Back in 2018, the National Institute of Standards and Technology released a report with a pretty bland name: Framework for Improving Critical Infrastructure Cybersecurity. But in that report is one of the most useful guides for how to think about organizational cybersecurity, how to improve your cybersecurity and how to stay secure even in a rapidly evolving threat environment. We use it to help our clients rise to the level of the cyber threats they face day in and day out. So, we thought it a useful exercise to break it down for all of you. These cybersecurity tiers can provide both insight and actionable intelligence to get your company’s cybersecurity situation where it needs to be.
What the tiers mean
The cybersecurity tiers run from 1 to 4, with Tier 4 characterized by the most rigorous and sophisticated cybersecurity risk management practices.
The tier delineation takes into account a host of factors, including your business’ current risk management practices, the threat environment in which you operate, legal and regulatory requirements, information sharing practices, business/mission objectives, supply chain cybersecurity requirements and, finally, organizational constraints.
It’s worth noting that higher tiers aren’t necessarily “better” per se; the tiers do not represent maturity levels. They’re meant to support organizational decision making about how to manage cybersecurity risk, as well as which dimensions of the organization are higher priority and could receive additional resources.
All the cybersecurity tiers are broken down into three subcategories: Risk Management Process, Integrated Risk Management Program and External Participation.
Tier 1 — “Partial”
- Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc (and sometimes reactive) manner.
- Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level. The organization may not have processes that enable cybersecurity information to be shared within the organization.
- External Participation – The organization does not fully embrace its role in the larger ecosystem. The organization does not collaborate with or receive information (e.g., threat intelligence, best practices, technologies) from other entities (e.g., buyers, suppliers, etc.), nor does it share information.
Tier 2 — “Risk Informed”
- Risk Management Process – Risk management practices are approved by management but may not be established as organization-wide policy.
- Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organization on an informal basis.
- External Participation – Generally, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. The organization collaborates with and receives some information from other entities and generates some of its own information, but may not share information with others.
Tier 3 — “Repeatable”
- Risk Management Process — The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
- Integrated Risk Management Program — There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors cybersecurity risk of organizational assets.
- External Participation — The organization understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community’s broader understanding of risks. It collaborates with and receives information from other entities regularly that complements internally generated information, and shares information with other entities.
Tier 4 — “Adaptive”
- Risk Management Process — Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
- Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.
- External Participation — The organization uses real-time or near real-time information to understand and consistently act upon cyber supply chain risks associated with the products and services it provides and that it uses. The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks. It receives, generates, and reviews prioritized information that informs continuous analysis of its risks as the threat and technology landscapes evolve.
Only once you understand the landscape can you make informed business decisions… especially when it comes to something as complex (and critical) as cybersecurity.
We’re experts at working through the cybersecurity tiers with our clients, accurately assessing each client’s current Tier and building a roadmap to achieving the appropriate Tier (which is not Tier 4 for every company in every industry — your business and market sector may not require Tier 4 vigilance at all times… or at least, it may not be worth the price of ensuring that kind of vigilance 24/7/365).
Drop us a line today, and let us show you how we can level up your cybersecurity.