
8 tips to help you build your cybersecurity risk management framework

Adopting and leveraging a holistic approach like the NIST Cybersecurity Framework is a smart idea—protecting your organization from cyber threats is vital. Here are some key considerations you may want to keep in mind, and how HPE Education Services can help.

If your organization is developing a strategy to effectively manage cyber risk, then adopting a cyber risk framework is vital. Here are eight tips that may help you avoid pitfalls and improve your cyber resilience.

Organizations employ numerous cybersecurity risk management capabilities—but without an overarching cyber risk framework, they fall short of implementing a holistic approach that serves to “pull it all together.” Although there are many frameworks at your disposal, the NIST Cybersecurity Framework (NIST-CSF) is especially useful for coordinating different focus areas, performing gap analysis, and identifying and prioritizing areas of improvement.

The following best practices will help your organization effectively implement a robust cybersecurity risk management framework.

[Figure: Benefits of adopting the NIST Cybersecurity Framework]

Source: HPE NIST Cybersecurity Professional (NCSP) Certification Training

1. Align all levels of your organization – beginning at the top

The primary objective of adopting a framework like the NIST Cybersecurity Framework should be to facilitate meaningful conversations among all stakeholders across your organization—this should include the board of directors, executive leadership, and senior management, as well as the line of business teams and other stakeholders with a vested interest. This ensures that the appropriate levels of visibility and awareness are consulted as the organization makes informed decisions about cyber risk investments and commitments.

The decision to adopt the framework must extend beyond IT stakeholders to include members of the board or senior business management level executives; they also need to support and communicate the importance of adopting a cyber risk framework.

It is also essential that the majority (if not all) of your IT department and business liaison personnel have an understanding of cybersecurity risk management and the steps your organization is taking to address this. Why? Simply because when people understand the aims and goals of others in the organization, you are more likely to get their buy-in and support, even if they're not directly involved. Also, while they may not like having to follow a security control, they now understand why, and they realize the value it delivers to the organization.

HPE’s training and certification program starts with a Foundation certification that facilitates this requirement – more on that in a moment.

2. Use NIST-CSF Core Functions

The NIST-CSF acts as a comprehensive set of steps that your organization can take to ensure that cyber risk is assessed. It uses functional and straightforward best practices, explained with easy-to-interpret business language, to outline the Core Functions of your organization’s unique cybersecurity risk management framework.

Core Functions address the following:

- How do we identify what requires protection?
  - What is its value to the organization?
- What protection is required to mitigate the risk?
- What levels of resilience should be built in the face of these cyber threats?
- How quickly can we detect that our protections have failed?
- How quickly can we respond to limit or avoid damage?
- How quickly can we fully recover?

Core Functions dramatically improve senior leadership's understanding of the strategic outcomes and interdependencies across your enterprise. By using Core Functions, you can facilitate discussions about different sets of cyber risk controls, better understand your organization’s cyber risk profile, and ensure that you have a sufficient balance of controls.

3. Build awareness

It is important to assess controls, identify and execute improvements, and respond to changes in vulnerabilities, threats, risks, and asset value. While carrying out this work, your organization could still experience a cyber incident at any time, so you need to be prepared. A robust playbook of responses or policies to address the most likely types of cyber incidents, including remedial actions, is required.

A good precursor or parallel activity is to implement an effective awareness program. This not only demonstrates commitment to cybersecurity defense across your organization, but it also provides a level of improved protection throughout your journey.

By improving security awareness, employees are empowered to move from being a source of vulnerability to becoming the first line of defense (what I like to call “human firewalls”). A security-aware workforce can become an asset and is an essential building block of your cyber defense. Learn more in my previous post: Cyber Security Awareness: How to Establish an Effective Program.

4. Understand, assess, and prioritize

The NCSP® (NIST Cybersecurity Professional) certification program is designed to provide the knowledge, skills, and capability your organization needs to build a roadmap for your cybersecurity journey. This is similar to what ITIL® does for service management: ITIL provides a common structured understanding and approach to an organization’s operating model.

The first step for the cybersecurity team is to understand your organization’s needs and desired outcomes. Then, the team must assess various risks and consider the controls needed to mitigate those risks, while at the same time evaluating the impact of the controls on the organization’s ability to achieve desired outcomes. Finally, the team needs to set out a program of improvements that prioritizes actions identified as most important to the organization, such as protecting revenue streams or reducing the risk to growth initiatives.

This is a lot of work and should not be underestimated in terms of the knowledge, skills, abilities, time, and resources required. Having an approved, workable plan is critical to your success.

5. Be agile, unconstrained, and innovative

Cyber risk is a constantly moving and evolving target. This means that all vulnerabilities, threats, and threat actors will change, as will the assets that your organization needs to protect.

It is essential that your organization does not look upon cybersecurity as a ‘one-time project’ with ‘one-time funding.’ It needs to be inherently part of your business strategy.

Your cybersecurity strategy must be an ongoing priority, with continual improvement and innovation to ensure that the scope and mitigation of risk evolve to meet the changing threats to your organization. (‘Plan, Do, Check, Act’ is a well-known process to follow.)

6. Adopt and adapt

Adopting and adapting the framework to suit your organization are keys to your success. Keep in mind that frameworks are guidance—not the law. Best practices like the NIST-CSF and ITIL® are proven to work for many organizations; however, they are not “silver bullets” or panaceas—so constant scrutiny and review is needed to decide what works best for your organization now and in the future.

7. Create competitive advantage

A robust and pragmatic cybersecurity risk management program provides an opportunity to gain competitive advantage.

For example, an organization that has, or is part of, a supply chain that decides to adopt the Cyber Supply Chain Risk Management (C-SCRM) security controls, can be independently audited using the Cybersecurity Maturity Model Certification (CMMC). This certification provides a level of comfort to customers and fellow suppliers, generating a competitive edge and, ultimately, more business.

This is similar to what we see with the increased adoption of Zero Trust. Not only do organizations gain a greater level of protection for themselves and their customers, they achieve a “badge of commitment,” visible to everyone, that they can use to promote and market themselves.

8. Leverage HPE Education Services training and certification support

HPE offers NIST Cybersecurity Professional (NCSP®) Certification training and exam preparation in a variety of delivery formats—eLearning, traditional classroom-based training, and virtual instructor-led training (VILT).

[Figure: HPE NCSP certification career pathway]

Learn more about the award-winning NCSP certification courses from HPE:

- Provides a common language and a fundamental understanding of cybersecurity risk management and the NIST-CSF.
- How to approach, design, and build a comprehensive cybersecurity and risk management program based on the NIST-CSF.
- Foundation and Practitioner combined.

Additionally, NCSP Specialist Courses are expected to be released in October 2021.

Reinforce your cyber-resilience with HPE

HPE has industry-recognized expertise in security, risk and compliance services (part of HPE Advisory and Professional Services). We have exceptional expertise when it comes to assisting organizations with defending or recovering from cyber threats and attacks.

Learn more about HPE Advisory and Professional Services designed to improve cyber-resilience:

  1. HPE GreenLake Cloud Services - Security Risk and Compliance Practice
  2. HPE Advisory and Professional Services security consulting
  3. HPE Server Security and Infrastructure Security Solutions
  4. Cybersecurity Training from HPE Education Services

Or contact HPE to start a conversation.

Get ready for October Cybersecurity Month

As a thank-you for reading this blog and to celebrate the annual “October Cybersecurity Month,” please click this link to win a free copy of our one-hour eLearning, NCSP Awareness.


John F McDermott manages the HPE worldwide portfolio for cybersecurity education, training and certification. For the past five years, he has brought his 35+ years’ experience in IT Service Management best practices to the cybersecurity world.

Contact John on LinkedIn and on Twitter.


About the Author

ServicesExperts

HPE Pointnext Services experts share their insights on the topics and technologies that matter most for your business.

Comments
SUYASH DEOSTHALI

Thank you for sending “8 tips to help you build your cybersecurity risk management framework” through mail. It's really informative.