Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.
I particularly like that he begins with a 15-point description of the "problem space", something that might have helped the CSF initiative itself get off to a better start. Points 1-3 establish an overall tone of realism that includes references to money and outcomes:
- We are failing at cybersecurity
- We are investing heavily in cyber security
- Our organizations are getting breached at unacceptable rates
I particularly like point 11, which I'll paraphrase below to suit our purposes:
A more likely way of getting at the cultural and business underpinnings of cyber security would be to start with business outcome objectives and then elicit a framework to meet those objectives. AB - now here's the magic part: do this while assuming a lack of a dedicated security team and without making references to cyber security specific technologies. As Jack continues, this allows the discussions to remain in plain-English business language, which means the business folks, advocating for their business objectives, remain active participants in the conversation and the solution formulation process throughout.
There is a ton more to like in his comprehensive treatment of the subject matter. You'll find the full piece, "My comments to NIST on the Preliminary Cybersecurity Framework" right HERE.