The Global Forum for Advanced Cyber Resilience 202 839-5563 Come down from the cyber summits to the fertile value of cyber collaboration.
15 December 2016
Mr. Robert Fangmeyer
Director of the Baldrige Performance Excellence Program
Directors Office Baldrige Performance Excellence Program
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, MD 20899
RE: Response comment on draft Baldrige Cybersecurity Excellence Builder
Dear Robert,
Our Forum’s Role to Advance Cyber Resilience in Support of Business Excellence
The Global Forum for Advanced Cyber Resilience brings private and public organizations together to collaborate. Our focus
is on the use of best practices and lessons learned associated with the utilization of cyber resilience in support of each
organization's mission.
We provide support for ‘private and public’, ‘private to private’ and ‘internal’ collaboration. The result is a better
understanding of what is reasonable and prudent for the individual participant organizations. As a not-for-profit we focus
on what is of common interest across all participant organizations to provide a foundation and understanding of this
value. We believe there is greater value in this collaboration being coordinated from outside of the government, and our
participants agree.
We have attached comments on three sections of questions from the ‘Baldrige Cybersecurity Excellence Builder’ Draft. We
believe our comments will help organizations focus on the importance of cyber resilience in supporting their mission and
customers by discovering reasonable and prudent approaches to business value underpinned by cyber resilience.
We intend to continue to include discussion about business excellence in our forum activities and will continue to provide
information useful for business excellence.
Please also find comments about the value of Collaboration, Reasonableness and Prudence, Strategic Thinking, Disciplined
Culture, Stakeholder Buy-In, Leadership, Procurement, Work Force Strategy, and the Rationale for the use of cyber
resilience vs. security (see note 1 at the end of this document).
I. Collaboration
How we get to the understanding of cyber resilience business value is critical. ‘Cyber resilience’ is an enabler of the
business to perform its mission. It needs to be coordinated with all business activities.
Because of rapid changes in competitive markets and cyber threats we must take advantage of coordinated enterprise
strategic thinking, change culture, and continual improvement through this internal and external collaboration.
Taxpayers are demanding that the public sector be more prudent with its limited resources. The public sector will be able
to benefit from participating in private sector led collaboration.
“Cyber resilience and business value cannot be separated. Cyber resilience must be tightly coupled with and
support business value. Measurable ‘reasonable’ and ‘prudent’ approaches are found by including internal
and external collaboration in each organization's strategy in support of their missions.” (Charlie Tupitza)
Collaboration helps us utilize shared lessons learned and best practices in the context of our own business environment
and helps us determine “reasonable and prudent” approaches. We need a holistic view and representation of the
business to accomplish this.
cc: Mr. Tony Scott
Chief Information Officer
Office of Management and Budget
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500
II. Understanding Reasonable and Prudent Approaches
‘Reasonable and prudent cyber resilience’ must support business excellence throughout our organizations, the supply
chain, and all customers and potential customers. We must take advantage of lessons learned and best practices
identified during internal and external collaboration.
A disciplined “change management and continual improvement culture” must be associated with these activities.
Regulators look for ‘reasonable’ efforts toward cyber resilience. Taxpayers and stockholders demand ‘prudent’ use of
resources; customers recognize business value. We must take advantage of taxpayer and private investments in people,
processes, and technology. We have had discussions with ‘cybersecurity’ teams of major public and private organizations
that do not know, or have little communication with, the business side of their organization, their customers, or their partners. This
is not reasonable behavior. They all need to be involved in collaboration early, in the strategy phase and beyond.
III. The Importance of Strategic Thinking
Business excellence with cyber resilience requires full organizational representation at the table while strategizing.
Shifting the thought of cyber resilience to the “strategy phase”, ahead of “design”, for all products and services helps us
identify how cyber resilience enables organizations to provide excellence in service to their own organization and to their
customers. This discipline makes it easier for all stakeholders to understand the value and their role in supporting it as
leaders.
It will be easier to justify requests for the necessary cyber resilience resources in support of our mission when we
understand and articulate reasonable and prudent approaches by having full representation during strategic thinking.
IV. Disciplined Continual Improvement Culture Supporting Change and Readiness
Perpetual business excellence requires an effective change management culture supporting continual improvement
throughout the life-cycle of our products and services. Cyber resilience or business excellence cannot be a destination.
We must approach this at our own pace or battle rhythm and do things that will help us enable a faster pace.
‘Organizational readiness/resilience’ amidst continual change in the competitive, threat, and regulatory landscape, and
in employees, is not optional.
Organizations with a culture of change and continual improvement will have an easier time. Organizations with
disciplined approaches in the development of products and services will move at a more effective pace. Many senior
leaders in both private and public organizations demand disciplined approaches.
Stockholders, insurance companies, taxpayers, auditors, and lawyers are happier when they see discipline. Without this
discipline, it is difficult for leaders to manage and model desired behavior.
How is change managed?
People tasked with managing change must have the clout to make change. Business and IT controls must make sure
resilience is considered and required for every request for change. This is tough in many sectors because they see
themselves as technology companies. The industry needs to recognize Business and IT as collaborative partners.
The industry cannot rely on technology alone and must recognize the important role of people.
How are suggestions for improvements recognized and managed?
V. Buy-in from Stakeholders
Stakeholders must understand the cyber resilience business value to them and their customers. This understanding must
flow through to how the organization markets itself, its products and services. This is a competitive advantage when the
customer validates its value. For this to happen we need to figure out how to engage our customers in collaboration and
clearly articulate this value to them.
VI. Leadership
Leaders need to clearly understand their role in supporting cyber resilience and business value. Fortunately, there are
plenty of good examples we can take advantage of so we can model future behavior. We need to share these examples.
We tend to focus on the negative examples and need to recognize the positive ones.
Demonstration of commitment and support from the CEO is needed for all governance and policy activity aligned with the
organization's overall cyber resilience considerations and mission.
All activities must be in support of business objectives valuable to current and potential customers. There must be a
continual improvement life-cycle associated with all activities.
How do stakeholders in your organization tell the CEO what you need? The CEO needs you.
Putting on the CEO hat:
o I don’t get it. It’s complex; I hate not getting this.
o Simplify this complexity to support conversations between me and others in the organization.
o My attention span is short. Get points across quickly and clearly.
VII. Work Force Development and Retention Strategy
To have a reasonable approach to cyber resilience, organizations must have a way to evaluate skills and skill gaps for each
role in the organization. This is directly related to a culture of change management and continual improvement. As the
business climate and threats change, and as new products and services are considered, the organization must know if it is
ready and, if not, understand the skills gaps so it can become ready by training up existing employees and hiring new
ones. These are artifacts of interest to the cyber insurance industry and potential business partners.
What is your work force development and retention strategy to address cyber resilience?
What standards, best practices, and frameworks are you using? For example, the National Initiative for
Cybersecurity Education (NICE)?
What is the right education needed to keep employees, partners, and customers aware of current and evolving
threats and business value?
VIII. Procurement Responsibilities
Key positions in the procurement process need awareness training. People, especially program and project managers, have responsibilities regarding cyber resilience before making requests to the procurement process. Best practices associated with the responsibilities and training needed for all roles are critical for success. Coordination of activities by program and project managers is important.
Who has what responsibility regarding cyber resilience within your procurement process?
How are people within your procurement process made aware of cyber resilience requirements?
Does the procurement office participate in collaborative activities within the strategy phase for the development of products and services?
Low Hanging Fruit, Moving Forward: Taking Advantage of Taxpayer and Private Sector Investments in Common Approaches
As we look for ways to move large business segments and influence others, we need to look to both private and public
organizations across critical and noncritical sectors to identify where a common work culture, and the use of common best
practices, lessons learned, and standards, exist. There is great value in taking advantage of these existing investments in
people, processes, and technology, along with the common lexicon already present.
An example of a common disciplined approach to IT Service Management which can support cyber resilience is the
Department of Defense Enterprise Service Management Framework (DESMF), which the DoD CIO Mr. Terry Halvorson
directed the DoD to conform to on 24 Dec 2015. This pulls together many best practices and standards which, with some
work, could be improved with cyber resilience underpinned by its processes. Most federal IT service contracts call for
much of what is in this framework. Many private sector organizations internationally call for the best practices and
standards within the framework. Many of our citizens are certified and have job experience in this domain. These align
nicely with the Baldrige focus on cyber excellence and business value.
There is a common thread from the DoD to the outside. Organizations utilizing much of what is called out in the DESMF,
like Disney, are all about serving the customer, keeping them secure, and earning value for the stockholders. It is called
something different outside the DoD, but they share common best practices and lexicons. Our collaborative sessions,
including the DoD, contractors, other public organizations, as well as telecom, healthcare, finance, and other sectors,
clearly demonstrate the value of taking advantage of this common thread to share lessons learned.
The Latent Function of Taking Advantage of Common Investments and Approaches
We are not in this alone. Taking advantage of any common foundation like the example above will motivate
innovation, as smart people and organizations will see a homogeneous market for their products and services.
Foundation of Common Thread Across Private and Public Organizations
As our forum participants focus on the common threads across all organizations, they will be able to add greater value.
We will stay at this level, which will aid private and public organizations of all sizes to understand how to take advantage
of cyber resilience in the provision of excellent products and services. We look forward to moving this discussion forward.
With the focus on underpinning excellent products and services, taxpayers and consumers can expect improvement. Those
following this work will be more competitive in the marketplace, creating new jobs and securing existing ones. The
government will be able to better serve its citizens.
Summary of the Value of Collaboration
Reasonable and Prudent approaches to cyber resilience, identifying the bar.
Business Value of Cyber Resilience articulated as your advantage, raising the bar.
Excellent Products and Services with customer and mission focus.
Self-Regulation through the demonstration of effective (measurable) policy and governance.
We are excited to take advantage of the Baldrige values of excellence, especially when applied to cyber resilience
underpinning excellent products and services.
Sincerely,
Charles William Tupitza
Chief Executive Officer
The Global Forum for Advanced Cyber Resilience
202 839-5563
Attachment: Forum Comments on the Draft Baldrige Cybersecurity Excellence Builder
Comments of the Forum are highlighted below in yellow. By no means does this represent all things to consider. We need to start somewhere, and our future collaborative sessions will contribute more input. This must be a living and continually improving approach to be effective.
Leadership:
(1) How do your leaders’ actions demonstrate their commitment to CYBER RESILIENCE?
a) How do they know how to act? How do they receive guidance?
b) What PROCESS is in place to assure they are sending effective messaging to the company and CUSTOMERS?
(2) How do your leaders deploy the organization’s mission, vision, and values to the WORKFORCE to KEY SUPPLIERS
and PARTNERS, and to KEY CUSTOMERS and other STAKEHOLDERS, as appropriate?
a. How does the message of good cyber practice align and support this?
b. What does good look like?
c. Who is involved with collaboration and how?
(3) How do your leaders’ actions demonstrate their commitment to legal and ethical behavior?
a. How do they know the legal behavior to exhibit?
b. How are they held accountable?
c. How can they be protected from activities of those in the organization acting outside policy and reasonable
behavior?
(4) How do your leaders’ actions build CYBER RESILIENCE policies and operations that are successful now and in the
future?
a. How is success measured?
b. Who is involved with collaborating about this?
(5) How do your leaders communicate with and engage other organizational leaders, the WORKFORCE, and KEY
CUSTOMERS and STAKEHOLDERS regarding CYBER RESILIENCE?
a. How do they collaborate internally and externally to understand reasonable and prudent behavior across all
divisions of your organization?
(6) How do your leaders create a focus on action that will achieve the organization’s CYBER RESILIENCE OBJECTIVES in
alignment with its mission?
a. How do they collaborate internally and externally to understand reasonable and prudent behavior?
Governance and Social Responsibilities
(1) How does your organization ensure responsible governance of its CYBER RESILIENCE policies and operations?
(2) How do you address legal, regulatory, and community concerns with your CYBER RESILIENCE-related policies and
operations?
a. Do you actively collaborate internally and externally about this?
(3) How do you promote and ensure ethical behavior in all CYBER RESILIENCE -related interactions?
(4) How do you actively support and strengthen the CYBER RESILIENCE infrastructure of your KEY communities?
a. Do you share threat data?
b. Do you participate in collaborative events reviewing and improving best practices and lessons learned?
Strategy:
Strategy Development
(1) How do you conduct your CYBER RESILIENCE STRATEGIC planning?
Provide artifacts of a disciplined approach.
What are the high-level objectives of cyber resilience within the organization?
What is the right balance between prevent, detect, and correct for this organization?
What are the most important strategic assets of the organization?
o What is the value to all stakeholders including customers, partners, and regulators? Define value.
How should organizational assets be classified, and who should do this?
o What is the willingness to accept, avoid, transfer, and or share each risk?
o How is it articulated?
What are the high-level security responsibilities of each group or team within the organization?
How should risks be assessed and managed, and who should be doing this?
(2) How do you ensure ALIGNMENT between your CYBER RESILIENCE STRATEGIC planning and your organization’s
overall STRATEGIC planning?
(3) How does your CYBER RESILIENCE strategy development PROCESS stimulate and incorporate innovation?
a. How does this enable you to do more, i.e. provide a better service for the customer?
(4) How do you collect and analyze relevant data and develop information for your CYBER RESILIENCE STRATEGIC
planning PROCESS?
a. How do you determine the base line and show Continual Improvement from strategy through Design,
Transition, and Operation?
(5) How do you decide which KEY CYBER RESILIENCE PROCESSES will be accomplished by your WORKFORCE and which
by external SUPPLIERS and PARTNERS?
a. Do you know who knows what? Do you understand the gap? Do you know how to train up existing
staff?
(6) What are your organization’s KEY CYBER RESILIENCE STRATEGIC OBJECTIVES and timetable for achieving them?
a. What does success (good) and progress (improvement) look like?
(7) How do your organization’s KEY CYBER RESILIENCE STRATEGIC OBJECTIVES relate to your organization’s overall
STRATEGIC OBJECTIVES?
a. How do you determine Reasonableness, Prudence, and Effectiveness?
(8) How do your CYBER RESILIENCE STRATEGIC OBJECTIVES achieve appropriate balance among varying and
potentially competing organizational needs, including the balance between CUSTOMER and STAKEHOLDER
requirements and business OBJECTIVES?
a. How are Cyber requirements articulated to the C suite?
(9) How effective is the change management culture in your organization?
a. Are Cyber Resilience considerations included with all changes?
(10) How do you utilize Continual Service Improvement associated with cyber resilience?
a. Who owns this process?
Strategy Implementation:
(1) What are your KEY short- and longer-term CYBER RESILIENCE ACTION PLANS?
(2) How do you DEPLOY your CYBER RESILIENCE ACTION PLANS?
a. How is success measured?
b. How do you identify improvements needed?
(3) What are your KEY WORKFORCE plans to support your short- and longer-term CYBER RESILIENCE STRATEGIC
OBJECTIVES and ACTION PLANS?
a. Who is involved with internal and external collaboration?
b. What best practices, standards, and lessons learned are you following?
(4) What KEY PERFORMANCE MEASURES or INDICATORS do you use to track the achievement and EFFECTIVENESS of
your CYBER RESILIENCE ACTION PLANS?
a. Are they consistent across your organization?
b. Do you have a way to determine how you are doing against others in your sector?
(5) For these KEY PERFORMANCE MEASURES or INDICATORS, what are your PERFORMANCE PROJECTIONS for your
short- and longer-term planning horizons?
(6) How do you establish and implement modified CYBER RESILIENCE ACTION PLANS if circumstances require a shift in
plans and rapid execution of new plans?
1. Rationalization for use of ‘Cyber Resilience’ instead of ‘Cyber Security’ in this document
When we use the term “cyber-security”, thoughts are almost always centered on prevention and technology. This is
reinforced by articles like the Wall Street Journal article on Jan 18, 2016 titled: “How to Improve Cybersecurity? Just
Eliminate the Human Factor.” This is misleading and dangerous. Security alone is not a preventative; it is a delaying tactic
to keep “them” out long enough so that when they get in, whatever you are trying to protect is no longer sensitive, and if they
are already in, processes are in place to minimize the effect of the event(s).
Resilience has a different connotation, including the ability to respond and recover quickly or easily from some set of
events or exposures. Cyber-resilience includes the life-cycle reactions to prevent what you can, detect what can’t be
prevented, correct, and learn from the situation.
While some do include aspects of resilience in their approach to cyber-security, it is not a standard reaction. Without this
you do not have a reasonable approach. Cyber-resilience connotes a broader response utilizing technology and people,
including “See something, say something.” Please consider changing references to cyber security to cyber-resilience
unless the intent is to focus purely and exclusively on technology and prevention.
In closing, if you Google “Cyber Security Summit” in quotes you will see 180,000+ mentions. Now Google “Cyber Resilience Business Value” and you will get 8 results. (Then read our footer.)