5 Pillars of Building Your Cybersecurity Roadmap

October 19, 2022

Brian Scott

Brian Scott, president and founder of ClearTone Consulting, provides executive technology consulting services based on 35 years of technology expertise and 20 years of CIO/CISO experience within the exhibitions and events industry. Brian provides expert technology consultation in the areas of technology strategy, software development, systems integration, data warehousing and analytics, cyber security, data center operations, cloud computing, and end user support. He works with his customers to overcome technology challenges, leverage tech to drive growth and revenue, secure valuable digital assets, and execute projects to meet the organizational objectives.

On February 12, 2013, Executive Order No. 13636, aptly named “Improving Critical Infrastructure Cybersecurity,” was signed by President Obama. From this executive order, the National Institute of Standards and Technology (NIST) was tasked with the development of what has become the granddaddy of cybersecurity frameworks. You won’t find a security professional alive that doesn’t have a love-hate relationship with the NIST framework.

Mention the term “cybersecurity framework” with most business folks, including presidents and CEOs, and you’re likely to see eyes glazing over before long. I get it. That topic has three ingredients that make for a pretty dry discussion: cybersecurity, framework and government-made. I was not born a fan of compliance frameworks. In fact, it took many years of having to deal with security as a function of my responsibilities to develop the appreciation that I now have. Yes, I’m a cyber-geek.

Don’t get me wrong, I’m actually not a huge fan of the NIST Cybersecurity Framework (CSF). It reads as if it were born from a government entity. As good a job as NIST did, and they did an outstanding job, it still has government written all over it. There are several other frameworks out there today, and my favorite, in fact, was developed by a completely different approach and doesn’t have the government-made feel. The Center for Internet Security’s (CIS) Critical Controls were created with the input of thousands of experienced cybersecurity professionals; they make a great deal of sense and are organized in a way that easily translates to organizations of all sizes and types. If you’re in the biz, it’s very cool stuff. But I digress, let’s get back to NIST.

NIST 800-171, the framework suggested for non-governmental organizations, consists of 110 controls. That’s a lot of controls, right? So now I’m getting to my point. With so many controls, NIST knew it would make sense to categorize these controls into groups that they call functions. Their five functions are the highest level of abstraction of the framework and represent the five pillars that every organization should use to build their cybersecurity roadmap.

I’ll briefly mention each of these for the benefit of all the non-IT readers, so you can begin to understand how cybersecurity professionals think about the fight that they are fighting. And believe me, they are fighting a battle that is real and ever-present. You may not have realized it yet, but from a cyber-perspective, your organization is smack in the middle of a raging battlefield, and there are companies all around you that are catching shrapnel, being attacked and unfortunately, critically wounded in many cases. If you haven’t had the cyber-shrapnel bounce off your proverbial helmet yet, it’s only a matter of time.

So what are these five functions, and why do they make so much sense? Let’s dig in. 

1. Identify

The first is “Identify.” This may sound like a no-brainer, but you’d be absolutely shocked at how many organizations are weak in this area. Identify is all about developing an understanding of systems, people, assets and data in order to properly manage the cybersecurity risk. Peter Drucker famously said, “If you can’t measure it, you can’t manage it.” Cybersecurity professionals resoundingly agree. How can your team know to check if software is upgraded if they don’t know the software exists? How can they know if an account being used within your network is legitimate if there is no list of legitimate accounts? If you can’t list it, you can’t protect it!

I warned you it was a no-brainer. If we don’t have a documented list of people, accounts, hardware devices and approved software, how can any team adequately put together a plan to protect it? But surprisingly, something as easy as this is often overlooked by busy IT groups that are trying their best to do the other tasks you’ve asked them to do. It’s far too easy to intend to create or update a hardware and software inventory, but let it fall aside because that member list has to get to marketing like it was yesterday. Identify is core to all the other functions.

2. Protect

The next function is “Protect.” Well, that was easy. Just protect everything, and we’re good, right? I wish it were that easy. The Protect function can be difficult, as there is so much change in our environments. Included in this area are tasks such as using proper access control procedures, building your “human firewall” with staff awareness training, configuring network firewalls, patching every piece of software and operating system in use and ensuring that your endpoint protection is best-in-class. Believe me, there’s a lot to execute in this area.

3. Detect

Next up is “Detect.” If your organization’s perimeter protections were breached, likely because of unmitigated known vulnerabilities, then a solid “defense-in-depth” strategy means you will need systems in place that can detect bad actors in your environment. The cornerstone of detection is monitoring, which means utilizing automated systems, often leveraging artificial intelligence (AI), to spot malicious activity. This area is most often outsourced due to the labor and expense required to execute it yourself.
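The Identify and Detect sections above make one connected point: you can only flag an unknown account or an unapproved program if a documented list of the approved ones exists first. The script below is an added example, not code from the article or from NIST. It reconciles a constructed approved-account list and approved-software inventory against constructed SSH auth log lines and a constructed package snapshot; every hostname, account name, IP address and package version in it is made up for illustration.

```python
"""Reconcile what is observed on the network against the documented inventory.

Added example, not from the article: the approved-account list, the approved-
software inventory, the log lines and the package snapshot are all constructed.
The Identify function supplies the baseline; the checks below are the simplest
form of Detect, and neither check is possible without that baseline.
"""
import re
from typing import Iterable

# Constructed inventory: what the organization has documented as approved.
APPROVED_ACCOUNTS = {"alice", "bob", "svc-backup"}
APPROVED_SOFTWARE = {"openssh-server": "9.3", "nginx": "1.24", "postgresql": "15"}

# Constructed log lines in a Linux auth.log style (host, users and IPs are made up).
AUTH_LOG = """\
Oct 19 08:01:12 web01 sshd[1021]: Accepted publickey for alice from 10.0.5.21 port 51022 ssh2
Oct 19 08:04:55 web01 sshd[1044]: Accepted password for bob from 10.0.5.30 port 51100 ssh2
Oct 19 08:07:03 web01 sshd[1090]: Failed password for root from 203.0.113.9 port 40200 ssh2
Oct 19 08:09:41 web01 sshd[1102]: Accepted password for tempadmin from 203.0.113.9 port 40311 ssh2
Oct 19 08:12:00 web01 sshd[1130]: Accepted publickey for svc-backup from 10.0.5.5 port 51300 ssh2
"""

# Constructed snapshot of what is actually installed, as a package listing would report it.
OBSERVED_SOFTWARE = {
    "openssh-server": "9.3",
    "nginx": "1.22",
    "postgresql": "15",
    "remote-helper": "0.9",  # constructed name for a package nobody approved
}

# Only successful logins matter for this check; failed attempts are not matched.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def unapproved_logins(log_lines: Iterable[str], approved: set[str]) -> list[tuple[str, str]]:
    """Return (user, source_ip) for each successful login by an account not on the approved list."""
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") not in approved:
            findings.append((m.group("user"), m.group("src")))
    return findings


def software_drift(observed: dict[str, str], approved: dict[str, str]) -> dict[str, list[str]]:
    """Sort observed packages into three buckets relative to the approved inventory.

    unapproved:       installed but not in the inventory at all
    version_mismatch: in the inventory, but not at the approved version (patching gap)
    missing:          in the inventory but not installed (the inventory itself is stale)
    """
    report: dict[str, list[str]] = {"unapproved": [], "version_mismatch": [], "missing": []}
    for name, version in observed.items():
        if name not in approved:
            report["unapproved"].append(name)
        elif approved[name] != version:
            report["version_mismatch"].append(f"{name} {version} (approved {approved[name]})")
    for name in approved:
        if name not in observed:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    for user, src in unapproved_logins(AUTH_LOG.splitlines(), APPROVED_ACCOUNTS):
        print(f"login by account not in inventory: {user} from {src}")
    for bucket, items in software_drift(OBSERVED_SOFTWARE, APPROVED_SOFTWARE).items():
        for item in items:
            print(f"{bucket}: {item}")
```

Run as-is it reports the `tempadmin` login and flags `remote-helper` as unapproved and `nginx` as off its approved version. The `missing` bucket is the one busy IT groups tend to forget: it catches the inventory drifting away from reality, which is exactly the Identify failure the article describes.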

4. Respond

In the event malicious activity has been detected in your environment, guess what? You will need to “Respond,” which is the fourth NIST function. This function requires the deployment of systems and processes that allow taking action against an attack. This often includes isolating the danger, managing communications, analysis and finally, mitigation activities. These activities are often managed by an organization’s Managed Service Provider (MSP) or even better, an Incident Response (IR) Service Vendor. An IR vendor can manage the analysis, containment, eradication and even recovery from a cybersecurity incident.

5. Recovery

Speaking of “Recovery,” we’ve finally reached the final NIST function. Yes, after you’ve set the bug-bomb off in the house to kill the breaching critters, you need to move the furniture back in and uncover everything you’ve protected with plastic wrap. Bringing things back online, recovering systems and data from backup copies and informing staff, customers and members are all part of this function.

So, we made it! There is a huge amount of knowledge, systems, implementation and effort involved in covering all the bases in each of these areas. Luckily, there are also priorities and low-hanging fruit that should be addressed first to get the most bang for your buck. The biggest part of this entire cybersecurity circus is knowing where you currently stand regarding risks and having a plan for covering as much ground as efficiently as possible. The 80/20 rule is alive and kicking in the cybersecurity world!
