Risk

Several years ago, cybersecurity was not even on the radar of most companies and their boards.

Over the past several years, after countless fiascoes and crises impacting companies of every size and scope, cybersecurity has steadily risen as a priority and emerged as an integral aspect of a board of directors' duty of care and oversight to the company it oversees.

As cyberthreats continuously evolve, develop and change, management is inundated with guidance on oversight, training, and any number of technical and procedural controls necessary to improve the company's security posture. In addition to the fast pace of evolution in cybersecurity, a recent trend of high-profile data breaches and cyberincidents has put boards of directors on high alert for very specific threats, for example, WannaCry and the threat of ransomware.

Continuous monitoring

While this increased attention and scrutiny is important, and salubriously inspires many companies to better their cybersecurity postures, this granular focus runs the risk of missing the forest for the trees. While an understanding of technical controls and specific risks is integral to any cybersecurity program, it's important to understand that there is a greater principle afoot: namely, that cybersecurity is not a binary state (secure or insecure) but a continuous, iterative, dynamic process.

Thus, if we, whether at the level of a single company or of the broader community as a whole, are to stand any chance of meaningfully moving the ball forward, we must develop a clearer conception of the nature of cybersecurity, the goals that a cybersecurity program must pursue, and the methodologies that must be implemented to accomplish them.

Industry standards

To better understand what this means, we can look to industry standards, one of the best being the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST). The CSF was created pursuant to Executive Order 13636, issued in February 2013 by President Barack Obama, which called for “the development of a framework to reduce cyber risks to critical infrastructure.”

The goal of the CSF was to create “a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.” The first version of the CSF was released in February 2014, and it was quickly adopted by its target market, U.S. critical infrastructure, but the CSF is more broadly applicable.

The CSF is neither industry nor size specific, and the general principles and processes it promulgates for identifying, understanding, and safeguarding against cyberrisks are just as applicable to a local or regional company as they are to an international financial institution or technology company.

3 core elements

The CSF consists of three core elements:

(1) the framework core;

(2) framework profiles; and

(3) framework implementation tiers, the subject of our inquiry.

The CSF implementation tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework (e.g., risk and threat aware, repeatable and adaptive). The tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).

Simply put, the tiers represent a spectrum of how well your organization understands, guards against, and responds to cyberrisk. The tiers are routinized and standardized across industries and verticals, which allows companies, engineers and managers to speak a common language, both with regard to their respective security postures and with regard to the best routes to develop and improve those postures.

While the CSF implementation tiers play an integral role in helping an organization understand its own posture and in setting goals for future development, they serve just as important a role in giving a company's nontechnical management and directors a clearer understanding of its cybersecurity development and goals.

Most effective security measures

The temptation to view cybersecurity as a binary question is particularly strong when it relates to a specific threat. For example, a corporate manager might ask whether or not the company is secure from NotPetya. Such questions are often technically difficult to answer, and they can be answered definitively only in narrow scenarios, such as whether a particular patch has been applied across the fleet.

Furthermore, the answer, even when it is determinate and binary, can be misleading and counterproductive. If the technical staff reports to the manager that the company is, in fact, secure from NotPetya, the company will be much less likely to take a holistic inventory of its readiness for the broader attack vector of ransomware in general and to take the most effective measures to prepare itself against that broader category of attack.

Thus, asking the wrong questions is not merely unhelpful; it can actively complicate the process of most effectively developing a company's cybersecurity posture.

In the CSF implementation tiers, there are four different phases a company can be in: (1) Partial, (2) Risk Informed, (3) Repeatable, and (4) Adaptive. It's important to note that there is no language about secure or insecure; rather, the language centers on an organization's integration of business, risk and cybersecurity. It also accounts for the distinctions between the circumstances and finances of each individual company and affords them some degree of ability to balance the company's financial means against its cybersecurity needs.

Cybersecurity postures for risk management

The CSF implementation tiers represent a spectrum of possible cybersecurity postures. At one end of the spectrum is the Partial tier, which generally encompasses those companies that deal with cybersecurity on an ad hoc basis, with a limited general awareness of cyberrisk and its potential impact on their business.

In these circumstances, cybersecurity is dealt with on a break-fix basis, meaning that it is addressed only when something has broken down and the company has discovered that it has been compromised. Companies in this stage fail to engage effectively with the risks they face and to position themselves to recover effectively once an incident has occurred.

The second tier, Risk Informed, takes a slight step up from Partial: an organization may not have thoroughly formalized its practices, but it is beginning to conceptualize cybersecurity as a process rather than a break-fix binary, and to recognize the essential fact that cybersecurity is a relevant consideration for the organization.

The Repeatable tier takes this a step further, indicating that the company has formalized these processes and that they are regularly updated based on developments in the cybersecurity landscape. It includes a meaningful degree of buy-in from corporate decision makers and meaningful training and preparation for staff.

Finally, the Adaptive tier is achieved once a company has robust and regularly verified and validated cybersecurity processes, procedures, and technologies. Cybersecurity has become an element of company culture and is regularly updated based on developments in the landscape and on predictive indicators that are tailored to the specifics of the company.

Nimbly respond to broad spectrum of risks

There are many lessons to be learned from analyzing the CSF implementation tiers, from direct management involvement and oversight, to developing cultural awareness, to the adoption of policies, procedures and technologies, but what is most important are the words that are not included in the tiers: secure, defensible, threat elimination. These are absent because a robust, well managed, and carefully considered cybersecurity posture does not seek to achieve absolute security, because that is an impossible goal. Rather, such a policy seeks to ensure that an organization can nimbly and effectively respond to a broad spectrum of cybersecurity threats.

To pull from the age-old fable of the willow and the oak, if an organization seeks to stiffly apply specific controls, it will inevitably be felled, whether by a newly emerging threat or some other instance of failure. If, however, a company is able to adapt and apply cybersecurity principles dynamically, throughout the entire enterprise, it will be able to weather the storm.

For a further illustration of this point, one need only look at the titles of the CSF implementation tiers: the highest tier is Adaptive, meaning that an ideal posture is one that recognizes the ever-changing landscape of cyberthreats and can internalize the evolution of the threat environment, apply it to its own unique context, and nimbly adapt and react to these developments at the institutional level.

'Loaded issue'

Cybersecurity can often be a loaded issue that pulls from a wide variety of elements within an organization. It implicates everyone from the directors and managers to the technicians and employees. Directors are often charged with oversight of this process, which does require careful attention, but this detail-oriented approach sometimes risks missing the forest for the trees. To prevent this, it is essential to clearly conceptualize the goals of a “good” cybersecurity program.

The CSF implementation tiers are by no means the only tool available to help understand these goals, but they do present a coherent, logical and understandable framework for setting goals at a macro level for one's organization.

Barry and Benjamin Dynkin are co-executive directors of the American Cybersecurity Institute and co-founders of Atlas Cybersecurity.

© 2024 ALM Global, LLC, All Rights Reserved.