Archistry

Survivability by Design™ since 2006


February 18, 2020

Don’t fear the framework

One thing we can pretty much count on is that wherever we may find ourselves trying to do security architecture, the organization is going to have some kind of framework it’s using for delivering security. And one of the most popular of these frameworks is…

…you guessed it—the NIST Cybersecurity Framework.

Now, the whole “it’s just an over-blown control library” argument aside for a moment, let’s look at what it really says. What it says is that it provides:

“a common taxonomy and mechanism for organizations to:

  1. describe their current cybersecurity posture; 
  2. describe their target state for cybersecurity;
  3. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 
  4. assess progress towards the target state; [and]
  5. Communicate among internal and external stakeholders about cybersecurity risk.”

So basically, it even comes out and says that the whole of the framework core “is a set of cybersecurity activities, desired outcomes, and applicable references.”

…which also means, BYO architecture, BTW. Because, in fact, the word “architecture” isn’t even mentioned one single time within the whole document.

Now some would look at this as a bad thing. Others – the crazy people like me – say that there’s an inherent architecture defined implicitly within it anyway, and we might want to actually pay attention to that before we go blindly trying to bolt it into our way of looking at security in our organization.

Or…you can take the view that, “If we ain’t got nuthin’ today, then why not pick up something that at least will sound good when we talk about what we’re doing to the auditors.”

Hypothetically, of course.

But, in fact, it’s actually a good thing—at least if you’re trying to integrate it into a real, business-driven security architecture (where architecture means more than just the layout and deployment schematics of the technical control implementations you already have). And it’s a good thing because all those activities, mechanisms and desired outcomes…

…are just sun-ripened requirements, waiting to be plucked from the branches of the holy Five Concurrent and Continuous Functions of the Framework Core.

So demonstrating you’re following along with the NIST CSF – or any other framework – shouldn’t be a fear-inspiring activity. In fact, it can become as dull, boring and automatic as simply turning the crank on one of the most important skills we’re going to talk about starting in week 2 of the Building Effective Security Architectures program that will kick off on the 24th of February.

Now, ordinarily, “dull, boring and automatic” wouldn’t be words you’d want to use to describe the work that you do every day as an architect. However, if you can turn the bulk of this particular exercise into something that’s not only mindless and boring…

…but that’s also as easy as falling off a log…

…then that gives you the chance to save a bunch of time, energy and mental capacity for figuring out how to do your real job:

Keeping the organization safe to do whatever it is it really does.

And the very best part is that once you master this key practice of The Agile Security System™, it means that you’re ready to not only embrace the inevitable change of framework fashion, but you can also apply it to anything else anyone decides to throw at you…

…like a little thing called GDPR…

…or HIPAA…

…or SOX…

…or the-next-major-angst-inspiring-legislative-order someone decides would be a fine cat to throw amongst the pigeons.

But before you can haughtily laugh in the face of frameworks, regulations and laws because you don’t have to fear them any longer…

…you’ve gotta be able to automatically apply the critical skill we introduce in Module 1 and then practice for the following 6 weeks to the point where it – in fact – really does become a habit.

What’s that skill?

Why not join the cohort and find out?

I know it made a difference to people when I first started teaching it as part of the way I delivered the official SABSA Foundation training, and I also know that with the advent of The Agile Security System, it’s now 100 times easier to learn than it was before.

Here’s the link if you’re ready to join us on February 24th:

https://archistry.com/besa

Just don’t wait too long to make the decision, because there are only 7 days left before the registration reaper appears and snuffs out the candles, Blue Öyster Cult style.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, BESA, SABSA, Security Architecture, Standards and Frameworks
