The CSF: Stephen Fry says you’re doing it wrong

So first of all, let me start by saying that I get it that Stephen Fry playing the role of Jeeves from like a billion years ago has nothing to do with anything.  That said, it came up in my google image search for “you’re doing it wrong” while looking for an image to use in conjunction with commenting on people’s use of the NIST CSF.  Frankly, I couldn’t resist: it lured me in almost as much as the giant, comic-themed superhero Stephen Fry from the child rescue alert campaign posters (which I, like the complete rube that I am, stopped to take a photo of when passing by).

Sir Stephen Fry aside, on to the NIST Cybersecurity Framework [note: seriously… I don’t even live in the UK and I’m wondering why no knighthood yet for the institution that he represents.]

I continue to be mystified by the reception of the CSF in industry coupled with the complete failure of most organizations to get the central point of the document.  Here’s the things that we know to be true about the usage of the CSF in industry:

  1. The CSF is all over the place usage-wise.  It’s the ubiquitous, de-facto choice for pretty much anybody when organizing their cybersecurity efforts.  This is true when it comes to planning out their program, assessing what they do, building teams… heck, even education about security is based on the CSF nowadays.
  2. The CSF is, at its core, a document about risk management.
  3. Organizations continue to not perform risk management in any kind of systematic, workmanlike way.  Lack of risk management is the normative case.

Seriously.  At least half of the CSF document itself is specifically about risk management: why it’s important, what it entails, how you’d determine what your relative capability or maturity is of your risk management efforts, how to apply the implementation steps outlined later in light of the risk assessment you’re doing, etc.  This is from the document directly (emphasis mine):

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes…

It goes on to say:

The Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.

So riddle me this…  If an organization says that they are using the CSF, but they also say that they don’t have time to do risk management – what exactly do you suppose they are using the framework for?

Anyone?  As a way to organize their controls?  As a cross-reference?  As a philosophical guide to the ineffable chaos of the world at large?

What exactly is the point of that?  The CSF itself has as a self-stated design goal to provide a “common vocabulary” for security.  Sure, it does that.  Vocabulary achieved.  But doesn’t having a “common vocabulary” imply that, as a next step, people have a conversation about something?  In the case of the CSF, that conversation is supposed to be about risk management — which I still don’t see people doing very well out there.  I suppose I’ll get over it, but the CSF is supposed to be a first step – it’s a means to an end, not the end itself.