Which cybersecurity-related activities are most important to your business strategy and critical service delivery? How do you assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices? To answer these questions and build excellence in your cybersecurity risk management system, consider a self-assessment with a new tool called the Baldrige Cybersecurity Excellence Builder.

Organizations of all types are becoming more vulnerable to cyber threats due to their increasing dependence on computers, networks, programs, and applications, social media, and data. Security breaches can negatively impact organizations and their workforce, customers, and other stakeholders, with both financial and reputational damage potentially lasting many years. Balancing the conflicting demands of connectivity and accessibility with security, reliability, and confidentiality means that risk management and measuring the effectiveness of cybersecurity practices is critical.

And the situation is only going to get worse as the internet of things (IoT)becomes more critical for business owners to understand—and act on. “The internet of things is the encapsulation of the next-generation technologies that will touch nearly all facets of our day-to-day lives,” writes Chester Kennedy, CEO of the International Consortium for Advanced Manufacturing Research. “The arrival of the sensor era is happening at a frenetic pace.”

The Baldrige Cybersecurity Excellence Builder tool enables organizations to better understand and improve the effectiveness of their cybersecurity risk-management efforts in light of these new vulnerabilities. This voluntary self-assessment tool is based on the detailed Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), managed by the National Institute of Standards and Technology (NIST) Information Technology Laboratory, Applied Cybersecurity Division, and the Baldrige Excellence Framework, developed by the Baldrige Performance Excellence Program.

What makes the Builder different from various other self-assessment tools? By combining concepts in the Cybersecurity Framework and the Baldrige Framework, it:
• Focuses on how your management of cybersecurity risk affects and is affected by every part of your organization—your leaders and their actions, your strategy, your customers, and your workforce, as well as your cybersecurity operations. Thus, your organization is encouraged to develop integrated cyber-related approaches that are aligned with its needs in all these areas.
• Focuses on measuring the effectiveness and efficiency of your cybersecurity-related approaches in all areas of your organization and on evaluating the results they achieve. This helps you to recognize the cause-and-effect links between your approaches and your cybersecurity-related results.
• Serves as a “door” to the comprehensive standards, guidelines, practices, and references in the Cybersecurity Framework, and helps you assess how effectively you are using it.
• Is adaptable and scalable. It can be used whether your organization is small or large; is involved in service, manufacturing, government or nonprofit activities, healthcare, or education; or has one office or multiple sites across the globe. It is most valuable as a voluntary assessment of an entire organization’s cybersecurity risk-management program, but it is also useful in assessing a subunit, multiple subunits, or parts of an organization.

The Builder includes an “Organizational Context” section and six interrelated process categories and a results category:
• Leadership
• Strategy
• Customers
• Measurement, analysis, and knowledge
• Management
• Workforce
• Operations
• Results

By challenging yourself with the questions that make up the Builder, you explore how you are accomplishing what is important to your organization’s cybersecurity risk-management system.

Use the Builder to achieve the following:
• Improve communication. The Builder can help by creating a common language for assessment and improvement of your cybersecurity risk-management system.
• Conduct an initial assessment by answering the questions in the “Organizational Context” section. If you identify topics for which conflicting, little, or no information is available, use these topics for action planning.
• Conduct a full self-assessment of your cybersecurity risk-management system.
• Apply the assessment rubric to determine whether your organization’s cybersecurity maturity level is reactive, early, mature, or role model. The completed evaluation can lead to an action plan for implementing improvements.

To learn more:
• Download the Baldrige Cybersecurity Excellence Builder.
• Read the FAQs about the Baldrige Cybersecurity Initiative.
• Learn more about the NIST Cybersecurity Framework and its voluntary guidance, based on existing standards, guidelines, and practices.
• Ask questions of the Baldrige Program (301–975–2036; baldrige@nist.gov).

If you use the Builder, we invite you to submit lessons learned and comments here.