Jack Whitsitt’s great new #NISTCSF B-side looks much better than the NIST effort, but it also has, at least in my view, one glaring issue. It places risk management in the wrong section, and thus it propagates the notion that risk management is a reactive function delegated to a tactical area of the organisation.
What I like about the framework:
- it includes the business objectives as the driver and the framing of the work
- it puts external environment where it sits: atop most other things
- it shows that security, whilst important, isn’t the guiding force but just another sub-component
- it is simple yet powerful
What I don’t like about the framework:
- it puts risk management as a sub-component at the bleeding edge; it definitely does not belong there
- it automatically puts people in the “read top-to-bottom” mode, and makes it hard to show that each component directly influences all others
- it links culture with the socialisation sub-component; they’re related, but they work at different levels
Overall it’s a great start, and as Jack already said, it needs to be reviewed, rehashed, commented on and finally shared widely in order to do what it was meant to do: help organisations improve their cyber security posture.