Ok, so full disclosure: today’s email is a bit of a rant…
…and I know that you might be one of those people who aren’t all that fond of my rants, so I’m telling you UP FRONT so you have the opportunity to DELETE IT NOW, go drink some tequila and scroll through the echo chamber of Twitter political opinion instead.
Don’t say I didn’t warn you…
Technologists – and by association, security people – love frameworks.
We love them.
No, seriously…we do.
Have you seen how many of them we’ve created?
We HAVE to love them, because otherwise, we wouldn’t spend so much time and energy creating them only to have someone else with a different perspective on the problem come along the VERY NEXT DAY and come up with the super-duper, unbelievably improved version of whatever framework it is we were working on last week.
But, secretly, or maybe not so secretly, we HATE them too…all at the same time.
I suppose it’s a kind of karmic balance, Zen thing.
But after spending the last 3 days up to my eyeballs (again) in the NIST NICE (what an acronym, BTW) cybersecurity workforce framework…
I can assure you, it’s anything but.
In fact, showing my midwestern, born-on-a-farm-and-grew-up-with-livestock roots, there’s a particular phrase that came to mind after spending some quality time trying to figure out how you might beat it into submission and use it for some of the things I’ve heard some of our customers (and some CISOs) say it could be used for—helping untangle the cybersecurity hiring problem.
And that phrase is…
“Worthless as tits on a boar hog.”
That’s right.
If you want a list of every possible thing the US cybersecurity community could be doing (the tasks) and what those people might need to know (the KSA list), then, yeah…it’s a fine place to start.
However…
If you wanted to use it to try and evaluate – or, God forbid, PLAN – the structure of your security team, then we’re back to the East-Central Illinois colloquialism above.
And the reason I say that is the one that finally clicked for me as to why everyone has this love-hate relationship with frameworks:
Because a framework without a process might be pretty…
…but it’s also pretty useless.
Sure, you can use it as a source of whatever it is you’re trying to prove to someone because, after all, it’s a “framework” (ooooohhhhhh), and it’s been endorsed by XYZ body/agency/industry/company/non-profit/cult/fanboy society…
But you can’t integrate it with anything that actually matters until you figure out how it works with A process or, ideally, YOUR process…
…if you have one.
So the fallacy is that “we’ll just adopt this framework and everything will be sunshine and rose petals, with palm fronds and Bon-Bons for EVERYONE” because…
…that’s right…
…it’s a FRAMEWORK.
How screwed up is that?
Half of the word “framework” is the word “work”—which is what you need to do if you want to get any value out of the damn thing.
But…who has time?
Who has time to figure out what the framework really is supposed to cover, how it’s supposed to be applied and then map it into the existing organizational processes, governance model and the who-does-what of the detailed roles and responsibilities that will actually be required for it to deliver more than a blip of transient value to your organization?
Do you?
Sure, masochists like me and my ilk love a challenge—and we won’t rest until we’ve hammered it into some kind of shape that fits our view of the world.
…but you?
As a CISO or security architect or manager of a function in security…do you have the luxury of investing that kind of time to hopefully – because it’s not guaranteed – figure out the best way it can be leveraged by YOUR team in YOUR organization?
If you do, then I salute you. You’re in great shape, and you get the Framework Integration Security Merit Badge—in blinking, pink neon, with which you can amaze your friends and colleagues.
But if you don’t, then it might be useful to borrow the mindless machinations it takes to put your average built-by-committee framework into some kind of usable state.
I’ve helped a bunch of our clients and customers do this sort of thing over the years.
Of course, you only have my word for it, and that’s ok. That’s the nature of the industry and the world we live in.
And it’s possible I might be able to help you too…maybe with framework wrangling…maybe with process integration…maybe with security architecture documentation…maybe with stakeholder integration.
The thing is: I just don’t know.
At least, I don’t know until we can get on a call and have a conversation about the problems you’re trying to solve so that you can potentially cast away all the crap you’ve been dealing with:
Maybe it’s lack of engagement and support from management.
Maybe it’s feeling like you’re running on the edge of burnout and you’re not sure what to do.
Maybe you’re facing a hiring and resource problem.
Maybe you’re tired of failed change programs.
Or…maybe it’s nothing like that at all.
However, if you’re facing something you’re not quite sure how to tackle, and you think it’d be good to get some outside advice, then maybe our Effective Security Leadership Program is something that would help.
As you might know, we’ve restructured it and relaunched it last week—and until 11:59pm US/Eastern on the 5th of July, when it explodes like the fireworks the day before, you can save a bunch of money.
So if you’re curious about how it works and the types of things I’ve helped people with in the past – sometimes dramatically transforming the effectiveness of their security programs – then head on over and check out this link:
https://securityleadershipcoaching.com.
The link is a “no framework” zone.
Those come later, when we’re trying to figure out the best way for you to solve the problems you face so you can sink some of those problems that may be trying to sink you.
Let’s chat. You never know what might be possible.
Cheers,
ast
—
Andrew S. Townley
Archistry Chief Executive