Well. Long overdue, but here nonetheless, is the next draft of my NIST Cybersecurity Framework “B-Sides” (Alternate). It’s just a draft, but it builds on the last one I posted and is designed to provide a much more comprehensive and much more effectively structured beginning to a framework than the one industry created with NIST, DHS, and the White House. It’s also substantially broader and, I think, more effective than some of the other alternatives that have come from industry. It’s not “complete”, but I believe the structure is the key to a successful framework and I think I’m close to nailing it here. Check out the image at the end of this post. You may also want to pre-read THIS:
The framework consists of five components that provide the “Model” elements of cybersecurity management at an organizational level:
- Business Consequence Framing
- External Threat Framing
- Business Vulnerability Introduction Assessment
- Business Quality Management
- Cyber Vector Control
Each of these components is co-dependent on the others in assuring that cybersecurity is effectively managed. Each will contain sub-elements that can be attached to specific practices (processes/controllers) and views. (Note: the components are not completely filled in with these sub-elements; for now they contain only quick swags.)
Of the components, the “Business Vulnerability Introduction Assessment” is the most notable and, in combination with “Business Quality Management”, it represents one of the largest and most meaningful gaps in cybersecurity thinking today, including in the #NISTCSF. The premise is that business decisions lead to security vulnerabilities, and that the frequency and type of decisions that introduce vulnerabilities can be identified, quantified, and managed through a quality assurance program. Further, doing so will reduce the business’s exposure surface and allow its cybersecurity, risk management, and compliance programs to more effectively (with regard to both risk reduction and cost reduction) target areas for specific improvement in a rapidly evolving world.
The Processes (including roles and responsibilities within an organization) by which these model components are executed, and the Views in which the associated information is stored and made available to appropriate stakeholders, will represent two critical but future layers of this framework.
Finally, almost all classic “cybersecurity best practices” such as those existing in NIST 800-53, the SANS 20, etc. are to be found in the “Security Program” sub-element under “Cyber Vector Control”. This relatively “small” position in the overall framework does not detract from the importance of those best practices – they are, after all, the sharp edge of the sword – but their placement should be a strong message about the amount and type of underlying support from the rest of the organization that is required to make those best practices sustainable, efficient, and effective.
If this seems simple, I’ll grant that. There are YEARS of thought and experience going into distilling a complex topic into what is essentially just 5 boxes. But, if that seems obvious or innocuous, I’ll disagree. There are *many* layers of complexity supporting this model, why it’s framed this way and not another, and (more importantly) still more layers of complexity that this model **will enable** through its simplicity. You can find the older draft HERE
HERE BEGIN MY RESPONSES TO COMMENTS SO FAR THAT ARE ILLUMINATING
1. SV Said: “it puts risk management as a sub-component at the bleeding edge; it definitely does not belong there”. I responded with:
I would not categorize the bottom element as the bleeding edge. Instead, it is the edge that steers the ship and that gets things done. It loops back and informs the very top of the stack – the intersection of strategy and environment. Further, and this is a critical point for me, you can have risk management without the other elements happening, but it won’t be very good risk management. Think of it like a sports team. You can get a bunch of people off the street, teach them the rules, and they’ll play a game. But if you want them to win, they need to run laps. Practice with the ball. Play as a team effectively in practice. In other words, they need to have discipline and be conditioned. The other elements – Business Consequence Framing, External Threat Framing, Decision-Vulnerability Introduction Assessment, and Business Quality Management – are the fundamental elements that allow the organization not only to more effectively inform risk management, but also to more effectively take advantage of the benefits of risk management in a way that allows it to pivot toward and address prioritized threats. Again, how these place relative to each other in an organization is another “View” of the framework that is not complete or shown here.