Is There An Easier Way to Report to Execs?

Using the CSF Core Functions

Reading Time: 3 minutes

Implementing and/or improving a cybersecurity program takes leadership, support, and funding.  I created a 3-Year Cybersecurity Roadmap to focus the efforts of the Cybersecurity team, attain C-suite executive support, allocate resources, and attain funding.  To receive continued support and funding I am required to report on the maturation and effectiveness of our strategy.  If you’ve been in cybersecurity long enough then you know this is an ongoing challenge.  And if you’re familiar with the National Institute of Standards and Technology (NIST) Special Publications, then you also know NIST SP 800-53 Security and Privacy Controls for Federal Information Systems [URL] has over 300 security controls.  Attempting to explain the maturity of your cybersecurity program to executives using the NIST SP 800-53 control families and security controls would be enough to put your most technical engineers to sleep, so don’t.  After racking my brain trying to think of the best way to present this information, I stumbled upon the NIST Cybersecurity Framework (CSF).

The CSF was “created in response to Executive Order 13636, which aims to improve the security of the nation’s critical infrastructure from cyber attacks”.  Our organization doesn’t manage critical infrastructure however we adhere to NIST guidance and the CSF maps to NIST security controls provides a framework that is easy for people to digest.

The CSF Framework [] organizes basic cybersecurity activities into the five Core Functions Identify, Protect, Detect, Respond, and Recover.  Each Core Function is further broken down into Categories as seen below.  These Core Functions and Categories directly map to the NIST SP 800-53 controls.

Click Image to Enlarge

Figure 1 NIST CSF Core Functions and Categories

The question remains, how do I want to present the status of our cybersecurity program to the executives? In my case, I wanted to show how our security posture has [or has not] matured, from a security controls perspective, over time.  We used Initial, Current, Planned, and Target to show status and maturity of our program.  These categories translated to the year we started implementing the program [Initial], the current year [Current], and controls currently planned for on the roadmap [Planned], in relation to our target state [Target].

Next, I created the criteria to use within each category to depict the maturity.  This takes into consideration all the NIST SP 800-53 controls that we implemented during that time frame.  We used the following scale.

Click Image to Enlarge

Figure 2 Cybersecurity Rating Scale

To create the visuals for the presentation, I added each of the Core Functions and Categories into Excel and added a field for the ratings for each timeframe.

Click Image to Enlarge

Figure 3 CSF Core Function – Identify

Once the data was entered, I created and added radar charts to our presentation and provided additional contextual information. I did this for each of the CSF Core Functions.

Click Image to Enlarge

Figure 4 Identify Radar Chart

This presentation was well received by executives and we continue to use it to track our progress.  Are you doing anything similar or using a better framework?  Please comment and tell me about it.


Leave a Reply