Last weekend, I attended the Baldrige Cybersecurity Excellence Builder (BCEB) workshop, which was offered in conjunction with the annual Quest for Excellence Conference®. This interactive workshop illustrated practical ways to use the BCEB to assess the effectiveness and efficiency of a cybersecurity risk management program and the cybersecurity results it achieves, and to identify opportunities to improve risk management efforts.
The BCEB, also referred to as the Builder, “blends the organizational performance and systems perspectives of the Baldrige Excellence Framework with the holistic, enterprise-based approach of the Cybersecurity Framework,” as illustrated below.
“The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks.” — Commerce Deputy Secretary Bruce Andrews, Baldrige
Training exercises can be a bit dry; however, the collaborative nature of the exercise combined with the case study format made for a lively session. The NIST presenters and facilitators, including Matthew Barrett, Jacqueline Calhoun, Robert Fangmeyer, Ellen Garshick, and Gregory Witte, did an excellent job presenting the case study, which laid out the self-assessment process. The exercise demonstrated the benefits of the BCEB and also revealed several shortcomings.
Key takeaways from the workshop:
- The tool is most valuable as an assessment of an entire organization’s cybersecurity risk management program; however, it can also be effective assessing individual departments or business units within an organization.
- The BCEB (or Builder) will take time and resources to perform the self-assessment properly. Organizations will also benefit from having a cybersecurity professional on hand to support the self-assessment exercise.
- The Builder works best when the technology can be translated into the larger picture of cybersecurity at the organization, providing the complete security context. Based on the case study, responses tended to be technology-heavy and gave short shrift to the supporting processes.
- The Builder provides a good self-assessment framework; however, it does not translate readily to the larger CSF or to other cybersecurity standards (e.g., COBIT, ISO 27001). Organizations looking to prepare for a full audit of their environment should think twice before proceeding, since the results may not help them achieve their cybersecurity objectives.
Released in March 2017 by NIST and Baldrige, the Baldrige Cybersecurity Excellence Builder (BCEB) is a voluntary self-assessment tool designed to help organizations understand how well their cybersecurity program is performing and identify the gaps that need to be addressed. The goal of this tool is to eventually attach a dollar amount to the effectiveness and efficiency of an organization’s cyber risk management program.
Before adopting a new tool or undertaking a cybersecurity assessment, it’s important to plan, communicate, and get aligned internally. The Baldrige Cybersecurity Excellence Builder requires devoted time, resources from multiple stakeholders, and often the guidance of a seasoned cybersecurity professional. To learn more about this tool, we recommend downloading the full assessment and reading through it. Access Version 1.0 of The Baldrige Cybersecurity Excellence Builder.
Not sure if this assessment is right for you? Here are a few resources on cybersecurity measurement and assessments:
- How to Measure the Effectiveness of Your Cybersecurity Program
- The One Cybersecurity Assessment Every Organization Needs
Photo credits: NIST
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Contact us today!