{"id":277,"date":"2017-06-07T18:40:06","date_gmt":"2017-06-07T18:40:06","guid":{"rendered":"http:\/\/securitycurve.com\/?p=277"},"modified":"2017-06-07T18:40:06","modified_gmt":"2017-06-07T18:40:06","slug":"the-csf-stephen-fry-says-youre-doing-it-wrong","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=277","title":{"rendered":"The CSF: Stephen Fry says you&#8217;re doing it wrong"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/06\/29bc5tl.png\"><img decoding=\"async\" class=\"alignright size-medium wp-image-278\" src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/06\/29bc5tl-300x225.png\" alt=\"\" width=\"300\" height=\"225\" \/><\/a>So first of all, let me start by saying that I get it that Stephen Fry playing the role of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Jeeves\">Jeeves<\/a> from like a billion years ago has nothing to do with anything. \u00a0That said, it came up in my Google image search for &#8220;you&#8217;re doing it wrong&#8221; while looking for an image to use in conjunction with commenting on people&#8217;s use of the <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf\">NIST CSF<\/a>. 
\u00a0Frankly, I couldn&#8217;t resist: it lured me in almost as much as the giant, <a href=\"https:\/\/goo.gl\/images\/adbnea\">comic-themed superhero Stephen Fry<\/a>\u00a0from the child rescue alert campaign posters\u00a0(which I, like the complete rube that I am, stopped to take a photo of when passing by).<\/p>\n<p><del>Sir<\/del> Stephen Fry aside, on to the NIST Cybersecurity Framework [<em>note: seriously&#8230; I don&#8217;t even live in the UK and I&#8217;m wondering why no knighthood yet for the institution that he represents.<\/em>]<\/p>\n<p>I continue to be mystified by the reception of the CSF in industry coupled with the complete failure of most organizations to get the central point of the document. \u00a0Here are\u00a0the things that we know to be true about the usage of the CSF in industry:<\/p>\n<ol>\n<li>The CSF is all over the place usage-wise. \u00a0It&#8217;s the ubiquitous, de facto choice for pretty much anybody when organizing their cybersecurity efforts. \u00a0This is true when it comes to planning out their program, assessing what they do,\u00a0building teams&#8230; heck, even education <em>about<\/em> security is based on the CSF nowadays.<\/li>\n<li>The CSF is, at its core, a document about risk management.<\/li>\n<li>Organizations continue to <strong>not<\/strong>\u00a0perform risk management in any kind of systematic, workmanlike way. \u00a0Lack of risk management is the normative case.<\/li>\n<\/ol>\n<p>Seriously. \u00a0At least half of the CSF document itself is specifically about risk management: why it&#8217;s important, what it entails, how you&#8217;d determine the relative capability or maturity of your risk management efforts,\u00a0how to apply the implementation steps outlined later in light of the risk assessment you&#8217;re doing, etc. 
\u00a0This is from the document directly (emphasis mine):<\/p>\n<blockquote><p>The Framework uses <span style=\"text-decoration: underline;\">risk management processes<\/span> to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports <span style=\"text-decoration: underline;\">recurring risk assessments<\/span> and <span style=\"text-decoration: underline;\">validation of business drivers<\/span> to help organizations select target states for cybersecurity activities that reflect desired outcomes&#8230;<\/p><\/blockquote>\n<p>It goes on to say:<\/p>\n<blockquote><p>The Framework Implementation Tiers (\u201cTiers\u201d) provide context on how an organization views cybersecurity risk and the <span style=\"text-decoration: underline;\">processes in place to manage that risk<\/span>. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of <span style=\"text-decoration: underline;\">rigor and sophistication in cybersecurity risk management practices<\/span> and the extent to which cybersecurity risk management is informed by business needs and is <span style=\"text-decoration: underline;\">integrated into an organization\u2019s overall risk management practices<\/span>.<\/p><\/blockquote>\n<p>So riddle me this&#8230; \u00a0If an organization says that it is using the CSF, but\u00a0also says that it doesn&#8217;t have time to do risk management &#8211; what exactly do you suppose it is using the framework <strong>for<\/strong>?<\/p>\n<p>Anyone? \u00a0As a way to organize its controls? \u00a0As a cross-reference? \u00a0As a philosophical guide to the ineffable chaos\u00a0of the world at large?<\/p>\n<p>What exactly is the point of that? \u00a0The\u00a0CSF itself has as a self-stated design goal to provide a &#8220;common vocabulary&#8221; for security. \u00a0Sure, it does that. \u00a0Vocabulary achieved. 
\u00a0But doesn&#8217;t having a &#8220;common vocabulary&#8221; imply that, as a next step, people have a conversation about something? \u00a0In the case of the CSF, that conversation is supposed to be about risk management &#8212; which I still don&#8217;t see people doing very well out there. \u00a0I suppose I&#8217;ll get over it, but the CSF is supposed to be a first step &#8211; it&#8217;s a means to an end, not the end itself.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So first of all, let me start by saying that I get it that Stephen Fry playing the role of Jeeves from like a billion years ago has nothing to do with anything. \u00a0That said, it came up in my google image search for &#8220;you&#8217;re doing it wrong&#8221; while looking for an image to use [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[29,71,84,101,113],"class_list":["post-277","post","type-post","status-publish","format-standard","hentry","category-security","tag-csf","tag-jeeves","tag-nist","tag-risk-management","tag-stephen-fry"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=277"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/277\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/i
ndex.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}