Tuesday, December 17, 2013

Whitsitt on What's Up with the NIST CSF

Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.

Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.

I particularly like that he begins with a 15 point description of the "problem space", something that might have helped the CSF initiative itself get off to a better start. Points 1-3 establish an overall tone of realism that includes references to money and outcomes:
  1. We are failing at cybersecurity
  2. We are investing heavily in cyber security
  3. Our organizations are getting breached at unacceptable rates
Doesn't sound like a status quo anyone interested in national security would want to maintain much longer. Or the CEO of large power company, for that matter.

I particularly like point 11, which I'll paraphrase below to suit our purposes:
A more likely way of getting at the cultural and business underpinnings of cyber security would be to start with business outcome objectives and then elicit a framework to meet those objectives. AB - now here's the magic part: Do this while assuming a lack of a dedicated security team and without making references to cyber security specific technologies. 
As Jack continues, this allows the discussions to remain in plain-English business language, which means the business folks, advocating for their business objectives, remain active participants in the conversation and the solution formulation process throughout.

There is a ton more to like in his comprehensive treatment of the subject matter.  You'll find the full piece, "My comments to NIST on the Preliminary Cybersecurity Framework" right HERE.

No comments: