Imagine that you are making a chocolate cake and you pull up the NIST recipe on your iPad. NIST presents a picture of the perfect cake. It gives insightful detail on all the ingredients: the exact measures; the specific treatments (e.g. butter at room temperature and eggs separated); the sequencing of the ingredients; and even substitutions for missing ingredients. It prescribes the adjustments to make for a multi-level cake and for special conditions like kosher, gluten-free and vegan. It also helps you determine your baker's maturity level, but it does not define the critical steps necessary to actually make a cake. After much work, you have a table full of dirty dishes and a bowl of delicious cake batter, but no chocolate cake!
Yes, I am obviously not talking about baking a cake. I am talking about the need to “operationalize” the NCSF. I see so many people pointing to NCSF as the cookbook for effective cybersecurity, and yet many people have trouble turning it into action. For example, I recently reviewed most of the comments (over 200 responses submitted to NIST on CSF versions 1.0 and 1.1) to see what other people think. I find a consensus that organizations use the Framework as an organizational and system-level tool, but I also find a common theme from respondents requesting guidance on putting the NCSF into action.
To get from batter to baked goods, we need a prescriptive, rational, extensible, flexible, and reproducible methodology that builds on the framework. What I envision is something that uses the NIST CSF as the foundation and draws from other, more operationally focused, best practices, including other work from NIST (e.g. the SP 800 series), ISO/IEC 27001, and the CIS Controls, to take the framework off paper and put it into action. The great news is that this is what the CISO at the University of Massachusetts has created: the UMass Lowell NCSF Control Factory™.
The NCSF Control Factory™ uses a controls factory model to teach organizations how to build, test, maintain and continually improve a cybersecurity program based on the NIST CSF. The NCSF Control Factory™ model helps enterprises organize the engineering, technical and business functions of a NIST Cybersecurity Framework program.
To learn more about the model and associated training, please check this related post.
Some of you may remember the commercial about the guy who liked his razor so much that he bought the company? Well, I'm so excited about the NCSF Control Factory™ that I just joined with itSM Solutions to help them sell and deliver this training. Please contact me if you would like to hear more about this groundbreaking work.