and the general principles and processes it promulgates for identifying, understanding, and safeguarding against cyberrisks are just as applicable to a local or regional company as they are to an international financial institution or technology company. The CSF consists of three core elements: the framework core, framework profiles, and the subject of our inquiry, framework implementation tiers.
The CSF implementation tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework (e.g., risk and threat aware, repeatable and adaptive). The tiers characterize an organization's practices over a range, from partial (Tier 1) to adaptive (Tier 4).
Simply put, the tiers represent a spectrum of how well your organization understands, guards against, and responds to cyberrisk. The tiers are routinized and standardized across industries and verticals, which allows companies, engineers and managers to speak a common language both with regard to their respective security postures and with regard to the best routes to develop and improve those postures. While the CSF implementation tiers play an integral role in helping an organization understand its own posture, and in setting goals for future development, they serve just as important a role in giving a company's nontechnical management and directors a clearer understanding of the company's cybersecurity development and goals.
The temptation to view cybersecurity as a binary question is particularly strong when it relates to a specific threat. For example, a corporate manager might ask whether or not the company is secure from the NotPetya ransomware. While the answers to such questions are sometimes technically difficult to ascertain, they can only be definitively answered in certain scenarios. Furthermore, the answer, even when it is determinate and binary, can be misleading and counterproductive. If the technical staff reports to the manager that the company is, in fact, secure from NotPetya, the company will be much less likely to take a holistic inventory of its readiness for the broader attack vector of ransomware in general, and to take the most effective measures to prepare itself against that broader category of attack. Thus asking the wrong questions is not merely unhelpful; it can actively complicate the process of most effectively developing a company's cybersecurity posture.
In the CSF implementation tiers, there are four different phases a company can be in: partial, risk informed, repeatable, and adaptive. It is important to note that there is no language about secure or insecure; rather, the language centers on an organization's integration of business, risk and cybersecurity. It also accounts for the distinctions between the circumstances and finances of each individual company and affords them some degree of ability to balance the company's financial means against its cybersecurity needs. The CSF implementation tiers represent a spectrum of possible cybersecurity postures. On one end of the spectrum is the partial tier. The partial tier generally encompasses those companies that deal with cybersecurity on an ad-hoc basis, with a limited general awareness of cyberrisk and its potential impact on their business. In these circumstances, cybersecurity is dealt with on a break-fix basis, meaning that it is only dealt with when something has broken down and the company has discovered that it has been compromised. Companies in this stage fail to effectively engage with the risks they face and to position themselves to recover effectively once an incident has occurred. The second tier, risk informed, takes a slight step up from partial: an organization may not thoroughly formalize its practices, but it is beginning to conceptualize cybersecurity as a process rather than a break-fix binary, and to recognize the essential fact that cybersecurity is a relevant consideration for the organization. The repeatable tier takes this a step further, indicating that companies have formalized these processes and that they are regularly updated based on developments in the cybersecurity landscape. It includes a meaningful degree of buy-in from corporate decision makers and meaningful training and preparation for staff.
Finally, the adaptive tier is achieved once a company has robust and regularly verified and validated cybersecurity processes, procedures, and technologies. Cybersecurity has become an element of company culture and is regularly updated based on developments in the landscape and on predictive indicators that are tailored to the specifics of the company.
There are many lessons to be learned from analyzing the CSF implementation tiers, from direct management involvement and oversight to developing cultural awareness to the adoption of policies, procedures and technologies, but what is most important are the words that are not included in the tiers: secure, defensible, threat elimination. These are absent because a robust, well-managed, and carefully considered cybersecurity posture does not seek to achieve absolute security, because that is an impossible goal. Rather, such a policy seeks to ensure that an organization can nimbly and effectively respond to a broad spectrum of cybersecurity threats. To pull from the age-old fable of the willow and the oak, if an organization seeks to stiffly apply specific controls, it will inevitably be felled, whether by a new emerging threat or some other instance of failure. If, however, a company is able to adapt and apply cybersecurity principles dynamically, throughout the entire enterprise, it will be able to withstand any storm. For a further illustration of this point, one need only look at the titles of the CSF implementation tiers, namely that the highest tier is adaptive, meaning that an ideal posture is one that recognizes the ever-changing landscape of cyberthreats, can internalize the evolution of the threat environment, apply it to its own unique context, and nimbly adapt and react to these developments at the institutional level.
Cybersecurity can often be a loaded issue that pulls from a wide variety of elements within an organization. It implicates everyone from the directors and managers to the technicians and employees. Directors are often charged with oversight of this process, which does require careful attention, but this detail-oriented approach sometimes risks missing the forest for the trees. To prevent this, it is essential to clearly conceptualize the goals of a “good” cybersecurity program. The CSF implementation tiers are by no means the only tool available to help understand these goals, but they do present a coherent, logical and understandable framework for setting goals, at a macro level, for one's organization.
Barry and Benjamin Dynkin are co-executive directors of the American Cybersecurity Institute and co-founders of Atlas Cybersecurity.