How can Group Support Systems & Canvas modeling help with implementing Cybersecurity in Mid-sized companies?

Yuri Bobbert and Vincent van Dijk | January 18, 2023

Nowadays, company owners have difficulty grasping the topic "Cybersecurity." What is it, and how does it differ from earlier terms like "Information Security"? When we explain it simply to directors and boards, "Cybersecurity" is about securing your assets against potential cyber risks such as hacks, automated attacks, drive-by attacks, phishing, and so on. In previous research and books, we elaborated on the shift from IT security to Business Information Security, where, in essence, the business owns the data and the IT or security department facilitates the protection of these assets via processes and tools. But which processes and tools should you choose when you don't want to suffocate your organization with jargon and controls? In this blog, we explain how a simple management approach such as the Business Model Canvas can support you and your organization in defining the right level of security, and how you can develop your roadmap based on your strategic goals.

Changing Landscapes of directives

Cybersecurity and Information Security have been on the agenda of European Union leaders since the establishment of the "EU cybersecurity strategy" in 2013. This led to the General Data Protection Regulation (GDPR) and the development of other international and national legislation, such as NIS and the new directive, called 'NIS2', which will replace the current directive on the security of network and information systems (the NIS directive). In 2022, NIS2 was extended with 8 other sectors, including space and digital services.

This change is sought-after because European organizations allocate, on average, 41% less to cybersecurity than their US counterparts. Today's business environment is complex and challenging to predict, so European companies must build the necessary cyber resilience to stay afloat and compete against global competition. But how do you distill what is essential for your organization?

Well, the Center for Internet Security developed a framework of controls that is unique in its approach: you can start with the basics and build from there towards a more exhaustive level of security covering more parts of the enterprise.

Business Modelling + CIS Controls

Cybersecurity strategies must also be simple and flexible enough to adapt to the dynamic nature of the existing and future risks organizations face. Our recent research proposed a new method that is easy for business people to understand and easy to digest without loads of controls. We coined it the Cybersecurity Canvas model.

Canvas modeling helps you, on the one hand, to model your organizational goals and business drivers, and on the other hand, to assess your preparedness against cyber risks. The simplicity of the canvas way of modeling risks versus security controls enables you, as manager or owner, to keep oversight of security management. With the canvas, it becomes easier to explain how security technology helps to mitigate security-related risks.

Security professionals can use the canvas to identify the security requirements and determine security measures collectively with business management. The canvas functions like a brain, with a left and a right side. The left side of the canvas is concerned with the security requirements (the Why and What), while the right side is concerned with operations (tools and processes), basically How we do things.

The Cybersecurity Canvas model

The CIS Controls are an excellent framework for the right side of the canvas. The controls framework provides a simple yet comprehensive set of controls to design your security operations. Controls such as incident response, access control and others can be selected from the CIS Controls and placed on the right side of the canvas.

The CIS Critical Security Controls are a globally recognized cybersecurity governance framework for improving your position against cyber risk and institutionalizing the Information Security function of an organization. By institutionalize, we mean making it a formal management practice rather than an ad-hoc activity or a one-off project, because that will never lead to a structural improvement. We learned the same lesson in financial management three decades ago, when "informal and poor governance practices" led to scandals at Enron, WorldCom, Ahold, and Landis, and formal control frameworks such as GAAP and SOX were introduced. This gave a vast quality impulse to the industry and to financial management scholars. The same is needed to prevent cyber catastrophes from impacting the perceived value of the firm [1].

From Crossing the silos to breaking them

The familiar pitfall security professionals make, similar to the one observed when implementing SOX controls in the silos of financial management, is to design and implement security controls in the silo of IT. We still see security professionals making the mistake of putting too few, poorly configured, or too many controls on an asset. The key word here is proportionality: just enough to cover the risk while remaining affordable for the asset owner. As already mentioned, CIS provides you with a basic set of controls called "Implementation Group 1," which is suitable for organizations with limited resources and expertise to implement entire frameworks. Implementation Groups 2 and 3 are more advanced. But how do you determine this proportionality together with the relevant stakeholders, such as process owners, risk owners, privacy officers, IT people, and perhaps marketing or sales if it concerns revenue-generating assets such as a CRM that holds personal data? This approach requires cross-silo collaboration. Over the years, Group Support System (GSS) techniques have been used successfully to develop and scrutinize a mutually approved strategy or plan. A GSS-based assessment method focuses on getting a collective view of the current and desired state, in this case per CIS Implementation Group (IG). A self-assessment or even a one-on-one assessment has limitations such as individual bias, pretending your situation is better than it is, lying about the problem [1], or a lack of interaction and discussion between stakeholders with a different opinion or (outside-in) view.

It is the "collective brain" of the group that is mobilized via GSS to establish a more sincere view of the current situation and, at the same time, develop a feasible perspective on the desired situation and on what is needed to get there. Academic research [2] has shown that conducting a collective GSS-based strategy assessment contributes to:

a. an improved discussion that generates unique and valid viewpoints and ideas, leading to a representative view of the situation. Significant variance between participants is discussed and (re)voted on, if needed, to gain consensus.

b. group scrutiny that leads to a more qualitative view and understanding, resulting in knowledge transfer and an increase in awareness (for example, about accountability and responsibility).

c. collective commitment to a goal, roadmap, and ownership of actions, which leads to a more sustainable implementation of the strategy and breaks organizational silos.

In the visual below we see a snapshot of one control that has been assessed by the group. The dark pillar represents the score per CIS control, and the light orange pillar reflects the variability in the group. This allows the group facilitator to immediately zoom in on large variances in the group in order to understand the cause, motivations or viewpoints. After the discussion and sharing of thoughts, the facilitator can revoke the votes and ask the participants to revote in order to get a more valid and trustworthy result. In science we refer to this as the Double Loop Learning effect [3].
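To make the score-versus-variability logic concrete, here is an added example (not code from the authors or from the Meeting Wizard tool) that scores a handful of CIS controls from constructed participant votes, flags the controls whose spread exceeds a facilitator-chosen threshold, and re-scores after a revote. The 1-5 maturity scale, the participant roles and the spread threshold are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: per CIS control, the maturity score (assumed 1-5 scale)
# given by each participant role in the GSS session. The spread between
# roles is deliberately large on Account Management to trigger a discussion.
VOTES = {
    "CIS 1 Inventory and Control of Enterprise Assets": {
        "CISO": 4, "IT": 4, "Risk": 3, "Sales": 4},
    "CIS 5 Account Management": {
        "CISO": 4, "IT": 5, "Risk": 2, "Sales": 1},
    "CIS 17 Incident Response Management": {
        "CISO": 3, "IT": 2, "Risk": 2, "Sales": 3},
}


def summarize(votes):
    """Return {control: (group score, spread)}.

    The group score is the mean vote (the dark pillar); the spread is the
    population standard deviation of the votes (the light pillar that
    shows how much the participants disagree).
    """
    return {
        control: (round(mean(scores.values()), 2),
                  round(pstdev(scores.values()), 2))
        for control, scores in votes.items()
    }


def needs_discussion(votes, max_spread=1.0):
    """Controls whose spread exceeds the facilitator's threshold (assumed 1.0).

    These are the items to zoom in on before trusting the group score.
    """
    return [control for control, (_, spread) in summarize(votes).items()
            if spread > max_spread]


def revote(votes, control, new_scores):
    """Second voting round for one control after the discussion.

    Only the participants in new_scores change their vote; the original
    vote table is left untouched so both rounds can be compared.
    """
    updated = {c: dict(s) for c, s in votes.items()}
    updated[control].update(new_scores)
    return updated


if __name__ == "__main__":
    for control, (score, spread) in summarize(VOTES).items():
        print(f"{control}: score {score}, spread {spread}")
    print("Discuss first:", needs_discussion(VOTES))
    second_round = revote(VOTES, "CIS 5 Account Management",
                          {"Risk": 3, "Sales": 3})
    print("After revote:", needs_discussion(second_round))
```
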

Where and how to start?

You can already start easily with this collaborative way of working.

- Register your trial license at https://meetingwizard.nl and use the off-the-shelf CIS Controls assessment tool, offered via the library function in the tool.

- Involve and invite the stakeholders to a meeting to perform the assessment. Discuss intermediate scores, zoom in on variances in the group, and discuss the results.

- Collect the assessment results directly after the session and consolidate them in a Cybersecurity Canvas. You can download the free version from https://www.securityscientist.net/blog/research-a-cybersecurity-standard-for-sme/ or set up your own canvas in PowerPoint or Canva.

The results are astonishing: the exchange of knowledge between participants gets rid of all the fuzzy terminology and jargon. This brings the discussion to the essence of the meeting, namely proportional security based on a globally accepted framework of essential controls. The Canvas model re-uses existing management approaches and terms that are common in any board room, and the visualization of the "Brain" into operational tools and processes supports the marketing and communication of the message.

E-book: 25 years of Group Support Systems

In this book, the authors describe the developments that Group Support Systems (GSS) have gone through over the past 25 years. They outline examples of how GSS offers solutions for meeting dilemmas and group dynamics, and how to achieve consensus and make decisions in a pleasant way using GSS. Various experts in the field of GSS have contributed to the book. Finally, they paint a picture of the coming years, in which technology will increasingly support group processes and implementation, and of how the role of the traditional chairperson will transform from process facilitator to meeting 'wizard'.