You are currently browsing the monthly archive for February 2014.

This is OVER but you can see the recording HERE:


Interested in hearing a more lengthy – and more frank – NIST Framework discussion that also includes both historical context and REAL security discussion? Join me as my employer and I host a webinar March 5, 2014 at 1pm ET.

Registration is HERE.

The official description follows this blurb, but you should also know that in addition to the usual Energysec community, I’m also going to try to aim this webinar at groups like IATC (I Am The Cavalry) and NovaHackers. As such, not only will I run down my written framework assessments in more detail, but I’m also going to try to help these other communities understand the levers the framework uses, the state of the dialogue that led to it, and how to get engaged in the ongoing process. Please come prepared to hear more than you will elsewhere. Some pre-reading, if you are so inclined, can be found in my comments on the preliminary draft HERE.

Interpretations and Forecasts: Looking Beyond Rumors, Myths and Misunderstandings About the New NIST Cybersecurity Framework

On February 12, 2014 the White House released the first version of the NIST Cybersecurity Framework. NIST was directed to create this framework in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Since the preliminary framework was released last October, many rumors have been going around about what the framework is or is not. Additionally, a number of organizations have been making what we believe will likely turn out to be inaccurate representations about how the framework should be used and what expectations will be surrounding it.
In this webinar, we will explore a number of the more common scenarios we’ve heard recently and attempt to provide educated but unaffiliated realism around the document, its uses, its gaps, and what’s going to happen moving forward.
While this will be an editorial webinar, and we cannot claim to represent an official stance on anyone’s behalf, we believe our experience in this area and lack of vested interest will provide attendees with the tools – lenses, if you will – with which to better interpret what you hear from other third parties.

Well. Long overdue, but here nonetheless, is the next draft of my NIST Cybersecurity Framework “B-Sides” (Alternate). It’s just a draft, but it builds on the last one I posted and is designed to provide a much more comprehensive and much more effectively structured beginning to a framework than the one industry created with NIST, DHS, and the White House. It’s also substantially broader and, I think, more effective than some of the other alternatives that have come from industry. It’s not “complete”, but I believe the structure is the key to a successful framework and I think I’m close to nailing it here. Check out the image at the end of this post. You may also want to pre-read THIS:

The framework consists of five components that provide the “Model” elements that go into cybersecurity management at an organizational level:

  1. Business Consequence Framing
  2. External Threat Framing
  3. Business Vulnerability Introduction Assessment
  4. Business Quality Management
  5. Cyber Vector Control

Each of these components is co-dependent on the others in assuring that cybersecurity is effectively managed. They will each contain sub-elements that can be attached to specific practices (processes/controllers) and views. (Note: the components are not completely filled in with these sub-elements; they just contain quick SWAGs.)

Of the components, the “Business Vulnerability Introduction Assessment” is the most notable and, in combination with “Business Quality Management”, it represents one of the largest and most meaningful gaps in cybersecurity thinking today, including the #NISTCSF. The premise is that business decisions lead to security vulnerabilities, and that the frequency and type of decisions that introduce vulnerabilities can be identified, quantified, and managed through a quality assurance program. Further, doing so will reduce the business’s exposure surface and allow its cyber security, risk management, and compliance programs to more effectively (with regard to both risk reduction and cost reduction) target areas for specific improvement in a rapidly evolving world.

The Processes (including roles and responsibilities within an organization) by which these model components are executed, and the Views in which the associated information is stored and made available to appropriate stakeholders, will represent two critical but future layers of this framework.

Finally, almost all classic “cybersecurity best practices” such as those existing in NIST 800-53, the SANS 20, etc. are to be found in the “Security Program” sub-element under “Cyber Vector Control”. This relatively “small” position in the overall framework does not detract from the importance of those best practices – they are, after all, the sharp edge of the sword – but their placement should be a strong message about the amount and type of underlying support from the rest of the organization that is required to make those best practices sustainable, efficient, and effective.

If this seems simple, I’ll grant that. There are YEARS of thought and experience going into distilling a complex topic into what is essentially just five boxes. But if that seems obvious or innocuous, I’ll disagree. There are *many* layers of complexity supporting this model, explaining why it’s framed this way and not another, and (more importantly) still more layers of complexity that this model **will enable** through its simplicity. You can find the older draft HERE.



1. SV said: “it puts risk management as a sub-component at the bleeding edge; it definitely does not belong there”. I responded with:

I would not categorize the bottom element as the bleeding edge. Instead, it is the edge that steers the ship and that gets things done. It loops back and informs the very top of the stack – the intersection of strategy and environment. Further, and this is a critical point for me, you can have risk management without the other elements happening, but it won’t be very good risk management. Think of it like a sports team. You can get a bunch of people off the street, teach them the rules, and they’ll play a game. But if you want them to win, they need to run laps. Practice with the ball. Play as a team effectively in practice. In other words, they need to have discipline and be conditioned. The other elements – Business Consequence Framing, External Threat Framing, Decision-Vulnerability Introduction Assessment, and Business Quality Management – are the fundamental elements that allow the organization to not only more effectively inform risk management, but also to more effectively take advantage of the benefits of risk management in a way that allows it to pivot toward and address prioritized threats. Again, how these place relative to each other in an organization is another “View” of the framework that is not complete or shown here.

I just wrote up the following for someone in the Communications Sector. It’s entirely stream-of-consciousness and unedited, so forgive the language and grammar shoddiness, but as far as content goes, I think it sums up very well how I think of cybersecurity at an organizational (as opposed to industry/sector/national) level right now:

The vulnerabilities hackers exploit are created in the design, implementation, operation, or control of your business’s strategy, resource allocation, capability maturity, and value chain. These vulnerabilities, created by your business decisions, allow hackers to repurpose your business and infrastructure – in part or entirely – to their own ends.

Therefore, cybersecurity can be said to be “The management of all business decisions made by your organization in a way which will inhibit malicious actors from using technology to repurpose your infrastructure or value chain for their own ends.”

While much of the focus on security has been on security-specific controls and roles, those controls and roles only help to temporarily mitigate security problems. True improvement in effectiveness and lowered costs will only come if the rest of the business manages decisions in a way that reduces the number of business and technological vulnerabilities that your security programs must account for. These vulnerabilities can be introduced in typically “non-security” areas of your business such as product release timing, IT product selection, change management discipline, cross-team communication, business process design, policy compliance culture, and service and product feature selection.

And so, use of security frameworks such as the new NIST Voluntary Framework, while important, only accounts for security control at one layer of several interdependent layers of control and will not, by itself, successfully protect your organization. Business leadership priorities, business capability management, business process and IT architecture, operations, education and culture management, and classic “cybersecurity” must be paid equal attention and be tightly integrated.

A tight integration of these areas will not only reduce the overall number of vulnerabilities being introduced that are exploitable by hackers, but will also allow the organization to more effectively identify and pivot toward defending against new threats and attack vectors. Without this overall business maturity, no threat data will ever be actionable, because there is simply too much area for your security teams and programs to cover. However, with the entire business working together to minimize exposure, your security team will be able to use threat-based intelligence from external organizations to help them understand what gaps remain, mitigate those threats in the short term, and then inform business leadership of areas of vulnerability which might require longer-term strategic organizational change to mitigate.

Ultimately, this should be seen as the development of two risk management life cycles: one which looks at long-term threats to your organization resulting from vulnerabilities created by organizational decision making, and another which focuses on short-term tactical threats to your infrastructure. These two risk management life cycles can then inform each other without replacing each other.

In the longer-term business management life cycle, typical “barriers” such as operational, market, consumer, technology and policy considerations should be considered “cybersecurity vulnerabilities” to be managed. Metrics could include such measurements as “number of times a security control was pushed to a later release in order to accommodate product release commitments made by marketing.” Security improvement initiatives could then focus on changing organizational processes and decision making to the point where product release commitments and security control introduction are in conflict less often.

Per my last post, I’ll be at the White House today for the rollout of the NIST Voluntary Cybersecurity Framework that many of us worked on last year. You can see it live today at 1pm here:

Also, I’ve been working on my alternate version, which will cover the 80% of the space that the NIST-facilitated framework doesn’t. In particular, I’m focusing on the environment that leads to security. My framework will help minimize the space your security teams have to cover by addressing how and where the business vulnerabilities that lead to technical vulnerabilities are introduced. This approach should both reduce security program costs and make those programs more effective. Expect a draft this week.

I got this yesterday!

You are invited to an event at the White House on Wednesday, February 12, at 1:00 p.m. for the release of the National Institute of Standards and Technology (NIST) voluntary Cybersecurity Framework.  This date marks the one year anniversary of Executive Order 13636, which tasked NIST to convene the private sector to develop this Framework.

We deeply appreciate your leadership in our shared efforts to improve critical infrastructure cybersecurity and would like to offer you the opportunity to attend this event.

Upon receipt of your RSVP, we will follow up with additional logistical information and specific arrival details. This invitation is non-transferable.

We hope that you will join us for this important event.

Thank you,

J. Michael Daniel

Special Assistant to the President & Cybersecurity Coordinator

National Security Council

The White House
