So, I’ve recently written up two separate pieces talking about business security, frameworks, and cybersecurity. One is for <UNDISCLOSED>, the other is for CForum (hey, I was the next highlighted blog post after Ron Gula’s!). Let me know what you think of them; they’re below. (Also, two posts more directly about the new NIST Framework and the DHS Voluntary Program are HERE and HERE.)


Cybersecurity is, broadly, the enablement of an environment in which business objectives are sustainably achievable in the face of continuous risk resulting from the use of cyber systems.

The risks from using cyber systems usually take the form of actors desiring to use those systems as a means of repurposing business value chains to alter the value produced, inhibit the value produced, or produce new value in support of actor objectives.

Managing these risks involves two focus areas:

  1. Creating a business environment which limits the window of opportunity provided to actors in which to achieve their objectives
  2. Executing a security-specific program that is able to identify, mitigate, and respond to actor activity which occurs within the remaining window of opportunity

Leaving the business environment unmanaged provides a large, continuous window of opportunity which, at best, security-specific programs cannot respond to cost-effectively. At worst, an unmanaged business environment leaves the window of opportunity too wide for security-specific programs to protect, even with excessive financial investment.

On the other hand, no organization can manage its business environment and reduce actor opportunities sufficiently to remove the need for security-specific programs.

Both focus areas must be addressed for sustainable, effective, cost-limited cybersecurity and the NIST Framework can help with both.

Cybersecurity frameworks, generically, may provide business value to an organization in three ways:

  1. Scope and Completeness Assessment
  2. Coverage Validation
  3. Efficacy Testing

In the case of security-specific programs, the NIST Framework can be used directly as a positive model for determining program scope and completeness; it can, using the tier model, be augmented with additional information to assist with security program coverage validation; and it can play a role within a larger model in testing the efficacy of security program efforts.

Within the business environment focus area, the NIST Framework can also play a supporting role as a negative model to help determine areas which must be better controlled by the business before security-specific programs can effectively manage residual cybersecurity risk flowing down from that environment.

While XYZ is focusing specifically on the former, security-program specific, focus area, its resulting efforts can, with forethought, go a long way to providing a foundation for the less-well explored area of cybersecurity risk reduction through business environment management and lead us toward the kind of comprehensive cybersecurity risk management approaches that will, over time, reduce our risk across organizations, the sector, and the nation sustainably, cost effectively, and independent of increases in complexity and changes in actor behavior.


What’s next? 

This is a question on all of our minds – not just for the Framework but also cybersecurity more generally.

Executives have started to get on board, the press is paying attention, manufacturers are starting to include security in their ICS products, and grass-roots organizations such as I Am The Cavalry and others are forming to help move automotive and medical device security forward. The White House has issued the Executive Order, Congressional staff discuss cybersecurity regularly, together we have created a common-practice consensus “flag” with the NIST Framework, and this very forum now exists to help us collaborate more effectively.

So, how do we use this momentum to continue to move forward coherently toward sustained risk reduction?

I’ve heard a lot of good ideas here, at the 6th NIST workshop, and in many other venues about what to do next, but a lot of these ideas, thrown up into the air, fall down with no structure to catch them. There is no bigger picture into which to slot next step ideas and see how they relate to past work, need, and each other.

Without such a common reference structure, making progress from here on out will be increasingly difficult and I believe we need to learn from the very recently successful past and build a framework to do so.

The new framework I’m envisioning would, far from being a “2.0” of what we’ve already built, have a completely different goal. Instead of collecting and organizing common solution elements into a document, this framework would identify the types of problems we face doing business in a hostile, ICT (Information and Communication Technology) enabled world and provide a context in which to organize the existing NIST Framework solutions.

In other words, if we identify a common language and reference for the “cybersecurity problem space” – especially the areas outside of the CISO organization – it should be much easier to go back, find out where the Framework excels, where it needs help, and where it simply does not apply and, from there, allow us to organize future efforts effectively and sustainably.

Maybe we should have done this earlier, but maybe it took creating a Common Practice Framework to highlight the need to go back and create a “Problem Space Framework”. How many of us have looked at strategy documents that said things like “Will reduce cyber attacks” or “Improve Cybersecurity” and thought “But wait, what does that mean?” Shouldn’t there be goals, or non-security objectives for security to help frame, limit, and shape our efforts to some productive end?

When the executive order came out and I heard about how the NIST Framework was going to be used to support “Performance Objectives”, I thought, “Great! Finally, we’re going to have the electrical current that non-security-activity goals provide to security activities to drive them to defined, implementable, and effective ends”.

Unfortunately, that doesn’t seem to be happening and there doesn’t seem to be consensus that that was even the original intent. But that doesn’t mean we don’t still need to create that organizing current around security activities.

The “Tier” concept in the existing framework, as incomplete as it is, definitely speaks to the need for the application of a maturity model to what we’re doing, but even maturity models need to exist inside a larger context of “Why?” that is framed by all of the ways organizations – and those who work for them – introduce risk. If we don’t have a framework for risk introduction in a broad business and national context, how will we ever be able to tell ourselves, each other, our customers, or anyone else that we’ve applied the NIST Framework in some legitimately effective or helpful way?

This shouldn’t be a hard problem to solve. As with the Common Practices in the NIST Framework, we’re in a situation where a lot of different people have very different but valid views into the cybersecurity problem space. The material and knowledge exists, we just need to gather it, write it down, gain consensus, and begin to apply it.

From my own point of view, I think this begins by identifying (and documenting) how the major, common roles within organizations (and of organizations) introduce cybersecurity risk through legitimate, authorized means in the course of doing business. If we can nail this down across the entire business value chain – from Boards and CEOs to CFOs to Operations Managers to IT to Procurement to Sales and Marketing to HR to Industry Partners to Insurance Companies to Regulators all the way to the CISO shops that the NIST Framework already assumes solutions for – we will have a much better understanding of what we’re solving for. This is because our cybersecurity risk profiles are, when it comes down to real root causes, exclusively the result of the series of decisions made by people in legitimate, authorized capacities.

Whether or not those decisions are in your sphere of influence, knowing how they are influencing your cybersecurity risk profile over time is the first step in determining how to most effectively apply the controls from the existing NIST Framework. From there, that knowledge can be applied to contextualizing the maturity levels in models like the ES-C2M2 in a way that provides “Management Metrics” to those responsible for managing organizational behavior, and those maturity levels can then guide the scope, goals, metrics, and placement of the controls that exist in the NIST Framework.

Beyond the tactical benefits of the knowledge such a framework would give us, our ability to act strategically will improve. If we know how our CEOs and those who work for them are introducing risk, if we can find commonalities across organizations, then we can describe the goals, effectiveness, and mitigating controls in terms that are much less dependent on far too rapidly changing technology and external threat actors. This would provide a much more stable platform over time from which to begin doing sustainably successful risk management, maturity modeling, and NIST Framework implementation and adoption.

That said, this is just one way we might go about creating a “Problem Space Framework” – there are others. Regardless of which one we choose, I strongly believe building one will clarify, speed up, and make our way forward much more effective at reducing risks created by the use and operation of ICTs.

“Maintain a positive relationship with the risk of oppositional forces acting against your interests that is agile in bringing appropriate resources to bear and independent of change, complexity, escalating pressure, technology, business strategy changes, and specific oppositional actions across all elements of your value chain while minimizing the involvement and role of dedicated security personnel and technology in achieving that relationship and emphasizing the role other business elements play in introducing and managing cyber risk. ” With maybe less awkward wording (it’s really bad), what do you think?

And, some (very incomplete) thoughts on problem spaces which need work to do the above successfully (possibly, problem spaces to be solved to derive tactics?):

  • Identify *specific* manners in which decision making across the organization defines (not just affects) security
  • Enhance ability to express coherent business-security policy through technology sustainably, effectively, efficiently
  • Limit knowledge, skill, time required to do all of the above
  • Integrate perspectives across national enterprise (i.e., soften/remove classic business boundaries)
  • Effectively link human and technological systems into a common system which can be spoken to by a common policy
  • Identify and measure indicators which provide visibility into non-security organizational behavior that results in desired security state independently of security-specific activities

This is an event reporting format I played with at EnergySec. It’s meant to capture specific detail while at the same time clearly conveying areas of concern quickly and to less technical audiences. It is a non-standard format and does not attempt to play with other efforts at all, but I thought maybe readers might get something out of it.


    So, since several people who haven’t had a chance to hear me go on about it in person have asked (in concern) about my “Hey, I’m going to be indefinitely and intentionally homeless starting in August, yay!” posts (most notably my dad heh), I thought I’d explain a little (if still not enough) here:

    By August 1 I will, for all intents and purposes and unless something WILDLY unexpected blows up, have absolutely no obligations whatsoever beyond my job, which will by then be location-independent (for a while). I’ve never actually, as an adult, not had obligations. Most people haven’t, and it’s kind of a neat opportunity. I’d be terribly remiss (and a bit chicken!) if I didn’t take advantage of the freedom while I have it, so I’m going to.  I’ve mentioned several possible scenarios, but the main point is that I’ll really, with the exception of August, leave absolutely every possibility open until the last minute.  For example, I REALLY want to go back to Phnom Penh in Cambodia. I loved that city. But I also want to bike/hike/camp around for a bit. I’ve been meaning to for years; I had SOME plans last year which fell through, primarily because of gout, so why not now? Etc. Etc. Etc. What would YOU do if you didn’t have to be anywhere in particular for a year or longer? Not “sit in a perfectly typical looking apartment in a city you’ve lived in for 10 years,” probably. Well, I wouldn’t. I won’t! But I won’t know what that looks like till I get there. :)

    I also want to take some time to develop some of my art and explore some other potential career options…I’ve developed some skills that could turn into an actual NON-computer career if properly nurtured…and god knows I’m sick of looking at freaking computers.  But, that said, within my career space – specifically cybersecurity – I’ll not only still be running workshops, training, and writing for EnergySec (who are awesome), but I’ll also be VERY MUCH AVAILABLE for independent strategic cybersecurity consulting, workshop participation & conference speaking, training, and writing gigs that fall outside of EnergySec’s scope.  I can travel to you. :) Email me? My quality is high, my rates will be low <smile>.

    I realize that there are plenty of clichés about “going to find yourself,” but this is significantly more concretely and specifically driven than that.  For example, I genuinely don’t like living in one place, in one apartment. It’s claustrophobic for me. So, I’m not going to if I don’t have to.  At least until I get bored or something external forces me to stop. I might write up something longer about the internal motivations, but for now I think you get the idea.

    Sooo... that all said, what are my concrete plans? Here’s a schedule of what I know:


    EDIT FROM OLD: These Plans Have been Updated (Although Remain Thematically Similar). See:

    Imagine that:

    • Cybersecurity is a never-ending chess game
    • Your pawns are your cybersecurity capabilities
    • Your named pieces are the rest of your business capabilities
    • Your infrastructure is only the board and provides no inherent (or strategically relevant) defensive capability
    • Your business is controlled by those pieces on your side of the board
    • There are many players – nations, criminal gangs, auditors, competitors and others
    • Their goal is control of your business by outmaneuvering your pieces, not taking them
    • These players’ infrastructure is also part of the board
    • You can’t always identify who made which move or whether a move was made at all
    • Your competitors cannot lose
    • You cannot win, you can only either limit the amount of time your competitors control your side of the board or convince your opponents to invest fewer resources in the cyber game
    • All past, present, and future APT1 activity is a single move by a single player
    • And this chess game connects to all of the non-cyber games as well


    China: “My move is to use my military to employ semi-autonomous actors in an ambiguous way that will look like they’re just going for the 3rd row of the board, but I hope you won’t notice that it’s really to tie up your pawns (security capabilities) and misdirect/abuse your named pieces (business capabilities) in a way that will allow my other pieces to reach your side of the board in 2 moves, so that I can influence your business’s behavior in a way that will create LONG TERM economic instability in an area important to the other geopolitical chess games I’m playing.”


    APT1 is a tactic – a means to a larger end. Whether China breaks into a given piece of infrastructure on a given day in a given way is irrelevant. Similarly, “regularly and consistently apply patches” is a tactic – a move – with a pawn (the security capability) that may have to move differently later (revamp patching) to counter oppositional moves. This is as independent of a given system/vulnerability combination as the Chinese-Ops-Capability is when it decides to engage in APT1 activities over time (a single move) to create space for Chinese-Secret-Capability to make a “utilize sabotage activities” move if it needs to. A good question to ask here is: what are your named pieces doing? (Your CEOs, your COOs, your CFOs, your sales teams, your marketing teams?) Are they proactively being used to strategically minimize access to your side of the board, or are you relying on the limited tactical strength of your pawns (security capabilities) to do all the work?

    It’s worth noting that the competition isn’t trying to break into your infrastructure; it’s trying to strategically create value for itself from your business using your infrastructure over time.  Individual attacks (past or potential), attack mechanisms, and even technical vulnerability classes are not meaningful in terms of the kind of risk management required to inform strategy at this level. Here, under these rules, the things we do, both technically and from a risk management perspective, become very different.  Instead of saying “Ok, we need to protect against… APT… and we need to protect against… the possibility of a DDoS attack…”, we should instead be asking “how do we optimize decision making in a way that will minimize the ability of others to manipulate our business in the most sustainable, cost-effective way?”

    And that leads to…that thing everyone says we need but can’t articulate in concrete terms: sustained strategic resilience :)

    So…ask yourself:

    How well is your organization playing? Does it even know these are the rules?



    Here is the actual slideshow from the #NISTCSF Webinar I did:

    The recording of the webinar is here:

    About Me

    Jack Whitsitt

    National Cyber Security. Risk. Multi-Dimensional Rainbows. Maker of conceptual lenses. Artist. Facilitator. Educator. Past/Future Vagabond. Drinks Unicorn Tears.