Cybersecurity excellence builder: A free download from NIST

KNOWING IS HALF THE BATTLE. I never expected a cliché quote from my Saturday morning childhood cartoons (Yo Joe!) to be a solid recommendation that I use on a day-to-day basis. This advice is particularly true whenever dealing with strategic disciplines such as cybersecurity, risk management, IT service management, corporate governance or business continuity. Yet, the absence of structured information is one of the most usual concerns for organizations.


So, what is the excuse? In terms of good practices and standards, there are more than enough publications that most organizations can use to ensure a real, practical benefit for the business.

For instance, COBIT 5 is one of the most reliable frameworks for measuring information security maturity and capabilities. Putting the COBIT DSS05 (Manage Security Services) process into practice is one of the most effective ways to enable the business to achieve an adequate level of data protection.



Cobit 5 – Enabling processes – DSS05 RACI Chart

Aside from time-tested solutions, a new and free publication recently captured my attention. If you want a quick look at your cybersecurity maturity level, NIST’s Baldrige Cybersecurity Excellence Builder is a great self-test tool.

The current draft version was published by the National Institute of Standards and Technology (NIST) last September, and even as a draft, it has a simple yet very pragmatic approach. The whole idea is enabling organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations identify opportunities for improvement based on their cybersecurity needs and objectives, as well as their larger organizational needs, objectives, and outcomes.

Using the self-assessment it is possible to:

  • determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
  • prioritize your investments in managing cybersecurity risk;
  • determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
  • assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
  • assess the cybersecurity results you achieve;
  • identify priorities for improvement.

The publication is straightforward, with easy-to-follow practices. Just one word of advice: as with any self-test, it requires some basic understanding of the evaluated topic, so someone with reasonable cybersecurity experience should validate the results in order to avoid misinterpretation or errors.


As mentioned before, the Baldrige Cybersecurity Excellence Builder is a free publication, and it can be downloaded HERE (warning: PDF).



Corporate Culture: It is a great information security tool. This is why you should not overlook it.

CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as the set of ideas, habits and social behavior of a specific group. This translates into values, beliefs, ideologies and group behavior. In a corporate environment, it is only natural that absolutely every organization has its own culture. And yes, this is one of the key factors that can define the success or failure of information security.

The fact is CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, originally attributed to Peter Drucker, has never been as true as in modern organizations, especially in subjects related to Information Security and Risk Management. Corporate culture can either motivate professionals or drain their energy. Understand: culture is the environment in which corporate strategy, even the most well defined, either blooms or withers. Any company that tries to disconnect these two factors is creating an unnecessary risk on the way to success.


Over the past years, several companies have learned – the hard way – that neglecting information security can bring disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should have evolved into a more mature approach, where security is seen as a business facilitator and incorporated into all aspects of the strategy and transmitted in corporate culture, right? Yeah, dream on.
