Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970


Baldrige Cybersecurity Initiative: The Journey Toward Excellence in Information Security Management

Expansion of BCEB and the Need for Feedback

Despite enthusiasm for the next evolution in measuring and communicating cybersecurity program effectiveness, the BCEB appears to have some early challenges. Baldrige released the first draft of the BCEB with modest fanfare in September 2016. During the period from draft to Version 1.0, the document did not receive wide attention from technology and security professionals. At its formal unveiling in April 2017 at Baldrige's Quest for Excellence® Conference, the final published version of the BCEB was greeted by a relatively small audience of Baldrige fans and supporters. Evidence suggests that, to date, few organizations have conducted a BCEB self-assessment, though the actual figures are difficult to verify.

Nevertheless, this author strongly believes that the Cybersecurity Initiative and the BCEB will take time to establish their place as an indispensable resource for business leaders. The fate of the BCEB rests in the hands of technology and security professionals. "Expansion of the BCEB," says Wie, "will be based on future funding and community feedback."

Technology and security leaders may also discover road bumps as we introduce the concepts of BCEB to stakeholders and peers. First, some practitioners may find that quality is too foreign a concept to serve as a cybersecurity-focused metric for law firms, fearing that this idea is too closely connected to the manufacturing world. It shouldn't be. Law firms that aspire to some degree of conformance with ISO standards—namely, ISO/IEC 27001—already have fluency in the international language of quality. There are also those who may doubt that they can free their superiors from ingrained perceptions about information security as an IT issue needing exclusively IT-focused solutions.
Those who have experienced such pushback in the face of change understand that they are in the vanguard of a new movement, which is seldom a comfortable place to be. For those brave security leaders who desire that coveted "seat at the table" with key stakeholders, the BCEB provides a fresh starting point to be heard.

The BCEB is organized according to a set of core values and concepts representing seven key factors for managing and performing as an organization. The center hexagons in the graphic shown comprise the organization's overall performance system. The horizontal arrows in the middle denote the importance of organization-wide integration of the process Leadership and Results categories. The vertical arrows signify integration with Measurement, Analysis and Knowledge Management components of BCEB. Last, the Organizational Context defines both scope and environmental factors that inform, and are informed by, the process Leadership and Results categories.

To conduct a BCEB self-assessment, the reviewer determines Scope and Organizational Context, followed by the six Process Management factors in the hexagons. The next section (Measurement, Analysis and Knowledge Management) helps identify key decision points aligned to organizational performance objectives and recommendations for improvement. The last section addresses the evaluation of performance aligned with desired Results.

Once completed, the self-assessment yields two distinct scoring dimensions (Leadership and Results) across four Process factors and four Results factors, to arrive at a final score. The BCEB's scoring rubric provides clear, business-focused and actionable information about an organization's cybersecurity program. The scores provide both qualitative and quantitative evaluation data that can scale easily with the size and complexity of the organization using the self-assessment tool.
The BCEB scoring system provides leadership with an understanding of how well the organization is performing against those processes that work effectively for firms that excel at service quality. By completing the BCEB and identifying the organization's cybersecurity performance excellence maturity level, law firm technology and security leaders benefit by understanding, prioritizing and improving those processes that are critical to achieving sustainable results. Principals benefit from the BCEB's business-focused language and clear alignment to organizational values and objectives.

For more information about the Baldrige Cybersecurity Initiative, visit: www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Baldrige Criteria For Performance Excellence® and Design, Baldrige Performance Excellence Program®, Criteria For Performance Excellence®, The Quest For Excellence® and The Malcolm Baldrige National Quality Award medal and depictions or representations thereof are federally registered trademarks and service marks of the U.S. Department of Commerce, National Institute of Standards and Technology.

Baldrige Cybersecurity Excellence Builder v1.0: Key questions for improving your organization's cybersecurity performance (www.nist.gov/baldrige, #BaldrigeCyber)
