As you may have heard, I’ll be teaching a cybersecurity framework class around the country this year. It will be fun, educational, practical, and unique. I’m going to try to open the two-day class with a LEGO exercise, and we’ll close with a day-long practical workshop where we solve a problem or two with a customized integration of existing frameworks. In between, we’ll talk about the theory of security, the theory of frameworks, and do deep dives into the ES-C2M2 and the new NIST Cybersecurity Framework (#NISTCSF). If this sounds worthwhile – and I promise it will be to techies, executives, and in-between – check out the detailed description here and look for a class near you here. In the meantime, as a teaser, here’s one of the diagrams I’m working on for the class. It’s a parasitic model of security that tries to communicate that security is neither about technology nor can its sustained improvement be effectively modeled in terms of “incidents”.