Is NIST CSF2 going to be your best friend or your worst enemy?
Webinar | On-demand | 60min
A long-awaited update to NIST’s Cyber Security Framework arrives early next year.
We've invited two expert CISOs to debate what this means for security practitioners – and the business leaders who manage them.
Tune in to understand how the new Framework can help you deliver better security – and how it can also make oversight and goal-setting from senior managers more productive and positive.
The agenda for this 60-minute panel discussion includes:
• What’s new for organizations using the framework
• Suitability for different sizes of business
• Positives and negatives
• Panel recommendations for first steps
• Q&A session
1
00:00:00,599 --> 00:00:04,480
hello and welcome to this WithSecure
2
00:00:02,280 --> 00:00:07,640
webinar my name is Jana Kohan and I'm
3
00:00:04,480 --> 00:00:10,080
joined today by Christine Bejerasco who used to
4
00:00:07,640 --> 00:00:11,759
lead our TacDef Department in With
5
00:00:10,080 --> 00:00:16,080
Secure and F-Secure before that and now
6
00:00:11,759 --> 00:00:18,720
she's our CISO uh Matthew Rosenquist uh
7
00:00:16,080 --> 00:00:20,840
CISO in his own right but also uh you've
8
00:00:18,720 --> 00:00:23,359
got like 30 years of experience in this
9
00:00:20,840 --> 00:00:25,199
stuff uh places including Intel so
10
00:00:23,359 --> 00:00:28,160
you're a seasoned veteran of of
11
00:00:25,199 --> 00:00:30,679
information security um and we're here
12
00:00:28,160 --> 00:00:33,399
today to talk about the NIST Cyber Security
13
00:00:30,679 --> 00:00:35,879
framework version two um it's almost
14
00:00:33,399 --> 00:00:38,320
like a 10-year upgrade on the original
15
00:00:35,879 --> 00:00:39,879
framework which was more like a a
16
00:00:38,320 --> 00:00:43,079
pre-flight checklist I would
17
00:00:39,879 --> 00:00:45,160
characterize it um a mechanism for
18
00:00:43,079 --> 00:00:47,120
improvement in organizations but the
19
00:00:45,160 --> 00:00:50,039
version 2.0 aims to be a little bit
20
00:00:47,120 --> 00:00:53,160
more than that it's it's got upgrades in
21
00:00:50,039 --> 00:00:55,239
it great uh and uh but it is I mean it
22
00:00:53,160 --> 00:00:57,440
is more complex it is a big pill to
23
00:00:55,239 --> 00:01:00,280
swallow so maybe that's the the topic
24
00:00:57,440 --> 00:01:02,280
we're here to talk about today is uh you
25
00:01:00,280 --> 00:01:04,239
know how do we take this framework into
26
00:01:02,280 --> 00:01:07,600
use without it swallowing the whole
27
00:01:04,239 --> 00:01:11,159
company uh as a whole so here are our
28
00:01:07,600 --> 00:01:13,479
guests and and speakers today and um
29
00:01:11,159 --> 00:01:15,759
yeah so without further Ado I guess the
30
00:01:13,479 --> 00:01:17,600
the first question is is what are the
31
00:01:15,759 --> 00:01:21,000
the downsides of this like what should
32
00:01:17,600 --> 00:01:23,159
we tell people to sort of watch out for
33
00:01:21,000 --> 00:01:25,119
when they wade into uh Cyber Security
34
00:01:23,159 --> 00:01:28,439
framework version
35
00:01:25,119 --> 00:01:30,159
two well I I can take that one first so
36
00:01:28,439 --> 00:01:32,240
I believe you already mentioned a first
37
00:01:30,159 --> 00:01:34,799
one I mean getting the organization
38
00:01:32,240 --> 00:01:36,520
swallowed as a whole for instance
39
00:01:34,799 --> 00:01:39,040
because if you're the type of
40
00:01:36,520 --> 00:01:41,479
organization uh for instance it's just
41
00:01:39,040 --> 00:01:45,079
looking now at a framework that could
42
00:01:41,479 --> 00:01:47,399
help you out I mean NIST 2 has some
43
00:01:45,079 --> 00:01:50,040
really good things in it but it can be
44
00:01:47,399 --> 00:01:52,600
quite big and especially the new
45
00:01:50,040 --> 00:01:55,040
function Govern there's a lot about it
46
00:01:52,600 --> 00:01:57,360
that encompasses the different areas of
47
00:01:55,040 --> 00:02:00,159
the whole organization so it becomes a
48
00:01:57,360 --> 00:02:02,759
question of where to begin how do you
49
00:02:00,159 --> 00:02:05,560
approach it so that it doesn't become
50
00:02:02,759 --> 00:02:07,520
something bigger than what it should be
51
00:02:05,560 --> 00:02:09,399
and it should serve your organization
52
00:02:07,520 --> 00:02:11,720
not that your organization ends up
53
00:02:09,399 --> 00:02:14,760
serving the framework
54
00:02:11,720 --> 00:02:17,400
itself yeah so the framework was
55
00:02:14,760 --> 00:02:20,200
originally created uh for critical
56
00:02:17,400 --> 00:02:22,280
infrastructure so it was originally
57
00:02:20,200 --> 00:02:26,000
intended for larger organizations for
58
00:02:22,280 --> 00:02:29,840
governments to understand how mature and
59
00:02:26,000 --> 00:02:31,440
whether they have a good grasp from a
60
00:02:29,840 --> 00:02:34,920
comprehensive and consistency
61
00:02:31,440 --> 00:02:37,440
perspective of their cyber risks but the
62
00:02:34,920 --> 00:02:40,200
industry has needed it at all levels and
63
00:02:37,440 --> 00:02:42,120
so it has evolved from just that
64
00:02:40,200 --> 00:02:45,239
government and critical infrastructure
65
00:02:42,120 --> 00:02:47,840
kind of sector to be a tool that can be
66
00:02:45,239 --> 00:02:50,280
used at any level small businesses
67
00:02:47,840 --> 00:02:53,000
medium businesses large companies uh you
68
00:02:50,280 --> 00:02:56,440
know corporations governments it's a
69
00:02:53,000 --> 00:02:58,720
great tool but like any good tool you
70
00:02:56,440 --> 00:03:00,879
have to use it well if you're not using
71
00:02:58,720 --> 00:03:03,440
it the way it should should be there can
72
00:03:00,879 --> 00:03:06,080
be some downsides and that could be a
73
00:03:03,440 --> 00:03:08,560
detriment it can draw away from the
74
00:03:06,080 --> 00:03:10,239
resources that you need to use elsewhere
75
00:03:08,560 --> 00:03:12,599
so again there needs to be a better
76
00:03:10,239 --> 00:03:15,080
understanding on its applicability its
77
00:03:12,599 --> 00:03:17,319
use where it fits correctly and for
78
00:03:15,080 --> 00:03:20,120
every organization they're the one that
79
00:03:17,319 --> 00:03:23,000
has to determine it so there are some
80
00:03:20,120 --> 00:03:24,760
interesting challenges uh with both the
81
00:03:23,000 --> 00:03:27,200
previous framework as well as the
82
00:03:24,760 --> 00:03:30,560
current one so so who's this for like is
83
00:03:27,200 --> 00:03:32,239
it very labor intensive resource h like
84
00:03:30,560 --> 00:03:34,760
what size of a company do you need to be
85
00:03:32,239 --> 00:03:37,920
for this to be a benefit to you I think
86
00:03:34,760 --> 00:03:40,680
every company can benefit from this type
87
00:03:37,920 --> 00:03:43,720
of capability because again it gives you
88
00:03:40,680 --> 00:03:46,439
that insight to say I need to look at
89
00:03:43,720 --> 00:03:48,519
all of these areas now for a small
90
00:03:46,439 --> 00:03:50,200
company it may just be looking a little
91
00:03:48,519 --> 00:03:52,680
bit and some areas may not be as
92
00:03:50,200 --> 00:03:54,560
important as others and for a larger
93
00:03:52,680 --> 00:03:57,280
organization maybe with more threats
94
00:03:54,560 --> 00:04:00,239
more risks more assets they need to take
95
00:03:57,280 --> 00:04:03,200
a much deeper approach a more thorough
96
00:04:00,239 --> 00:04:05,159
approach to these different areas but
97
00:04:03,200 --> 00:04:07,079
again you got to see the big picture
98
00:04:05,159 --> 00:04:08,840
first before you can understand how
99
00:04:07,079 --> 00:04:10,640
you're going to apply it and how deep
100
00:04:08,840 --> 00:04:13,560
you're going to go down the rabbit
101
00:04:10,640 --> 00:04:15,400
hole it's actually pretty good if we
102
00:04:13,560 --> 00:04:17,639
take a look at this a little bit like a
103
00:04:15,400 --> 00:04:19,840
mirror for instance in an organization
104
00:04:17,639 --> 00:04:21,519
and not something that is a prescription
105
00:04:19,840 --> 00:04:24,080
that this is how exactly you should do
106
00:04:21,519 --> 00:04:25,759
it because um as Matthew mentioned
107
00:04:24,080 --> 00:04:29,039
different organizations have different
108
00:04:25,759 --> 00:04:31,039
needs and at times if we look at this um
109
00:04:29,039 --> 00:04:33,199
like a survey tool or a mirror that say
110
00:04:31,039 --> 00:04:35,440
okay these are the areas where it looks
111
00:04:33,199 --> 00:04:38,080
like we are already doing well and these
112
00:04:35,440 --> 00:04:39,880
are the areas that there could still be
113
00:04:38,080 --> 00:04:42,520
some improvements and this is an area
114
00:04:39,880 --> 00:04:44,680
where there's really a gaping hole then
115
00:04:42,520 --> 00:04:47,080
you now know where are the areas that
116
00:04:44,680 --> 00:04:49,000
you could address first to get somewhere
117
00:04:47,080 --> 00:04:51,759
but if it becomes a prescription tool
118
00:04:49,000 --> 00:04:54,280
then it becomes sort of like a burden to
119
00:04:51,759 --> 00:04:56,560
the organization to comply with areas
120
00:04:54,280 --> 00:04:59,160
that maybe they don't really need that
121
00:04:56,560 --> 00:05:02,600
much M yeah and and you bring up a great
122
00:04:59,160 --> 00:05:04,520
point cuz I I like the mirror analogy um
123
00:05:02,600 --> 00:05:07,280
the NIST tool is about looking at
124
00:05:04,520 --> 00:05:08,840
yourself it's about evaluating what you
125
00:05:07,280 --> 00:05:11,080
need and where you're at now and where
126
00:05:08,840 --> 00:05:12,880
you want to go it's different than like
127
00:05:11,080 --> 00:05:13,960
an ISO certification or a SOC 2
128
00:05:12,880 --> 00:05:16,720
certification where you're going to
129
00:05:13,960 --> 00:05:19,720
bring an outside party in to audit you
130
00:05:16,720 --> 00:05:21,800
and it's their list that's important in
131
00:05:19,720 --> 00:05:24,120
this case it's really about you your
132
00:05:21,800 --> 00:05:26,600
organization what you feel is important
133
00:05:24,120 --> 00:05:28,199
and that's how you use it typically for
134
00:05:26,600 --> 00:05:30,280
managing incremental changes in the
135
00:05:28,199 --> 00:05:32,680
direction you want to go so it very much
136
00:05:30,280 --> 00:05:34,560
is a mirror you're looking at yourself
137
00:05:32,680 --> 00:05:36,280
it's not other organizations or other
138
00:05:34,560 --> 00:05:38,840
standards coming in and looking at
139
00:05:36,280 --> 00:05:40,360
evaluating you so what if you don't like
140
00:05:38,840 --> 00:05:42,199
what you see in the mirror like is this
141
00:05:40,360 --> 00:05:44,960
going to be a stick for the boards to
142
00:05:42,199 --> 00:05:46,120
beat up the CISO with well first things
143
00:05:44,960 --> 00:05:48,960
first you're the one looking at the
144
00:05:46,120 --> 00:05:52,479
mirror not them so well but jokes aside
145
00:05:48,960 --> 00:05:54,960
I mean there is a tendency um like s so
146
00:05:52,479 --> 00:05:58,160
that the boards would look at this as a
147
00:05:54,960 --> 00:06:00,880
checklist or could potentially ask you
148
00:05:58,160 --> 00:06:03,360
to dare I say benchmark your
149
00:06:00,880 --> 00:06:06,800
organization versus others when it comes
150
00:06:03,360 --> 00:06:09,319
to this and as a mirror this is not
151
00:06:06,800 --> 00:06:11,120
really the tool for that like as Matthew
152
00:06:09,319 --> 00:06:12,840
mentioned this is about helping
153
00:06:11,120 --> 00:06:15,919
organizations especially in the critical
154
00:06:12,840 --> 00:06:18,319
infrastructure at the beginning to get
155
00:06:15,919 --> 00:06:20,440
somewhere where their security posture
156
00:06:18,319 --> 00:06:23,199
would be much better than where it is
157
00:06:20,440 --> 00:06:26,639
but if you now start comparing your
158
00:06:23,199 --> 00:06:28,599
organization versus another and seeing
159
00:06:26,639 --> 00:06:31,800
that the calibrations that you actually
160
00:06:28,599 --> 00:06:34,440
look you can't compare them one is to
161
00:06:31,800 --> 00:06:35,800
one because you're evaluating them from
162
00:06:34,440 --> 00:06:39,000
different
163
00:06:35,800 --> 00:06:41,440
perspectives so they there's a tendency
164
00:06:39,000 --> 00:06:43,479
there's a there's a potential downside
165
00:06:41,440 --> 00:06:46,479
if it's going to be viewed that way but
166
00:06:43,479 --> 00:06:49,080
if we keep to the mirror if we keep to
167
00:06:46,479 --> 00:06:50,800
thinking about this as areas where do I
168
00:06:49,080 --> 00:06:53,440
prioritize how do I improve where are
169
00:06:50,800 --> 00:06:55,479
the areas where I should care more now
170
00:06:53,440 --> 00:06:58,560
versus the future then this can be a
171
00:06:55,479 --> 00:07:00,560
very helpful tool okay yeah I I would
172
00:06:58,560 --> 00:07:03,479
even go further and say it's a fatal
173
00:07:00,560 --> 00:07:05,440
mistake if you're going to be using your
174
00:07:03,479 --> 00:07:07,759
calculated results and try and compare
175
00:07:05,440 --> 00:07:10,000
it to another organization again this is
176
00:07:07,759 --> 00:07:12,520
about what you feel is important and
177
00:07:10,000 --> 00:07:15,160
another organization May measure that
178
00:07:12,520 --> 00:07:17,520
differently for their so it's not an
179
00:07:15,160 --> 00:07:19,520
Apples to Apples comparison unlike some
180
00:07:17,520 --> 00:07:21,160
of the other standards out there where
181
00:07:19,520 --> 00:07:22,879
again it's a standard checklist and
182
00:07:21,160 --> 00:07:25,280
they're going to go through things so
183
00:07:22,879 --> 00:07:27,440
it's a fatal mistake if if your board is
184
00:07:25,280 --> 00:07:29,400
going down that path to say how do we
185
00:07:27,440 --> 00:07:31,520
compare this is the wrong tool for that
186
00:07:29,400 --> 00:07:35,000
there are other tools for that but it's
187
00:07:31,520 --> 00:07:37,240
a great tool to say okay how have we
188
00:07:35,000 --> 00:07:39,639
improved in the areas we wanted to since
189
00:07:37,240 --> 00:07:41,960
the last time you came in it's a great
190
00:07:39,639 --> 00:07:44,479
tool for that and that's where we see
191
00:07:41,960 --> 00:07:46,599
the big value um but if you're trying to
192
00:07:44,479 --> 00:07:48,720
compare to other organizations it's a
193
00:07:46,599 --> 00:07:51,199
fatal mistake bad things will happen
194
00:07:48,720 --> 00:07:54,120
guaranteed right so while we're still on
195
00:07:51,199 --> 00:07:56,120
the on the pitfalls do they change based
196
00:07:54,120 --> 00:07:59,919
on your location whether you're in the
197
00:07:56,120 --> 00:08:02,280
US or the EU or things like that
198
00:07:59,919 --> 00:08:04,520
to be honest no I mean looking at the
199
00:08:02,280 --> 00:08:06,440
framework and thinking about the
200
00:08:04,520 --> 00:08:10,080
different subcategories they are
201
00:08:06,440 --> 00:08:12,639
actually generic enough to be globally
202
00:08:10,080 --> 00:08:14,800
applicable and from a cyber security
203
00:08:12,639 --> 00:08:17,599
perspective there dare I say the word
204
00:08:14,800 --> 00:08:19,479
that they're actually cyber common sense
205
00:08:17,599 --> 00:08:22,240
essentially that is distilled into
206
00:08:19,479 --> 00:08:24,919
different areas that you can take a look
207
00:08:22,240 --> 00:08:26,919
at in the context of your organization
208
00:08:24,919 --> 00:08:28,680
yeah you know so when you do figure out
209
00:08:26,919 --> 00:08:30,080
okay what's most applicable to me you
210
00:08:28,680 --> 00:08:33,880
may have
211
00:08:30,080 --> 00:08:35,279
a recommendation for data security you
212
00:08:33,880 --> 00:08:38,399
know are you meeting Regulatory
213
00:08:35,279 --> 00:08:41,200
Compliance now the regulatory you know
214
00:08:38,399 --> 00:08:44,080
environment may be different Europe to
215
00:08:41,200 --> 00:08:46,040
Asia to North America and so forth but
216
00:08:44,080 --> 00:08:49,399
the framework itself is staying at that
217
00:08:46,040 --> 00:08:50,800
higher level of are you compliant with
218
00:08:49,399 --> 00:08:54,240
you know this is an area you need to
219
00:08:50,800 --> 00:08:56,080
look at so the framework itself I think
220
00:08:54,240 --> 00:08:58,240
it applies equally to to all different
221
00:08:56,080 --> 00:08:59,600
regions how you interpret it that's
222
00:08:58,240 --> 00:09:01,959
going to be a little bit different based
223
00:08:59,600 --> 00:09:03,640
on where you operate and and what other
224
00:09:01,959 --> 00:09:06,399
requirements there are that you're
225
00:09:03,640 --> 00:09:09,240
trying to meet okay uh we're going to do
226
00:09:06,399 --> 00:09:12,399
an audience poll right now um uh so the
227
00:09:09,240 --> 00:09:14,959
question is um are you planning to use
228
00:09:12,399 --> 00:09:17,560
cyber security framework version two in
229
00:09:14,959 --> 00:09:20,600
in 2024 so are you going to be one of
230
00:09:17,560 --> 00:09:22,399
those early adopters of this so uh the
231
00:09:20,600 --> 00:09:24,120
question is going to pop up here and and
232
00:09:22,399 --> 00:09:25,720
you can just uh click on your answer
233
00:09:24,120 --> 00:09:27,920
we'll give you a bit of time to to
234
00:09:25,720 --> 00:09:30,279
answer that and I actually have an
235
00:09:27,920 --> 00:09:33,079
audience question uh that we can we can
236
00:09:30,279 --> 00:09:35,200
talk about while we wait um the question
237
00:09:33,079 --> 00:09:36,600
is this I will be interested to hear
238
00:09:35,200 --> 00:09:38,320
what the panel thinks about cyber
239
00:09:36,600 --> 00:09:40,680
security framework to and how it can be
240
00:09:38,320 --> 00:09:43,800
applied to new European regulations like
241
00:09:40,680 --> 00:09:45,760
the NIS 2 so we're seeing more reg
242
00:09:43,800 --> 00:09:49,120
regulatory load on smaller companies in
243
00:09:45,760 --> 00:09:50,760
the EU and in the US um how can it help
244
00:09:49,120 --> 00:09:52,360
especially if we need to comply in
245
00:09:50,760 --> 00:09:54,640
different
246
00:09:52,360 --> 00:09:56,959
regions maybe I could take a first stab
247
00:09:54,640 --> 00:09:58,800
at that I mean some of the requirements
248
00:09:56,959 --> 00:10:01,160
in the new regulations that are coming
249
00:09:58,800 --> 00:10:03,720
in for instance in the European Union
250
00:10:01,160 --> 00:10:06,040
there are stuff there related to
251
00:10:03,720 --> 00:10:08,640
vulnerabilities related to security of
252
00:10:06,040 --> 00:10:11,200
your data at rest in transit that
253
00:10:08,640 --> 00:10:15,160
actually have specific subcategories in
254
00:10:11,200 --> 00:10:18,560
the NIST 2 so definitely it can be helpful
255
00:10:15,160 --> 00:10:20,600
now I wouldn't map them one is to one
256
00:10:18,560 --> 00:10:23,399
obviously you need to look at the
257
00:10:20,600 --> 00:10:26,200
regulatory Frameworks but what is also
258
00:10:23,399 --> 00:10:29,200
stated in some of the subcategories in
259
00:10:26,200 --> 00:10:31,440
um NIST 2 is exactly what Matthew said
260
00:10:29,200 --> 00:10:34,000
there is a part there talking about the
261
00:10:31,440 --> 00:10:37,720
regulations in your area which means
262
00:10:34,000 --> 00:10:40,040
that in so looking at the NIST 2 then you
263
00:10:37,720 --> 00:10:41,839
are then required as well to look at the
264
00:10:40,040 --> 00:10:45,040
different regulations where you operate
265
00:10:41,839 --> 00:10:49,399
at okay shall we see what the the poll
266
00:10:45,040 --> 00:10:52,800
says um 25% of the respondents say they
267
00:10:49,399 --> 00:10:56,800
are going to be using CSF 2 in
268
00:10:52,800 --> 00:10:58,839
2024 14 and some are saying no and
269
00:10:56,800 --> 00:11:00,040
undecided still 60 what do you guys
270
00:10:58,839 --> 00:11:02,959
think
271
00:11:00,040 --> 00:11:05,040
it's it's not surprising to me right um
272
00:11:02,959 --> 00:11:08,839
you've got people that aren't currently
273
00:11:05,040 --> 00:11:11,000
using this type of of maturity framework
274
00:11:08,839 --> 00:11:12,760
so they have to decide do I go to 1.1
275
00:11:11,000 --> 00:11:14,560
do I really want to jump into two I
276
00:11:12,760 --> 00:11:16,160
don't know if I even want anything
277
00:11:14,560 --> 00:11:19,440
you've got people that are currently
278
00:11:16,160 --> 00:11:20,839
using version 1.1 and they have to
279
00:11:19,440 --> 00:11:23,160
decide do I want to allocate the
280
00:11:20,839 --> 00:11:25,000
resources to migrate to version 2
281
00:11:23,160 --> 00:11:27,880
because there's a cost to it there
282
00:11:25,000 --> 00:11:30,800
absolutely is a cost uh and then you've
283
00:11:27,880 --> 00:11:33,760
got people that are you know hey I'm I'm
284
00:11:30,800 --> 00:11:36,680
I've decided I'm going to 2.0 but now I
285
00:11:33,760 --> 00:11:38,800
need to figure out how much effort am I
286
00:11:36,680 --> 00:11:40,880
going to allocate towards this 'cause it can
287
00:11:38,800 --> 00:11:42,839
be a deep hole if you want it or it can
288
00:11:40,880 --> 00:11:45,120
be shallow depends on what your needs
289
00:11:42,839 --> 00:11:47,360
all right well let's talk about some of
290
00:11:45,120 --> 00:11:49,600
the good things about this I didn't give
291
00:11:47,360 --> 00:11:51,920
you an answer to a moment to answer the
292
00:11:49,600 --> 00:11:53,839
the NIS 2 question but is it good that
293
00:11:51,920 --> 00:11:56,200
this is coming out at the same time or
294
00:11:53,839 --> 00:11:58,959
is it is it bad I think it's good I like
295
00:11:56,200 --> 00:12:00,839
the update right uh 1.0 came out what
296
00:11:58,959 --> 00:12:04,880
eight years ago 9 years ago somewhere
297
00:12:00,839 --> 00:12:08,920
around there um 1.1 then came out we're
298
00:12:04,880 --> 00:12:12,440
seeing a fundamental change an in an
299
00:12:08,920 --> 00:12:14,320
advancement if you will in what the
300
00:12:12,440 --> 00:12:16,360
framework is and it's calling out
301
00:12:14,320 --> 00:12:19,240
specific things that are more relevant
302
00:12:16,360 --> 00:12:21,399
today than what they were and a good
303
00:12:19,240 --> 00:12:24,199
example is third party supply chain
304
00:12:21,399 --> 00:12:26,760
those risks the industry wasn't talking
305
00:12:24,199 --> 00:12:28,079
about it nine years ago it it was
306
00:12:26,760 --> 00:12:30,519
important we didn't know it was
307
00:12:28,079 --> 00:12:33,040
important yeah so now we know it's
308
00:12:30,519 --> 00:12:35,399
important we know it's a growth area the
309
00:12:33,040 --> 00:12:38,240
governance around all of that is very
310
00:12:35,399 --> 00:12:40,680
important and so this model is
311
00:12:38,240 --> 00:12:43,279
reflecting that is it perfect in all
312
00:12:40,680 --> 00:12:45,240
ways no I'm sure we'll get into that but
313
00:12:43,279 --> 00:12:47,680
the fact that it's calling out some of
314
00:12:45,240 --> 00:12:49,920
the more important things and things
315
00:12:47,680 --> 00:12:53,440
that maybe I won't say neglected but
316
00:12:49,920 --> 00:12:55,600
maybe we haven't efforted as much in the
317
00:12:53,440 --> 00:12:58,560
past it brings attention to it and I
318
00:12:55,600 --> 00:13:01,160
think that helps and to add to that I
319
00:12:58,560 --> 00:13:03,320
actually like that it's a bit more
320
00:13:01,160 --> 00:13:06,680
modernized and attuned to the times for
321
00:13:03,320 --> 00:13:09,199
instance uh version 1.1 mentions about
322
00:13:06,680 --> 00:13:10,760
malicious code but now threats are more
323
00:13:09,199 --> 00:13:12,839
generalized because when it comes to
324
00:13:10,760 --> 00:13:15,040
threats we're not just talking about
325
00:13:12,839 --> 00:13:18,000
malicious code and when we're talking
326
00:13:15,040 --> 00:13:19,600
about data then you protect it at rest
327
00:13:18,000 --> 00:13:21,199
in transit but now it's all about
328
00:13:19,600 --> 00:13:22,600
protecting it while you're doing the
329
00:13:21,199 --> 00:13:26,079
processing because of course that's
330
00:13:22,600 --> 00:13:28,240
important as well so it has definitely
331
00:13:26,079 --> 00:13:30,720
modernized even the language as well in
332
00:13:28,240 --> 00:13:34,320
the context of the technologies that we
333
00:13:30,720 --> 00:13:36,279
are also using today so I asked you guys
334
00:13:34,320 --> 00:13:38,279
earlier about whether this is a stick to
335
00:13:36,279 --> 00:13:40,320
beat the CISOs with but turning that
336
00:13:38,279 --> 00:13:42,120
around is this is this a way to sort of
337
00:13:40,320 --> 00:13:43,920
steer the conversations that board
338
00:13:42,120 --> 00:13:45,800
members are having with the CISOs is
339
00:13:43,920 --> 00:13:49,639
this sort of the common language and way
340
00:13:45,800 --> 00:13:53,040
to focus their attention on on the right
341
00:13:49,639 --> 00:13:56,440
things well there are areas where it can
342
00:13:53,040 --> 00:13:59,040
help but it can also become
343
00:13:56,440 --> 00:14:01,839
distracting uh if I would be using using
344
00:13:59,040 --> 00:14:05,160
this in a board I would only be using
345
00:14:01,839 --> 00:14:08,040
this to measure where we are now versus
346
00:14:05,160 --> 00:14:10,639
where we were before right and I would
347
00:14:08,040 --> 00:14:12,880
definitely stop this from using being
348
00:14:10,639 --> 00:14:15,160
used as a benchmark and I would stop
349
00:14:12,880 --> 00:14:18,279
this from being used as a deep dive into
350
00:14:15,160 --> 00:14:21,680
individual details because it can show
351
00:14:18,279 --> 00:14:24,040
for instance um how we are changing our
352
00:14:21,680 --> 00:14:26,320
posture based on the organization's risk
353
00:14:24,040 --> 00:14:28,959
appetite and in our organization's
354
00:14:26,320 --> 00:14:31,040
context but it shouldn't go beyond that
355
00:14:28,959 --> 00:14:33,560
in the context of the board right no I
356
00:14:31,040 --> 00:14:36,959
was more talking about like um you know
357
00:14:33,560 --> 00:14:38,759
this uh framework covers specific areas
358
00:14:36,959 --> 00:14:40,480
so would those be areas that you would
359
00:14:38,759 --> 00:14:43,560
try to talk to your board with sort of
360
00:14:40,480 --> 00:14:45,399
cover all of them at some point and just
361
00:14:43,560 --> 00:14:47,959
uh you know establish that common
362
00:14:45,399 --> 00:14:50,959
vocabulary well typically they would be
363
00:14:47,959 --> 00:14:53,480
interested um a lot on the governance
364
00:14:50,959 --> 00:14:55,480
right and uh how things have changed but
365
00:14:53,480 --> 00:14:58,279
when I go now to the protect detect
366
00:14:55,480 --> 00:15:00,920
respond I think I would lose them if I
367
00:14:58,279 --> 00:15:03,279
talk about details because it these are
368
00:15:00,920 --> 00:15:07,320
the areas that can get slightly
369
00:15:03,279 --> 00:15:11,680
technical unfortunately yeah yeah I I
370
00:15:07,320 --> 00:15:14,920
think the the NIST framework there is a
371
00:15:11,680 --> 00:15:16,720
great tool for Security leaders to
372
00:15:14,920 --> 00:15:18,759
understand these are potential areas
373
00:15:16,720 --> 00:15:23,079
that I do need to cover but every
374
00:15:18,759 --> 00:15:24,399
audience is different and the board is
375
00:15:23,079 --> 00:15:26,240
probably going to focus on on the
376
00:15:24,399 --> 00:15:29,040
governance that's a great place to
377
00:15:26,240 --> 00:15:32,160
discuss with the board but a different
378
00:15:29,040 --> 00:15:34,360
audience um the CISO or whoever is the
379
00:15:32,160 --> 00:15:36,920
the leader of security they may want to
380
00:15:34,360 --> 00:15:39,079
go into more depth but what it provides
381
00:15:36,920 --> 00:15:41,600
them is they see the bigger picture
382
00:15:39,079 --> 00:15:43,759
these are potential areas that I do need
383
00:15:41,600 --> 00:15:47,480
to discuss and whether it's at the
384
00:15:43,759 --> 00:15:50,440
highest level of Identify, Protect or
385
00:15:47,480 --> 00:15:53,920
a level or two down from that it gives
386
00:15:50,440 --> 00:15:56,160
them a body a breadth of topics that
387
00:15:53,920 --> 00:15:58,160
they should be covering or think about
388
00:15:56,160 --> 00:15:59,399
covering that's most pertinent to their
389
00:15:58,160 --> 00:16:01,120
organization
390
00:15:59,399 --> 00:16:03,440
so instead of going in with the same
391
00:16:01,120 --> 00:16:07,800
slide deck with the board as you would
392
00:16:03,440 --> 00:16:10,000
with the the customers or a supplier or
393
00:16:07,800 --> 00:16:11,759
um you know Frontline management you
394
00:16:10,000 --> 00:16:13,079
realize okay there's there's different
395
00:16:11,759 --> 00:16:15,959
conversations you're going to have but
396
00:16:13,079 --> 00:16:18,560
at least this covers that scope to be
397
00:16:15,959 --> 00:16:22,759
able to to draw from so I like it from
398
00:16:18,560 --> 00:16:26,319
that perspective all right um let's do
399
00:16:22,759 --> 00:16:28,920
another poll um so the question is has
400
00:16:26,319 --> 00:16:31,160
your board or C-suite uh raised any
401
00:16:28,920 --> 00:16:32,959
questions about this uh framework have
402
00:16:31,160 --> 00:16:36,079
they heard about it have they approached
403
00:16:32,959 --> 00:16:37,680
you uh as a security practitioner about
404
00:16:36,079 --> 00:16:40,680
the uh the
405
00:16:37,680 --> 00:16:44,079
framework so that's the poll um we have
406
00:16:40,680 --> 00:16:48,279
a couple of incoming questions about ISO
407
00:16:44,079 --> 00:16:49,839
27001 um so basically the question around
408
00:16:48,279 --> 00:16:51,560
this a word a little bit differently but
409
00:16:49,839 --> 00:16:55,519
basically the question is if you're
410
00:16:51,560 --> 00:16:58,040
already uh applying that framework is it
411
00:16:55,519 --> 00:16:59,680
necessary to apply or even familiarize
412
00:16:58,040 --> 00:17:01,360
yourself with the with the cyber
413
00:16:59,680 --> 00:17:03,040
security framework too is does it add
414
00:17:01,360 --> 00:17:03,839
anything does it bring anything new into
415
00:17:03,040 --> 00:17:07,559
the
416
00:17:03,839 --> 00:17:09,720
picture well the ISO 27001 a lot about
417
00:17:07,559 --> 00:17:11,199
it is about establishing your
418
00:17:09,720 --> 00:17:13,120
information security Management in the
419
00:17:11,199 --> 00:17:15,199
organization like your policies and
420
00:17:13,120 --> 00:17:19,799
implementation of that and then getting
421
00:17:15,199 --> 00:17:22,720
audited for that uh it's well I would
422
00:17:19,799 --> 00:17:26,319
say that externally it's a very good
423
00:17:22,720 --> 00:17:28,199
Benchmark but there's also a possibility
424
00:17:26,319 --> 00:17:30,280
and um of course because you're audited
425
00:17:28,199 --> 00:17:32,880
in the context of the policies that you
426
00:17:30,280 --> 00:17:36,840
create so there there's also a tendency
427
00:17:32,880 --> 00:17:38,919
to optimize for those policies and um
428
00:17:36,840 --> 00:17:40,400
and I hate to say it but at times I mean
429
00:17:38,919 --> 00:17:42,160
of course when when different
430
00:17:40,400 --> 00:17:44,559
organizations optimize for those
431
00:17:42,160 --> 00:17:47,160
policies it doesn't become a mirror
432
00:17:44,559 --> 00:17:50,679
anymore it doesn't become an evaluation
433
00:17:47,160 --> 00:17:52,520
of the reality anymore on the ground and
434
00:17:50,679 --> 00:17:55,039
it's a picture you printed on your
435
00:17:52,520 --> 00:17:57,880
mirror yes and it's a picture that you
436
00:17:55,039 --> 00:18:00,280
show externally exactly so um the the
437
00:17:57,880 --> 00:18:02,559
beauty of having the NIST 2 and having
438
00:18:00,280 --> 00:18:04,679
this as an internal tool to look into
439
00:18:02,559 --> 00:18:07,840
yourself is that I believe that it gives
440
00:18:04,679 --> 00:18:10,559
you a very honest evaluation of yourself
441
00:18:07,840 --> 00:18:14,120
if you use it as such and the
442
00:18:10,559 --> 00:18:18,120
ISO 27001 is then an external validation
443
00:18:14,120 --> 00:18:21,159
of the areas that based on your policies
444
00:18:18,120 --> 00:18:23,200
then the Auditors are able to validate
445
00:18:21,159 --> 00:18:25,159
right does that make make sense to you
446
00:18:23,200 --> 00:18:27,640
it it absolutely does right when you
447
00:18:25,159 --> 00:18:30,120
look at the the ISO standards or SOC
448
00:18:27,640 --> 00:18:32,480
2 standards or whatnot you're looking
449
00:18:30,120 --> 00:18:33,840
from the outside in and that's very
450
00:18:32,480 --> 00:18:37,200
important and it can be very very
451
00:18:33,840 --> 00:18:39,120
prescriptive when you're using the NIST CSF
452
00:18:37,200 --> 00:18:41,400
it's that internal let me look at my
453
00:18:39,120 --> 00:18:43,360
mirror and the emphasis that you're
454
00:18:41,400 --> 00:18:44,720
going to place on it is what's most
455
00:18:43,360 --> 00:18:47,280
relevant to
456
00:18:44,720 --> 00:18:49,320
me that's where you start looking at the
457
00:18:47,280 --> 00:18:51,240
prioritization when you're looking at
458
00:18:49,320 --> 00:18:52,880
the ISO you're looking at more of a
459
00:18:51,240 --> 00:18:56,280
checklist I need to get this done it's
460
00:18:52,880 --> 00:18:59,640
all got to get done yes yes yes but the
461
00:18:56,280 --> 00:19:01,799
NIST gives you a more personalized
462
00:18:59,640 --> 00:19:04,159
potentially if if you're using it well a
463
00:19:01,799 --> 00:19:07,200
more personalized
464
00:19:04,159 --> 00:19:08,880
introspective and that may enable you to
465
00:19:07,200 --> 00:19:10,400
generate the right conversations to get
466
00:19:08,880 --> 00:19:13,240
the right support to be able to
467
00:19:10,400 --> 00:19:16,320
articulate strategically where you want
468
00:19:13,240 --> 00:19:20,159
to invest for the different
469
00:19:16,320 --> 00:19:24,960
audiences okay let's see how our poll is
470
00:19:20,159 --> 00:19:27,000
doing uh 65% no so the uh the powers
471
00:19:24,960 --> 00:19:29,360
that be are not approaching CISOs and
472
00:19:27,000 --> 00:19:32,039
security managers about the framework
473
00:19:29,360 --> 00:19:34,919
are we surprised actually I'm surprised
474
00:19:32,039 --> 00:19:36,960
the 12% I know I was like are they
475
00:19:34,919 --> 00:19:38,799
asking what board member is going to be
476
00:19:36,960 --> 00:19:40,880
talking about this standard I'm
477
00:19:38,799 --> 00:19:45,440
impressed and you should be bigger now
478
00:19:40,880 --> 00:19:48,400
it's like 12.4 uh uh-oh um maybe that's a
479
00:19:45,440 --> 00:19:50,400
reflection of boards are starting to get
480
00:19:48,400 --> 00:19:52,280
more Savvy and more aware which means
481
00:19:50,400 --> 00:19:55,120
their expectations for security are
482
00:19:52,280 --> 00:19:57,880
going up if they're starting to to talk
483
00:19:55,120 --> 00:19:59,080
about this standard at this stage at
484
00:19:57,880 --> 00:20:01,120
this stage
485
00:19:59,080 --> 00:20:02,760
it means which is a good thing I like
486
00:20:01,120 --> 00:20:05,120
this that boards are becoming a little bit
487
00:20:02,760 --> 00:20:07,480
more Savvy they're thinking I need to be
488
00:20:05,120 --> 00:20:10,039
more aware okay what are some of these
489
00:20:07,480 --> 00:20:12,799
standards coming out so if you're the
490
00:20:10,039 --> 00:20:14,960
CISO you better get in front of this I
491
00:20:12,799 --> 00:20:16,720
know but like imagine if that's your
492
00:20:14,960 --> 00:20:18,120
board then you probably shouldn't be in
493
00:20:16,720 --> 00:20:19,679
the audit committee for 20 minutes
494
00:20:18,120 --> 00:20:22,679
you'll be there for an hour because they
495
00:20:19,679 --> 00:20:23,840
want to be disting more time um but
496
00:20:22,679 --> 00:20:25,200
they're also going to have expectations
497
00:20:23,840 --> 00:20:27,280
that you're going to have to manage
498
00:20:25,200 --> 00:20:30,080
better because again you don't want that
499
00:20:27,280 --> 00:20:33,760
question well how do we compare if that
500
00:20:30,080 --> 00:20:35,440
12% or now 13% is saying hey we want to
501
00:20:33,760 --> 00:20:37,520
use this as a benchmark to compare
502
00:20:35,440 --> 00:20:41,480
against other you need to start you need
503
00:20:37,520 --> 00:20:43,840
to kill that out early and so manage
504
00:20:41,480 --> 00:20:45,960
them in understanding what the purpose
505
00:20:43,840 --> 00:20:47,559
is how you're we're going to use it and
506
00:20:45,960 --> 00:20:49,360
things of that sort manage that
507
00:20:47,559 --> 00:20:51,080
conversation so what about those
508
00:20:49,360 --> 00:20:54,039
companies where that those conversations
509
00:20:51,080 --> 00:20:56,080
are not taking place right now um when
510
00:20:54,039 --> 00:20:58,559
this drops is it going to surprise the
511
00:20:56,080 --> 00:21:00,720
C-suite are they you know are they
512
00:20:58,559 --> 00:21:02,320
going to be surprised I have a feeling
513
00:21:00,720 --> 00:21:04,880
they wouldn't be I mean the C-suite is
514
00:21:02,320 --> 00:21:07,280
very much used to new benchmarks and
515
00:21:04,880 --> 00:21:09,240
things coming in every now and then so
516
00:21:07,280 --> 00:21:11,440
the question will most likely just
517
00:21:09,240 --> 00:21:13,200
cascade down to the CISOs then like you
518
00:21:11,440 --> 00:21:15,880
CISO figure it out what is it is it
519
00:21:13,200 --> 00:21:19,159
relevant for us and what does it mean
520
00:21:15,880 --> 00:21:21,400
right yeah okay um I do want to talk
521
00:21:19,159 --> 00:21:23,520
about recommendations and practical next
522
00:21:21,400 --> 00:21:25,679
steps and I would like the audience to
523
00:21:23,520 --> 00:21:27,799
participate as well so if you have any
524
00:21:25,679 --> 00:21:29,640
recommendations on how to approach this
525
00:21:27,799 --> 00:21:31,520
topic please put them in the the chat
526
00:21:29,640 --> 00:21:35,000
box and and and we'll take a look at
527
00:21:31,520 --> 00:21:37,320
those but but you um what are your
528
00:21:35,000 --> 00:21:39,559
suggestions on how to um how to for
529
00:21:37,320 --> 00:21:41,080
example implement this how to implement
530
00:21:39,559 --> 00:21:43,880
the measurements that are in the
531
00:21:41,080 --> 00:21:45,400
framework like how I typically approach
532
00:21:43,880 --> 00:21:48,480
this because I've also looked at the
533
00:21:45,400 --> 00:21:51,679
version 1.1 previously uh with my team
534
00:21:48,480 --> 00:21:53,200
and we turn this into a survey tool so
535
00:21:51,679 --> 00:21:55,000
somebody technical engineering
536
00:21:53,200 --> 00:21:57,360
background basically what we did was
537
00:21:55,000 --> 00:21:59,200
that we spread it out um the different
538
00:21:57,360 --> 00:22:01,559
subcategories into the different areas
539
00:21:59,200 --> 00:22:03,520
of the organization who knew about it
540
00:22:01,559 --> 00:22:05,400
and who knew about our security posture
541
00:22:03,520 --> 00:22:07,279
and then averaged sort of the
542
00:22:05,400 --> 00:22:10,480
implementation tier scoring and then it
543
00:22:07,279 --> 00:22:13,400
became our mirror um my take on this is
544
00:22:10,480 --> 00:22:15,919
I would do the same uh for next one use
545
00:22:13,400 --> 00:22:18,679
this as a survey tool and see if there
546
00:22:15,919 --> 00:22:21,679
are stark differences or if there are
547
00:22:18,679 --> 00:22:24,000
areas where we have gaping holes because
548
00:22:21,679 --> 00:22:26,120
I mean I do like the different areas
549
00:22:24,000 --> 00:22:28,679
that it's tackling and I I would like to
550
00:22:26,120 --> 00:22:30,320
see where are the areas where we could
551
00:22:28,679 --> 00:22:32,279
potentially weakest at and then it
552
00:22:30,320 --> 00:22:35,360
matters to us so that would be my
553
00:22:32,279 --> 00:22:37,640
practical Next Step okay and I would say
554
00:22:35,360 --> 00:22:40,080
there's a decision that has to be made
555
00:22:37,640 --> 00:22:42,279
right you have to decide do you even
556
00:22:40,080 --> 00:22:44,919
want to go if you're using 1.1 for
557
00:22:42,279 --> 00:22:48,120
example and you're managing your
558
00:22:44,919 --> 00:22:50,000
security risk really well and you're
559
00:22:48,120 --> 00:22:52,039
doing your own internal governance and
560
00:22:50,000 --> 00:22:53,760
and everything is flowing very well
561
00:22:52,039 --> 00:22:56,360
you've got all your metrics everything's
562
00:22:53,760 --> 00:22:58,760
aligned do you really need to go to
563
00:22:56,360 --> 00:23:00,960
version 2.0 again there's going to be a
564
00:22:58,760 --> 00:23:02,120
cost there's an engineering cost there's
565
00:23:00,960 --> 00:23:05,320
if you're going to use a vendor you're
566
00:23:02,120 --> 00:23:07,200
going to it could create disruption that
567
00:23:05,320 --> 00:23:09,840
maybe you don't need right
568
00:23:07,200 --> 00:23:11,679
now on the other hand if you're using
569
00:23:09,840 --> 00:23:14,120
1.1 and it isn't going so well or
570
00:23:11,679 --> 00:23:15,520
you're not using anything at all this
571
00:23:14,120 --> 00:23:18,159
may be a great
572
00:23:15,520 --> 00:23:20,880
opportunity because it may become more
573
00:23:18,159 --> 00:23:23,400
relevant for you it may return a lot on
574
00:23:20,880 --> 00:23:26,279
that investment but again you have to
575
00:23:23,400 --> 00:23:28,520
take a look at the tool it's not super
576
00:23:26,279 --> 00:23:30,279
prescriptive right you get to decide how
577
00:23:28,520 --> 00:23:34,679
you're going to use it you may tie it
578
00:23:30,279 --> 00:23:37,240
into um you know NIST 800-53 or 800-171 to get
579
00:23:34,679 --> 00:23:39,559
more prescriptive but again you need to
580
00:23:37,240 --> 00:23:43,080
do that assessment it's worthwhile to
581
00:23:39,559 --> 00:23:45,440
take a look and see are the the Deltas
582
00:23:43,080 --> 00:23:47,360
right that uh gaps that can be closed
583
00:23:45,440 --> 00:23:49,440
and covered can you use this to to
584
00:23:47,360 --> 00:23:51,240
communicate better to be able to show
585
00:23:49,440 --> 00:23:53,799
value to be able to prioritize your
586
00:23:51,240 --> 00:23:57,240
resources or maybe even justify some of
587
00:23:53,799 --> 00:23:59,760
that investment to that 12% of the the
588
00:23:57,240 --> 00:24:02,360
the board that that see this there may
589
00:23:59,760 --> 00:24:04,120
be opportunities there right uh but you
590
00:24:02,360 --> 00:24:05,960
got to take a look at it and it really
591
00:24:04,120 --> 00:24:08,799
should come from the cyber security
592
00:24:05,960 --> 00:24:11,960
leadership see what opportunities are
593
00:24:08,799 --> 00:24:13,840
there so do we have practical advice on
594
00:24:11,960 --> 00:24:17,240
sort of how to have those conversations
595
00:24:13,840 --> 00:24:20,919
with the C-suite and get them on
596
00:24:17,240 --> 00:24:22,440
board well if you have done some surveys
597
00:24:20,919 --> 00:24:26,559
and let's say for example your
598
00:24:22,440 --> 00:24:28,200
organization is um in an area where
599
00:24:26,559 --> 00:24:30,320
potentially cyber security could be a
600
00:24:28,200 --> 00:24:32,440
competitive Advantage then that can be
601
00:24:30,320 --> 00:24:35,080
linked into conversations with the C-suite
602
00:24:32,440 --> 00:24:37,520
and if you have already seen where
603
00:24:35,080 --> 00:24:40,760
are the areas that have gaping holes and
604
00:24:37,520 --> 00:24:43,039
you'd like to seal those holes and use
605
00:24:40,760 --> 00:24:45,919
this framework as kind of like the
606
00:24:43,039 --> 00:24:47,760
initial guidance on how and where to
607
00:24:45,919 --> 00:24:50,919
start then yeah I think it can be a
608
00:24:47,760 --> 00:24:52,279
conversation starter okay yeah one of
609
00:24:50,919 --> 00:24:54,480
the strengths here is the addition of
610
00:24:52,279 --> 00:24:57,279
the the governance ring now in reality
611
00:24:54,480 --> 00:24:58,600
governance was always a part of cyber
612
00:24:57,279 --> 00:25:01,000
security management but this
613
00:24:58,600 --> 00:25:02,919
specifically calls it out and
614
00:25:01,000 --> 00:25:06,200
unfortunately in the firefighting that
615
00:25:02,919 --> 00:25:08,200
we do every day governance tends to be
616
00:25:06,200 --> 00:25:10,279
one of the last things we invest in we
617
00:25:08,200 --> 00:25:12,720
have to put the fires out that's what we
618
00:25:10,279 --> 00:25:15,399
have to do so you know establishing the
619
00:25:12,720 --> 00:25:17,919
governance and and sustainable processes
620
00:25:15,399 --> 00:25:20,520
and and making sure that over time it
621
00:25:17,919 --> 00:25:22,919
works and can be attested to that tends
622
00:25:20,520 --> 00:25:25,919
to fall behind so this may be an
623
00:25:22,919 --> 00:25:28,200
opportunity to bring that more to the
624
00:25:25,919 --> 00:25:31,000
forefront because yes firefighting is
625
00:25:28,200 --> 00:25:34,360
important but cyber security doesn't get
626
00:25:31,000 --> 00:25:37,000
solved it is a continual living process
627
00:25:34,360 --> 00:25:40,120
so making sure that you're investing in
628
00:25:37,000 --> 00:25:43,559
that which is what this new framework is
629
00:25:40,120 --> 00:25:45,520
in part trying to Showcase it's valuable
630
00:25:43,559 --> 00:25:47,440
and being able to throw that slide up
631
00:25:45,520 --> 00:25:49,520
with your partners or maybe even your
632
00:25:47,440 --> 00:25:52,000
board to say hey this ring this
633
00:25:49,520 --> 00:25:54,919
governance ring is something the
634
00:25:52,000 --> 00:25:57,760
industry says is important we're weak in
635
00:25:54,919 --> 00:26:00,120
it we want to we want to grow in that
636
00:25:57,760 --> 00:26:01,559
space and so we either need help or
637
00:26:00,120 --> 00:26:03,760
we're going to reallocate resources or
638
00:26:01,559 --> 00:26:06,399
we're going to prioritize but that can
639
00:26:03,760 --> 00:26:08,559
drive that conversation and potentially
640
00:26:06,399 --> 00:26:11,559
gain the necessary support to achieve
641
00:26:08,559 --> 00:26:12,919
your goals in that space it's okay for
642
00:26:11,559 --> 00:26:14,960
the CISOs out there who are getting
643
00:26:12,919 --> 00:26:17,440
started with this should they sort of
644
00:26:14,960 --> 00:26:19,120
try to cover as much of it get their
645
00:26:17,440 --> 00:26:20,760
hands around as much of of the the
646
00:26:19,120 --> 00:26:22,919
framework different sections in it or
647
00:26:20,760 --> 00:26:25,320
should they just choose and sort of
648
00:26:22,919 --> 00:26:29,120
maybe dive deeper what's the
649
00:26:25,320 --> 00:26:30,320
advice my take is start with like in the
650
00:26:29,120 --> 00:26:33,760
Govern function there's an
651
00:26:30,320 --> 00:26:36,080
organizational context and um that would
652
00:26:33,760 --> 00:26:39,600
really be a very good place to sort
653
00:26:36,080 --> 00:26:41,880
because it puts it in the context well
654
00:26:39,600 --> 00:26:44,080
technically I mean of the organization
655
00:26:41,880 --> 00:26:46,200
and this would become a starting point
656
00:26:44,080 --> 00:26:48,720
for conversations for instance with the C-suite
657
00:26:46,200 --> 00:26:51,240
and then they can then link it
658
00:26:48,720 --> 00:26:54,240
with what are the business outcomes that
659
00:26:51,240 --> 00:26:57,840
cyber security should be protecting
660
00:26:54,240 --> 00:27:01,159
should be enabling for instance and if
661
00:26:57,840 --> 00:27:03,600
that is in place then everything else
662
00:27:01,159 --> 00:27:07,039
how to build a cyber security program
663
00:27:03,600 --> 00:27:08,720
could then Cascade from there so if
664
00:27:07,039 --> 00:27:12,000
there's any recommendation on where to
665
00:27:08,720 --> 00:27:14,240
start it would be to get that into place
666
00:27:12,000 --> 00:27:15,559
and have that agreed together with
667
00:27:14,240 --> 00:27:17,480
Executives in the
668
00:27:15,559 --> 00:27:20,080
organization I would go a different
669
00:27:17,480 --> 00:27:22,640
direction go for it go for it go for it
670
00:27:20,080 --> 00:27:24,600
it's a strategic document right so if
671
00:27:22,640 --> 00:27:26,520
you're the CISO security director and
672
00:27:24,600 --> 00:27:29,320
you're contemplating this I would
673
00:27:26,520 --> 00:27:31,919
recommend and I know it's not fun but
674
00:27:29,320 --> 00:27:34,000
sit down and read the entire document
675
00:27:31,919 --> 00:27:36,840
understand how these different areas
676
00:27:34,000 --> 00:27:39,559
work together because they do interlock
677
00:27:36,840 --> 00:27:41,320
they do cover each other so you need to
678
00:27:39,559 --> 00:27:43,200
kind of understand to see the value of
679
00:27:41,320 --> 00:27:47,600
it you need to understand that strategic
680
00:27:43,200 --> 00:27:48,799
picture and as you go through this um
681
00:27:47,600 --> 00:27:51,200
you're going to start making some kind
682
00:27:48,799 --> 00:27:53,159
of critical decisions of where are we
683
00:27:51,200 --> 00:27:55,480
strong where are we weak where should we
684
00:27:53,159 --> 00:27:58,240
invest where shouldn't we should we tie
685
00:27:55,480 --> 00:28:01,640
this to a more prescriptive uh set of
686
00:27:58,240 --> 00:28:03,279
questions you know like a NIST 800-53 or
687
00:28:01,640 --> 00:28:06,760
something of that sort you're going to
688
00:28:03,279 --> 00:28:10,200
start to understand with your knowledge
689
00:28:06,760 --> 00:28:13,200
of your company and your risks where you
690
00:28:10,200 --> 00:28:15,440
can start seeing benefits and then how
691
00:28:13,200 --> 00:28:17,279
and and even if this is the right
692
00:28:15,440 --> 00:28:18,519
framework for you so I don't think
693
00:28:17,279 --> 00:28:21,240
you're going to see that just by looking
694
00:28:18,519 --> 00:28:24,120
at one section or just focusing see the
695
00:28:21,240 --> 00:28:27,840
big picture first and then go
696
00:28:24,120 --> 00:28:29,559
forward Okay so we've talked about how
697
00:28:27,840 --> 00:28:32,880
this is an internal tool it's the mirror
698
00:28:29,559 --> 00:28:36,159
you use to to look at yourself uh Focus
699
00:28:32,880 --> 00:28:38,240
inwards so should we at some point sort
700
00:28:36,159 --> 00:28:40,360
of try to map this information with that
701
00:28:38,240 --> 00:28:42,519
external view threat intelligence things
702
00:28:40,360 --> 00:28:44,799
like that or is that just a separate
703
00:28:42,519 --> 00:28:47,720
exercise
704
00:28:44,799 --> 00:28:51,440
entirely well if we map I mean there are
705
00:28:47,720 --> 00:28:53,880
parts that can be mappable and um
706
00:28:51,440 --> 00:28:56,799
especially for areas like protect detect
707
00:28:53,880 --> 00:29:00,080
respond that can even be easily mappable
708
00:28:56,799 --> 00:29:03,200
because they are sort of like less wide
709
00:29:00,080 --> 00:29:05,440
in scope but there are also areas that
710
00:29:03,200 --> 00:29:07,440
they are more nuanced when it comes to
711
00:29:05,440 --> 00:29:09,919
like how you interpret them and they
712
00:29:07,440 --> 00:29:13,000
they need to be always interpreted in
713
00:29:09,919 --> 00:29:15,279
the context of where you're coming from
714
00:29:13,000 --> 00:29:19,399
so I wouldn't say that they are fully
715
00:29:15,279 --> 00:29:21,039
mappable okay yeah proceed with care
716
00:29:19,399 --> 00:29:22,720
because as soon as you start doing that
717
00:29:21,039 --> 00:29:25,480
well now people are going to want to
718
00:29:22,720 --> 00:29:27,080
compare you to other companies and and
719
00:29:25,480 --> 00:29:30,279
things of that sort so if you're going
720
00:29:27,080 --> 00:29:31,799
to make sure you've got a reason why and
721
00:29:30,279 --> 00:29:35,559
understand that there are limitations
722
00:29:31,799 --> 00:29:38,679
there so proceed carefully you may
723
00:29:35,559 --> 00:29:41,000
create your own problems uh especially
724
00:29:38,679 --> 00:29:43,559
if that 12% of the board goes oh so
725
00:29:41,000 --> 00:29:44,720
you've mapped it to let's compare who
726
00:29:43,559 --> 00:29:47,000
wait a second that's not what it's
727
00:29:44,720 --> 00:29:48,880
intended for right so be very clear you
728
00:29:47,000 --> 00:29:50,240
add the implementation tier numbering on
729
00:29:48,880 --> 00:29:52,600
top of that and then you really have
730
00:29:50,240 --> 00:29:55,320
problems oh yeah it compounds it yeah
731
00:29:52,600 --> 00:29:57,120
Okay so we've talked about board members
732
00:29:55,320 --> 00:29:59,120
uh stakeholders like that but what about
733
00:29:57,120 --> 00:30:01,559
the The Wider organization business in
734
00:29:59,120 --> 00:30:03,360
general sure board members as well do we
735
00:30:01,559 --> 00:30:05,880
think that a framework like this will
736
00:30:03,360 --> 00:30:09,080
help a better understanding and and sort
737
00:30:05,880 --> 00:30:11,159
of a better grasp on the cyber security
738
00:30:09,080 --> 00:30:13,840
risks I would say that when it
739
00:30:11,159 --> 00:30:16,720
especially when it comes to um technical
740
00:30:13,840 --> 00:30:20,600
teams or technical leaders I mean this
741
00:30:16,720 --> 00:30:22,480
is a very good framework that is almost
742
00:30:20,600 --> 00:30:24,360
prescriptive because I mean they would
743
00:30:22,480 --> 00:30:26,399
see this as like okay we have this we
744
00:30:24,360 --> 00:30:28,279
have this we don't have this do we need
745
00:30:26,399 --> 00:30:31,000
this so that that becomes like kind of
746
00:30:28,279 --> 00:30:33,440
like a very easy conversation and there
747
00:30:31,000 --> 00:30:35,480
are also areas there um for instance
748
00:30:33,440 --> 00:30:37,559
related to human resources that
749
00:30:35,480 --> 00:30:40,240
are sort of like very specific and
750
00:30:37,559 --> 00:30:43,519
showing a specific area in the
751
00:30:40,240 --> 00:30:46,399
organization so it definitely helps for
752
00:30:43,519 --> 00:30:48,640
conversation but then when you start
753
00:30:46,399 --> 00:30:51,000
dissecting and Diving deeper into the
754
00:30:48,640 --> 00:30:53,760
individual subcategories it could
755
00:30:51,000 --> 00:30:56,519
potentially be confusing as well so it's
756
00:30:53,760 --> 00:30:57,880
good to be careful depending on who is
757
00:30:56,519 --> 00:30:59,639
the audience
758
00:30:57,880 --> 00:31:02,200
that you're having conversations with on
759
00:30:59,639 --> 00:31:03,799
this one yeah I would say it's a good
760
00:31:02,200 --> 00:31:08,399
conversation
761
00:31:03,799 --> 00:31:11,600
starter um but every company is going to
762
00:31:08,399 --> 00:31:13,720
interpret it differently so under the
763
00:31:11,600 --> 00:31:15,360
data security area right it's going to
764
00:31:13,720 --> 00:31:17,760
say something to the effect of one of
765
00:31:15,360 --> 00:31:19,559
the areas sub areas it'll say um you
766
00:31:17,760 --> 00:31:22,840
know make sure you've got a risk
767
00:31:19,559 --> 00:31:26,399
assessment for your sensitive
768
00:31:22,840 --> 00:31:28,639
data okay and one company may go yes
769
00:31:26,399 --> 00:31:30,039
we've got a risk assessment process right
770
00:31:28,639 --> 00:31:32,960
yeah in fact you may have two companies
771
00:31:30,039 --> 00:31:35,519
let's say that both say yes we've got a
772
00:31:32,960 --> 00:31:38,480
risk assessment process and the first
773
00:31:35,519 --> 00:31:40,200
company might have a professional
774
00:31:38,480 --> 00:31:42,360
analyst that's looking at this and all
775
00:31:40,200 --> 00:31:45,799
these factors and doing qual to quant
776
00:31:42,360 --> 00:31:47,960
and graphs and and awesome super
777
00:31:45,799 --> 00:31:50,000
detailed and they've checked yes we do
778
00:31:47,960 --> 00:31:51,880
it well the other company Check Yes too
779
00:31:50,000 --> 00:31:54,120
what well we have a process we flip a
780
00:31:51,880 --> 00:31:58,000
coin it's a
781
00:31:54,120 --> 00:32:00,080
process well well those aren't equal so
782
00:31:58,000 --> 00:32:02,880
yes it's a conversation starter you both
783
00:32:00,080 --> 00:32:05,399
have a process now tell me what that is
784
00:32:02,880 --> 00:32:09,039
so I I guess the question then becomes
785
00:32:05,399 --> 00:32:10,960
does this framework lead us um does it
786
00:32:09,039 --> 00:32:13,320
align us closer to the industry best
787
00:32:10,960 --> 00:32:16,200
practices does it give us clearer sort
788
00:32:13,320 --> 00:32:16,200
of cyber security
789
00:32:16,600 --> 00:32:22,760
baselines I would say it helps us
790
00:32:20,480 --> 00:32:25,440
avoid some common
791
00:32:22,760 --> 00:32:27,840
mistakes right it doesn't guarantee your
792
00:32:25,440 --> 00:32:30,279
security right you can interpret this
793
00:32:27,840 --> 00:32:32,080
the way you want uh it doesn't mean
794
00:32:30,279 --> 00:32:33,440
you're going to be Best in Class it's
795
00:32:32,080 --> 00:32:37,559
not something that you would use to
796
00:32:33,440 --> 00:32:40,720
compare to another company per se but it
797
00:32:37,559 --> 00:32:42,880
helps you give more or receive more
798
00:32:40,720 --> 00:32:44,480
internal Insight on where you're at and
799
00:32:42,880 --> 00:32:46,320
how you're progressing over time because
800
00:32:44,480 --> 00:32:49,440
you're going to Define your goals using
801
00:32:46,320 --> 00:32:51,519
this tool and you'll be able to see your
802
00:32:49,440 --> 00:32:53,200
progress and that doesn't mean it's the
803
00:32:51,519 --> 00:32:55,200
same progress some other company's doing
804
00:32:53,200 --> 00:32:57,279
or the end goal may may be completely
805
00:32:55,200 --> 00:33:01,320
different but that's okay this is that
806
00:32:57,279 --> 00:33:03,159
internal view that you can use to manage
807
00:33:01,320 --> 00:33:04,679
yourself in the right direction so
808
00:33:03,159 --> 00:33:06,159
you've got your vectors you've got your
809
00:33:04,679 --> 00:33:08,480
goals and and you're going to try and
810
00:33:06,159 --> 00:33:12,000
get there building on top of what
811
00:33:08,480 --> 00:33:15,519
Matthew said as long as this tool is
812
00:33:12,000 --> 00:33:19,320
used not as a source of metrics on
813
00:33:15,519 --> 00:33:21,320
itself but a guidance that okay these
814
00:33:19,320 --> 00:33:24,120
are the areas that you need to take a
815
00:33:21,320 --> 00:33:26,480
look at but then the devil is still in
816
00:33:24,120 --> 00:33:28,200
the implementation details that okay how
817
00:33:26,480 --> 00:33:30,480
do you implement it I mean as Matthew
818
00:33:28,200 --> 00:33:33,480
mentioned if you flipped a coin in your
819
00:33:30,480 --> 00:33:36,000
implementation that is not something
820
00:33:33,480 --> 00:33:37,600
that you can really properly measure how
821
00:33:36,000 --> 00:33:40,559
how well you have improved your security
822
00:33:37,600 --> 00:33:43,120
posture for instance in that area but if
823
00:33:40,559 --> 00:33:45,679
you use this as a source of initial
824
00:33:43,120 --> 00:33:46,559
information and then honestly look at
825
00:33:45,679 --> 00:33:48,840
your
826
00:33:46,559 --> 00:33:50,559
organization later on in the context of
827
00:33:48,840 --> 00:33:52,279
okay how do I improve continuously the
828
00:33:50,559 --> 00:33:54,880
security posture in this area then yeah
829
00:33:52,279 --> 00:33:57,480
it can be very helpful
830
00:33:54,880 --> 00:34:00,279
okay is it intended to be or should it
831
00:33:57,480 --> 00:34:02,480
be used as an inventory of sort of uh
832
00:34:00,279 --> 00:34:04,320
what you've invested in and and sort of
833
00:34:02,480 --> 00:34:09,760
where there Still Remains work to be
834
00:34:04,320 --> 00:34:11,960
done well um it can definitely show the
835
00:34:09,760 --> 00:34:15,399
areas where you have invested something
836
00:34:11,960 --> 00:34:16,800
in yeah but it doesn't show areas that
837
00:34:15,399 --> 00:34:19,720
could potentially have bigger
838
00:34:16,800 --> 00:34:21,480
Investments versus others right because
839
00:34:19,720 --> 00:34:23,800
it could also be that for one
840
00:34:21,480 --> 00:34:26,000
subcategory you have multiple things
841
00:34:23,800 --> 00:34:28,440
underneath that contribute to that so
842
00:34:26,000 --> 00:34:30,440
for instance um like one subcategory in
843
00:34:28,440 --> 00:34:32,440
governance could mean that you have
844
00:34:30,440 --> 00:34:35,919
touch points across the different areas
845
00:34:32,440 --> 00:34:37,879
of the organization which is very Broad
846
00:34:35,919 --> 00:34:41,000
and it could take a while to implement
847
00:34:37,879 --> 00:34:43,520
and it could be continuously costly to
848
00:34:41,000 --> 00:34:46,520
govern but you have something for
849
00:34:43,520 --> 00:34:49,000
example in the recover area which is
850
00:34:46,520 --> 00:34:52,079
just like you tick a box and that's
851
00:34:49,000 --> 00:34:53,879
pretty much done so it doesn't show the
852
00:34:52,079 --> 00:34:56,399
nuances of like this one has bigger
853
00:34:53,879 --> 00:34:58,040
investment versus the others but it will
854
00:34:56,399 --> 00:35:00,440
show a areas that for example you
855
00:34:58,040 --> 00:35:01,880
haven't really spent anything on this
856
00:35:00,440 --> 00:35:04,960
area versus
857
00:35:01,880 --> 00:35:07,680
another yeah it doesn't necessarily
858
00:35:04,960 --> 00:35:09,520
translate to the
859
00:35:07,680 --> 00:35:11,920
meaningfulness of the controls that
860
00:35:09,520 --> 00:35:13,960
you're putting in place it's more of
861
00:35:11,920 --> 00:35:16,640
these are the areas I want to work on
862
00:35:13,960 --> 00:35:18,200
and I'm going to track that it's you
863
00:35:16,640 --> 00:35:20,280
know and I know we're going to get to to
864
00:35:18,200 --> 00:35:23,200
potentially some of the weaknesses but
865
00:35:20,280 --> 00:35:26,880
it doesn't necessarily guarantee that
866
00:35:23,200 --> 00:35:29,240
you're going to uh be optimally
867
00:35:26,880 --> 00:35:31,040
efficient in your resource allocation to
868
00:35:29,240 --> 00:35:32,720
reduce the overall risk there's no
869
00:35:31,040 --> 00:35:34,280
guarantee there right that comes back to
870
00:35:32,720 --> 00:35:36,960
your original decision of what you want
871
00:35:34,280 --> 00:35:38,520
to invest in this is going to help you
872
00:35:36,960 --> 00:35:40,760
make sure you've got the the broader
873
00:35:38,520 --> 00:35:42,560
picture and go okay I see where I could
874
00:35:40,760 --> 00:35:44,520
invest now I'm going to make a decision
875
00:35:42,560 --> 00:35:47,240
where to invest and I can I can track
876
00:35:44,520 --> 00:35:49,280
that I got to take you up on your offer
877
00:35:47,240 --> 00:35:51,200
of of weaknesses I was sort of trying to
878
00:35:49,280 --> 00:35:53,160
cover those in the beginning and then
879
00:35:51,200 --> 00:35:55,000
move on to the positives but was there
880
00:35:53,160 --> 00:35:56,920
something you felt that was left unsaid
881
00:35:55,000 --> 00:35:59,480
something a major weakness that you
882
00:35:56,920 --> 00:36:01,440
still want to cover yeah but let's let's
883
00:35:59,480 --> 00:36:03,280
get it from Christine first cuz mine is
884
00:36:01,440 --> 00:36:07,839
it's a pet peeve and I'm going to rant
885
00:36:03,280 --> 00:36:10,079
on it wow okay well okay um concerns
886
00:36:07,839 --> 00:36:13,520
maybe one concern because I I am a big
887
00:36:10,079 --> 00:36:15,400
fan of secure by Design and in saying
888
00:36:13,520 --> 00:36:17,359
that it's not just about building
889
00:36:15,400 --> 00:36:19,800
technologies but the organization in
890
00:36:17,359 --> 00:36:21,359
general that as a cyber security
891
00:36:19,800 --> 00:36:23,640
function we are not really
892
00:36:21,359 --> 00:36:27,640
sustainable and we do not scale if we
893
00:36:23,640 --> 00:36:30,240
are only an overlay for the organization
894
00:36:27,640 --> 00:36:32,400
and there is a tendency to take a look
895
00:36:30,240 --> 00:36:34,480
at the framework carry it as a cyber
896
00:36:32,400 --> 00:36:35,440
security function and then implement it
897
00:36:34,480 --> 00:36:38,200
for the
898
00:36:35,440 --> 00:36:41,680
organization and then just govern it
899
00:36:38,200 --> 00:36:43,880
from the CISO office for instance uh
900
00:36:41,680 --> 00:36:46,480
there is one area here I mentioned Human
901
00:36:43,880 --> 00:36:48,839
Resources earlier and um this is one
902
00:36:46,480 --> 00:36:51,359
area where it touches other functions in
903
00:36:48,839 --> 00:36:53,240
the organization but to be honest I
904
00:36:51,359 --> 00:36:56,240
would have loved to see a little bit
905
00:36:53,240 --> 00:36:58,400
more of this that the other areas of the
906
00:36:56,240 --> 00:37:02,400
organization what does cyber
907
00:36:58,400 --> 00:37:03,920
security mean for them um can we embed
908
00:37:02,400 --> 00:37:06,480
that because for instance I mean there's
909
00:37:03,920 --> 00:37:08,240
finance and of course there's a lot of
910
00:37:06,480 --> 00:37:10,520
cyber security related threats when it
911
00:37:08,240 --> 00:37:12,880
comes to finance maybe it should be
912
00:37:10,520 --> 00:37:16,040
there as well um maybe sales should be
913
00:37:12,880 --> 00:37:19,079
there as well etc so I think that's one
914
00:37:16,040 --> 00:37:21,760
area that for future versions I would
915
00:37:19,079 --> 00:37:24,440
wish could be a little bit more visible
916
00:37:21,760 --> 00:37:27,200
okay Matthew you have your rant lined up
917
00:37:24,440 --> 00:37:28,760
see she's very diplomatic about this
918
00:37:27,200 --> 00:37:31,920
I'm less
919
00:37:28,760 --> 00:37:34,400
diplomatic um
920
00:37:31,920 --> 00:37:36,800
and so I did get feedback on the
921
00:37:34,400 --> 00:37:38,920
original you know the the original 1.0
922
00:37:36,800 --> 00:37:42,720
CSF and I've given feedback on 1.1
923
00:37:38,920 --> 00:37:45,800
and 2.0 the biggest area where I
924
00:37:42,720 --> 00:37:48,200
see there is a blind spot
925
00:37:45,800 --> 00:37:51,400
is well it goes back to this is a
926
00:37:48,200 --> 00:37:54,240
reflection of your internal security and
927
00:37:51,400 --> 00:37:57,400
yet so much of what we deal with so much
928
00:37:54,240 --> 00:37:58,920
of our industry is driven by
929
00:37:57,400 --> 00:38:01,720
the intelligent adversaries that we have
930
00:37:58,920 --> 00:38:05,599
to deal with there is very little in
931
00:38:01,720 --> 00:38:07,400
this framework that talks about that
932
00:38:05,599 --> 00:38:12,200
that focuses on
933
00:38:07,400 --> 00:38:15,000
that so by Design it's simply looking
934
00:38:12,200 --> 00:38:16,960
inwards at your internal controls at
935
00:38:15,000 --> 00:38:19,280
what security programs you have and
936
00:38:16,960 --> 00:38:21,160
things of that sort and to me that's
937
00:38:19,280 --> 00:38:23,880
only half of the picture that we
938
00:38:21,160 --> 00:38:25,760
actually have to deal with right and you
939
00:38:23,880 --> 00:38:28,240
know the example and we've talked
940
00:38:25,760 --> 00:38:31,319
about this before right if you um are
941
00:38:28,240 --> 00:38:33,520
managing a football team right you can
942
00:38:31,319 --> 00:38:35,240
look at your players and you can see
943
00:38:33,520 --> 00:38:36,839
well you know who's good players and
944
00:38:35,240 --> 00:38:39,160
what are good plays and where are
945
00:38:36,839 --> 00:38:41,319
strengths where are weaknesses and you
946
00:38:39,160 --> 00:38:42,560
may even for that championship game look
947
00:38:41,319 --> 00:38:45,000
at well what's the condition of the
948
00:38:42,560 --> 00:38:46,680
field is it muddy is it wet is it cold
949
00:38:45,000 --> 00:38:48,800
but if that's all you're looking at
950
00:38:46,680 --> 00:38:51,680
you're probably missing out at one of
951
00:38:48,800 --> 00:38:54,440
the most important factors who are you
952
00:38:51,680 --> 00:38:57,480
playing against what are their strengths
953
00:38:54,440 --> 00:39:01,119
what are their go-to plays and so if
954
00:38:57,480 --> 00:39:03,640
we're going to create a cyber security
955
00:39:01,119 --> 00:39:07,480
framework it really should have a
956
00:39:03,640 --> 00:39:09,160
significant amount of focus on
957
00:39:07,480 --> 00:39:11,960
understanding and guiding security
958
00:39:09,160 --> 00:39:13,720
leadership to understand that adversary
959
00:39:11,960 --> 00:39:15,720
and having one or two lines in there
960
00:39:13,720 --> 00:39:17,560
that says yeah do a risk assessment on
961
00:39:15,720 --> 00:39:20,640
your threats there's some that's it
962
00:39:17,560 --> 00:39:25,319
cyber threat intelligence that's all no
963
00:39:20,640 --> 00:39:27,280
out of all of this you know so I don't
964
00:39:25,319 --> 00:39:29,000
think that
965
00:39:27,280 --> 00:39:32,800
I I think it's missing and I'm hoping
966
00:39:29,000 --> 00:39:36,040
when we get to 2.1 or 3.0 there's more
967
00:39:32,800 --> 00:39:38,520
emphasis in there I think right now it's
968
00:39:36,040 --> 00:39:42,560
it currently resonates and
969
00:39:38,520 --> 00:39:44,800
caters to those technology oriented type
970
00:39:42,560 --> 00:39:47,319
of CISOs that are really focused on
971
00:39:44,800 --> 00:39:49,960
internal controls and that means the
972
00:39:47,319 --> 00:39:52,880
discussion that they have is about
973
00:39:49,960 --> 00:39:55,400
internal controls and not necessarily
974
00:39:52,880 --> 00:39:57,800
about the actual picture we need to deal
975
00:39:55,400 --> 00:40:00,760
with I want to challenge you a little
976
00:39:57,800 --> 00:40:02,480
bit on that because um you know for the
977
00:40:00,760 --> 00:40:06,119
majority of the companies out there
978
00:40:02,480 --> 00:40:08,000
their sort of main threat is the badness
979
00:40:06,119 --> 00:40:09,800
out there like any kind of badness they
980
00:40:08,000 --> 00:40:13,920
don't want any of it and they don't have
981
00:40:09,800 --> 00:40:15,400
a very detailed attacker sort of profile
982
00:40:13,920 --> 00:40:17,680
that you know they're not worried about
983
00:40:15,400 --> 00:40:19,599
the state-sponsored actors stuff
984
00:40:17,680 --> 00:40:21,839
like that they just you know the
985
00:40:19,599 --> 00:40:23,359
ransomware business email compromise
986
00:40:21,839 --> 00:40:26,400
these basic things that are hitting them
987
00:40:23,359 --> 00:40:28,800
so you know um since they're going to be
988
00:40:26,400 --> 00:40:31,480
more or less the same for everyone and
989
00:40:28,800 --> 00:40:33,440
and for the ones that they're not the
990
00:40:31,480 --> 00:40:35,040
same these guys probably you know
991
00:40:33,440 --> 00:40:37,720
know who they are and know what their
992
00:40:35,040 --> 00:40:40,079
threat model looks like you know what's
993
00:40:37,720 --> 00:40:44,240
the benefit of why don't we just put
994
00:40:40,079 --> 00:40:45,720
boilerplate in it so if you don't narrow
995
00:40:44,240 --> 00:40:47,240
down who your attackers are and again
996
00:40:45,720 --> 00:40:48,400
this was created for critical
997
00:40:47,240 --> 00:40:50,319
infrastructure which means you have to
998
00:40:48,400 --> 00:40:52,359
worry about nation states but you also
999
00:40:50,319 --> 00:40:55,119
have to worry about data miners and
1000
00:40:52,359 --> 00:40:58,319
cyber criminals and internal threats
1001
00:40:55,119 --> 00:40:58,319
disgruntled employees
1002
00:41:03,319 --> 00:41:10,160
may I can start narrowing it down if I
1003
00:41:06,359 --> 00:41:12,960
don't narrow that down what it means is
1004
00:41:10,160 --> 00:41:14,640
I will have the emotional feel that I
1005
00:41:12,960 --> 00:41:16,920
have to protect against everything
1006
00:41:14,640 --> 00:41:18,319
everything yeah okay what Frederick the
1007
00:41:16,920 --> 00:41:19,760
Great right you try and protect
1008
00:41:18,319 --> 00:41:23,240
everything essentially you protect
1009
00:41:19,760 --> 00:41:25,560
nothing right and so if you can't narrow
1010
00:41:23,240 --> 00:41:28,040
that down you're going to try and spread
1011
00:41:25,560 --> 00:41:32,280
out your resources too thin you will
1012
00:41:28,040 --> 00:41:34,960
never be successful you have to align
1013
00:41:32,280 --> 00:41:37,480
your efforts and resources where the
1014
00:41:34,960 --> 00:41:39,760
most important threats are the most
1015
00:41:37,480 --> 00:41:41,560
likely attacks are that's where you want
1016
00:41:39,760 --> 00:41:44,960
to weight your
1017
00:41:41,560 --> 00:41:46,880
defenses right this isn't an IT problem
1018
00:41:44,960 --> 00:41:49,040
where I need everything up and running
1019
00:41:46,880 --> 00:41:51,319
the same and and everything is going to
1020
00:41:49,040 --> 00:41:53,680
be equal this is more of a warfare
1021
00:41:51,319 --> 00:41:55,160
combat problem where you need to weight
1022
00:41:53,680 --> 00:41:57,160
against your front line know where the
1023
00:41:55,160 --> 00:42:00,319
enemy's coming in know yourself know
1024
00:41:57,160 --> 00:42:01,640
your enemy right Sun Tzu but if you're only
1025
00:42:00,319 --> 00:42:04,200
knowing
1026
00:42:01,640 --> 00:42:06,119
yourself you're not going to win that's
1027
00:42:04,200 --> 00:42:09,440
why Sun Tzu said know yourself and know
1028
00:42:06,119 --> 00:42:12,000
your enemy yeah and right now the
1029
00:42:09,440 --> 00:42:15,240
framework it doesn't focus on knowing
1030
00:42:12,000 --> 00:42:17,839
your enemy yeah and this is also why
1031
00:42:15,240 --> 00:42:20,599
security is not really necessarily equal
1032
00:42:17,839 --> 00:42:22,880
to cyber compliance because like with
1033
00:42:20,599 --> 00:42:25,480
compliance you can check all of these
1034
00:42:22,880 --> 00:42:28,000
marks but since you have spread yourself
1035
00:42:25,480 --> 00:42:29,680
so thin yeah there are areas that the
1036
00:42:28,000 --> 00:42:31,240
attackers could get through and maybe
1037
00:42:29,680 --> 00:42:32,559
those are really the only areas that
1038
00:42:31,240 --> 00:42:34,839
they're interested at in your
1039
00:42:32,559 --> 00:42:38,160
organization yeah but nonetheless you
1040
00:42:34,839 --> 00:42:40,280
didn't spend enough of your cyber
1041
00:42:38,160 --> 00:42:42,520
security budget in making sure that this
1042
00:42:40,280 --> 00:42:44,079
attack path like this area is actually
1043
00:42:42,520 --> 00:42:46,400
the one that's a little bit more secure
1044
00:42:44,079 --> 00:42:47,960
versus the others that makes sense very
1045
00:42:46,400 --> 00:42:49,880
much so all right I'm going to have
1046
00:42:47,960 --> 00:42:51,920
to move us ahead to the questions
1047
00:42:49,880 --> 00:42:54,960
and answers section so that we have time
1048
00:42:51,920 --> 00:42:57,720
for some audience questions still and uh
1049
00:42:54,960 --> 00:43:00,079
wow there are some good ones um how does
1050
00:42:57,720 --> 00:43:03,480
this fit with the predict prevent detect
1051
00:43:00,079 --> 00:43:05,559
respond model that we already use
1052
00:43:03,480 --> 00:43:08,680
successfully well I would map I
1053
00:43:05,559 --> 00:43:13,359
typically map predict to identify but I
1054
00:43:08,680 --> 00:43:15,720
guess now identify and govern sort of oh
1055
00:43:13,359 --> 00:43:17,720
this is going to be fun but yeah that
1056
00:43:15,720 --> 00:43:20,880
that's how I typically would map it so
1057
00:43:17,720 --> 00:43:23,400
predict to identify and now just govern
1058
00:43:20,880 --> 00:43:26,800
is kind of like the encompassing
1059
00:43:23,400 --> 00:43:27,880
thing behind the initial five functions
1060
00:43:26,800 --> 00:43:29,599
I don't know what's your take on this
1061
00:43:27,880 --> 00:43:31,800
I'm going to go back to my rant and say
1062
00:43:29,599 --> 00:43:34,480
it doesn't really look at that
1063
00:43:31,800 --> 00:43:36,559
prediction right it's not designed to
1064
00:43:34,480 --> 00:43:38,599
put Focus or to drive conversations
1065
00:43:36,559 --> 00:43:40,319
around that prediction of who my enemy
1066
00:43:38,599 --> 00:43:42,240
is what are the most likely methods that
1067
00:43:40,319 --> 00:43:44,440
they're going to use what is the most
1068
00:43:42,240 --> 00:43:46,920
likely attacks and how should I weight
1069
00:43:44,440 --> 00:43:48,960
my defenses towards it so again I think
1070
00:43:46,920 --> 00:43:51,240
it does great on the you know how we're
1071
00:43:48,960 --> 00:43:54,520
going to prevent and detect and and
1072
00:43:51,240 --> 00:43:58,640
respond to it but it's that's a blind
1073
00:43:54,520 --> 00:44:01,160
spot right there and maybe 2.1 3.0 when
1074
00:43:58,640 --> 00:44:05,319
we get there we'll have better
1075
00:44:01,160 --> 00:44:07,079
conversations okay um there are some CISOs
1076
00:44:05,319 --> 00:44:09,000
out there certainly feeling the pain
1077
00:44:07,079 --> 00:44:12,160
because I'm getting very typical CISO
1078
00:44:09,000 --> 00:44:14,280
questions here and uh for example what
1079
00:44:12,160 --> 00:44:16,720
areas of this framework are things that
1080
00:44:14,280 --> 00:44:20,520
I could potentially outsource to managed
1081
00:44:16,720 --> 00:44:23,400
service providers oh I
1082
00:44:20,520 --> 00:44:26,240
mean to be honest I mean my
1083
00:44:23,400 --> 00:44:28,400
take is like the technical areas are
1084
00:44:26,240 --> 00:44:31,000
easier to outsource right I wouldn't
1085
00:44:28,400 --> 00:44:34,640
outsource govern identify and recover
1086
00:44:31,000 --> 00:44:36,720
that's like all on you um but I wouldn't
1087
00:44:34,640 --> 00:44:40,400
completely outsource the other functions
1088
00:44:36,720 --> 00:44:42,599
as well like remember if you need to be
1089
00:44:40,400 --> 00:44:45,000
in control of your cyber security
1090
00:44:42,599 --> 00:44:47,800
destiny in your organization and
1091
00:44:45,000 --> 00:44:49,440
therefore you can outsource some but you
1092
00:44:47,800 --> 00:44:51,280
need to have touch points like you need
1093
00:44:49,440 --> 00:44:54,319
to have conversations with your managed
1094
00:44:51,280 --> 00:44:56,440
security service provider how do I look
1095
00:44:54,319 --> 00:44:58,680
like now versus before but obviously
1096
00:44:56,440 --> 00:45:01,240
there are some there that can be quite
1097
00:44:58,680 --> 00:45:02,319
prescriptive for them to deliver for you
1098
00:45:01,240 --> 00:45:06,000
yeah what about you Matthew would you
1099
00:45:02,319 --> 00:45:08,520
run this as an external project um okay
1100
00:45:06,000 --> 00:45:10,040
so from and again I'm just going
1101
00:45:08,520 --> 00:45:12,760
to build on what Christine said if it's
1102
00:45:10,040 --> 00:45:16,480
a leadership decision on what you should
1103
00:45:12,760 --> 00:45:17,920
work on um you know your goals your
1104
00:45:16,480 --> 00:45:20,319
cyber security goals which you
1105
00:45:17,920 --> 00:45:22,319
absolutely have to have right that
1106
00:45:20,319 --> 00:45:23,839
should stay in house that's something
1107
00:45:22,319 --> 00:45:25,079
that some third party vendor they don't
1108
00:45:23,839 --> 00:45:27,960
know your company they don't know your
1109
00:45:25,079 --> 00:45:29,839
market they don't know how you know
1110
00:45:27,960 --> 00:45:31,960
you're shifting and bending and your
1111
00:45:29,839 --> 00:45:35,000
business goals there so that needs to
1112
00:45:31,960 --> 00:45:38,520
stay in house if there are certain
1113
00:45:35,000 --> 00:45:41,040
projects yes if there's certain
1114
00:45:38,520 --> 00:45:42,359
Specialties that you don't have in house
1115
00:45:41,040 --> 00:45:44,280
so you know we talked about the risk
1116
00:45:42,359 --> 00:45:47,000
assessment anybody can put together or
1117
00:45:44,280 --> 00:45:48,480
implement a flip-a-coin risk assessment
1118
00:45:47,000 --> 00:45:50,440
uh if you want something more than that
1119
00:45:48,480 --> 00:45:52,559
if you want something top-notch you're
1120
00:45:50,440 --> 00:45:55,040
probably going to have to go out to a
1121
00:45:52,559 --> 00:45:56,400
third-party vendor that knows really
1122
00:45:55,040 --> 00:45:58,440
what that is
1123
00:45:56,400 --> 00:46:01,280
you may not have cloud security
1124
00:45:58,440 --> 00:46:02,160
architects based on what you really need
1125
00:46:01,280 --> 00:46:04,520
you're probably going to have to
1126
00:46:02,160 --> 00:46:06,559
outsource that technical right it's
1127
00:46:04,520 --> 00:46:09,400
technical um and that's that's a great
1128
00:46:06,559 --> 00:46:12,559
outsourcing thing uh and you know
1129
00:46:09,400 --> 00:46:14,839
operations if you don't have an internal
1130
00:46:12,559 --> 00:46:16,880
SOC then you probably should be
1131
00:46:14,839 --> 00:46:18,359
outsourcing that to be able to filter
1132
00:46:16,880 --> 00:46:20,720
through all those so that you get good
1133
00:46:18,359 --> 00:46:23,359
alerting and then you can respond and
1134
00:46:20,720 --> 00:46:25,319
and recover to situations so there
1135
00:46:23,359 --> 00:46:27,240
are opportunities but when it comes to
1136
00:46:25,319 --> 00:46:29,559
the strategic leadership and decision
1137
00:46:27,240 --> 00:46:31,440
space I think it has to stay in house
1138
00:46:29,559 --> 00:46:34,559
yeah you can't outsource your problems
1139
00:46:31,440 --> 00:46:36,040
no you can't right okay so what about
1140
00:46:34,559 --> 00:46:37,760
some of the signals if there's a
1141
00:46:36,040 --> 00:46:40,720
company out there who's already using
1142
00:46:37,760 --> 00:46:42,960
the version 1.1 um what are some of the
1143
00:46:40,720 --> 00:46:44,640
signals that it's time for them now to
1144
00:46:42,960 --> 00:46:47,480
move to
1145
00:46:44,640 --> 00:46:49,559
2.0 are there signals that it's time for
1146
00:46:47,480 --> 00:46:53,319
you to move to
1147
00:46:49,559 --> 00:46:55,559
2.0 well I mean if for example the
1148
00:46:53,319 --> 00:46:58,440
organization really wants to improve
1149
00:46:55,559 --> 00:47:01,760
their governance and they're struggling
1150
00:46:58,440 --> 00:47:03,520
for a place to start and to really tell
1151
00:47:01,760 --> 00:47:06,480
themselves afterwards and say that okay
1152
00:47:03,520 --> 00:47:08,480
we have governance in place um this can
1153
00:47:06,480 --> 00:47:11,319
actually be quite helpful because it
1154
00:47:08,480 --> 00:47:13,040
shows you the different areas that you
1155
00:47:11,319 --> 00:47:16,000
need to take a look at and it gives you
1156
00:47:13,040 --> 00:47:19,160
a very good place to start so I think
1157
00:47:16,000 --> 00:47:20,880
from that perspective if 1.1 feels like
1158
00:47:19,160 --> 00:47:22,760
the governance is all over the place and
1159
00:47:20,880 --> 00:47:25,000
it is because it's sprinkled
1160
00:47:22,760 --> 00:47:26,599
all over the different places then this
1161
00:47:25,000 --> 00:47:28,280
could be very helpful like to move
1162
00:47:26,599 --> 00:47:31,119
towards this and make it a bit more
1163
00:47:28,280 --> 00:47:32,440
organized from that perspective yeah I
1164
00:47:31,119 --> 00:47:34,160
would say number one I would agree with
1165
00:47:32,440 --> 00:47:35,880
you number one is is the governance
1166
00:47:34,160 --> 00:47:38,160
space if you're not
1167
00:47:35,880 --> 00:47:40,119
currently uh feel comfortable and you
1168
00:47:38,160 --> 00:47:42,760
you think that that's an area that
1169
00:47:40,119 --> 00:47:45,000
needs more attention again that 12% of
1170
00:47:42,760 --> 00:47:47,440
the board already sees that new ring in
1171
00:47:45,000 --> 00:47:49,640
there and that's a great opportunity to
1172
00:47:47,440 --> 00:47:52,559
say hey we need more investment here we
1173
00:47:49,640 --> 00:47:55,920
need to reallocate our resources or
1174
00:47:52,559 --> 00:47:57,880
we need to make a goal about governance
1175
00:47:55,920 --> 00:48:00,559
uh another good one would be for third
1176
00:47:57,880 --> 00:48:02,599
party right in the original and in
1177
00:48:00,559 --> 00:48:05,400
1.1 you don't talk a whole lot about
1178
00:48:02,599 --> 00:48:08,359
third party risks it's inferred there
1179
00:48:05,400 --> 00:48:10,680
but with 2.0 there's much more emphasis
1180
00:48:08,359 --> 00:48:13,920
on that so again if that's a weak spot
1181
00:48:10,680 --> 00:48:15,640
for you yeah move to the version 2.0
1182
00:48:13,920 --> 00:48:17,880
because it's calling it out it's
1183
00:48:15,640 --> 00:48:19,680
something you can point to and when
1184
00:48:17,880 --> 00:48:21,720
there's discussions at whatever level
1185
00:48:19,680 --> 00:48:24,280
whether it's the board or C-suite or
1186
00:48:21,720 --> 00:48:26,920
functional line managers or whomever you
1187
00:48:24,280 --> 00:48:29,040
can pull out a recognized standard and
1188
00:48:26,920 --> 00:48:31,960
see where it actually says third party
1189
00:48:29,040 --> 00:48:34,680
risk okay great it's not just the
1190
00:48:31,960 --> 00:48:36,880
security person is crazy or paranoid you
1191
00:48:34,680 --> 00:48:39,640
actually have some justification that
1192
00:48:36,880 --> 00:48:41,359
you can point to very easily okay what
1193
00:48:39,640 --> 00:48:44,319
about the other side are there any sort
1194
00:48:41,359 --> 00:48:46,880
of warning signs or uh signals that this
1195
00:48:44,319 --> 00:48:49,280
might not be for you version 2.0 or just
1196
00:48:46,880 --> 00:48:51,200
like the framework in general like it
1197
00:48:49,280 --> 00:48:53,440
might be too heavy for your organization
1198
00:48:51,200 --> 00:48:54,240
or anything like that like how can
1199
00:48:53,440 --> 00:48:57,240
you
1200
00:48:54,240 --> 00:49:00,520
tell I mean for example if version
1201
00:48:57,240 --> 00:49:03,599
1.1 is working for your organization
1202
00:49:00,520 --> 00:49:04,640
just fine and if you believe that you
1203
00:49:03,599 --> 00:49:06,680
already have the right kind of
1204
00:49:04,640 --> 00:49:08,799
governance in place I mean for instance
1205
00:49:06,680 --> 00:49:11,280
many organizations already have ISO
1206
00:49:08,799 --> 00:49:15,200
27001 and then they have implemented
1207
00:49:11,280 --> 00:49:18,559
version 1.1 there is really no urgency
1208
00:49:15,200 --> 00:49:22,079
to say that okay now I need to go into
1209
00:49:18,559 --> 00:49:24,200
2.0 because it has come out so it needs
1210
00:49:22,079 --> 00:49:26,079
to go back into what does your
1211
00:49:24,200 --> 00:49:28,240
organization need I mean what does the
1212
00:49:26,079 --> 00:49:31,359
business need and if you feel like you
1213
00:49:28,240 --> 00:49:33,640
have some gaping holes then yes take a
1214
00:49:31,359 --> 00:49:35,559
look but if you don't then maybe this is
1215
00:49:33,640 --> 00:49:37,640
not yet the time to take a look at it
1216
00:49:35,559 --> 00:49:39,680
because as Matthew mentioned earlier
1217
00:49:37,640 --> 00:49:41,559
this is an investment not just for the
1218
00:49:39,680 --> 00:49:45,240
CISO function but actually for the rest
1219
00:49:41,559 --> 00:49:46,640
of the organization as well yeah I don't
1220
00:49:45,240 --> 00:49:48,720
have anything more to add to that right
1221
00:49:46,640 --> 00:49:49,960
if your current security is good
1222
00:49:48,720 --> 00:49:51,240
you're comfortable it's getting you in
1223
00:49:49,960 --> 00:49:53,720
the right direction you're internally
1224
00:49:51,240 --> 00:49:56,480
managing it already with priorities you
1225
00:49:53,720 --> 00:49:58,920
like why would you expend energy why
1226
00:49:56,480 --> 00:50:02,000
would you take away momentum from that
1227
00:49:58,920 --> 00:50:04,880
to implement something else
1228
00:50:02,000 --> 00:50:07,480
are there any sort of um obligations or
1229
00:50:04,880 --> 00:50:09,520
rules in this that like now that you're
1230
00:50:07,480 --> 00:50:13,520
following this framework you got to have
1231
00:50:09,520 --> 00:50:17,040
24x7 monitoring or anything like that
1232
00:50:13,520 --> 00:50:20,359
no no so it's just more of just like an
1233
00:50:17,040 --> 00:50:22,280
assessment how you're doing okay um
1234
00:50:20,359 --> 00:50:24,280
what's the level of integration between
1235
00:50:22,280 --> 00:50:27,319
the cyber security framework version two
1236
00:50:24,280 --> 00:50:29,520
and socks if any
1237
00:50:27,319 --> 00:50:32,599
I am not familiar actually I'm level of
1238
00:50:29,520 --> 00:50:35,440
SOC 2 SOC 2 yeah SOC 2 type 2
1239
00:50:32,599 --> 00:50:37,559
yeah or even SOC 2 type 1 I mean
1240
00:50:35,440 --> 00:50:40,960
there are different
1241
00:50:37,559 --> 00:50:44,000
areas that map out but I don't I haven't
1242
00:50:40,960 --> 00:50:47,200
really looked at SOC 2 in parallel with
1243
00:50:44,000 --> 00:50:49,200
NIST 2 yet so I don't know if you have
1244
00:50:47,200 --> 00:50:52,240
Matthew so there is a difference it's
1245
00:50:49,200 --> 00:50:54,960
more SOC 2 or ISO certifications
1246
00:50:52,240 --> 00:50:57,319
it's much more prescriptive so there are
1247
00:50:54,960 --> 00:50:59,520
specific areas they're looking at you
1248
00:50:57,319 --> 00:51:02,280
know do you have X policy do you have
1249
00:50:59,520 --> 00:51:03,640
this do you have that uh so when SOC 2
1250
00:51:02,280 --> 00:51:05,880
when they're supposed to come in and and
1251
00:51:03,640 --> 00:51:09,240
do this they will look more at the
1252
00:51:05,880 --> 00:51:12,760
details whereas the NIST CSF is your
1253
00:51:09,240 --> 00:51:14,599
opportunity to decide what you need um
1254
00:51:12,760 --> 00:51:16,480
and you may not need certain things or
1255
00:51:14,599 --> 00:51:18,760
you may need oh I do need this policy
1256
00:51:16,480 --> 00:51:21,040
but I need much more indepth I need to
1257
00:51:18,760 --> 00:51:23,000
be more specific in what procedures
1258
00:51:21,040 --> 00:51:26,160
or guidelines are going to be in there
1259
00:51:23,000 --> 00:51:29,000
so they are used for two different
1260
00:51:26,160 --> 00:51:32,520
things uh and it's important you may do
1261
00:51:29,000 --> 00:51:35,319
both you may do neither but understand
1262
00:51:32,520 --> 00:51:36,960
what the value is of those different um
1263
00:51:35,319 --> 00:51:40,960
you know tools these are different tools
1264
00:51:36,960 --> 00:51:43,440
in the toolbox and one is more for it's
1265
00:51:40,960 --> 00:51:45,480
assurance to a third party right that's
1266
00:51:43,440 --> 00:51:48,240
what SOC 2 is about it's assurance to a
1267
00:51:45,480 --> 00:51:49,640
third party that certain basic controls
1268
00:51:48,240 --> 00:51:54,960
are in
1269
00:51:49,640 --> 00:51:57,079
place okay the NIST CSF is not that it
1270
00:51:54,960 --> 00:51:59,440
just isn't right it's an internal tool
1271
00:51:57,079 --> 00:52:01,119
looking in the mirror saying this is
1272
00:51:59,440 --> 00:52:02,599
what we have this is where we want to go
1273
00:52:01,119 --> 00:52:05,240
and that gives us our direction our
1274
00:52:02,599 --> 00:52:06,839
vectors and potentially some priorities
1275
00:52:05,240 --> 00:52:10,480
as part of the discussions we can now
1276
00:52:06,839 --> 00:52:12,480
have so they're different tools okay um
1277
00:52:10,480 --> 00:52:14,839
I can still tell that there is a lot of
1278
00:52:12,480 --> 00:52:16,720
uh sort of concern among our audience
1279
00:52:14,839 --> 00:52:18,280
about sort of is this something that I
1280
00:52:16,720 --> 00:52:19,680
should look into and something that I
1281
00:52:18,280 --> 00:52:21,599
should Implement in my
1282
00:52:19,680 --> 00:52:23,359
organization uh people are trying to
1283
00:52:21,599 --> 00:52:26,200
approach this from different directions
1284
00:52:23,359 --> 00:52:28,440
there's a question is there um a size of
1285
00:52:26,200 --> 00:52:31,079
an organization that is sort of The
1286
00:52:28,440 --> 00:52:34,040
Sweet Spot or a cut off point for this
1287
00:52:31,079 --> 00:52:35,799
like when do you embrace
1288
00:52:34,040 --> 00:52:38,000
this framework when do you sort of maybe
1289
00:52:35,799 --> 00:52:42,079
stay out of it a little bit I mean to be
1290
00:52:38,000 --> 00:52:44,200
honest it's general enough for anyone to
1291
00:52:42,079 --> 00:52:47,440
take a look any size of organization
1292
00:52:44,200 --> 00:52:51,640
yeah but I mean since this is not
1293
00:52:47,440 --> 00:52:53,799
externally validated by Auditors um then
1294
00:52:51,640 --> 00:52:56,359
it can be interpreted within that
1295
00:52:53,799 --> 00:52:57,960
organization's context as well so I mean
1296
00:52:56,359 --> 00:52:59,760
as Matthew mentioned especially if you
1297
00:52:57,960 --> 00:53:02,720
don't have any framework that you're
1298
00:52:59,760 --> 00:53:04,599
working with I mean why not take a look
1299
00:53:02,720 --> 00:53:06,839
at this because I mean there are things
1300
00:53:04,599 --> 00:53:08,640
that you don't need to reinvent anymore
1301
00:53:06,839 --> 00:53:13,720
there are things there that are already
1302
00:53:08,640 --> 00:53:16,559
laid out for you but if your goal is to
1303
00:53:13,720 --> 00:53:18,319
comply with every single thing it also
1304
00:53:16,559 --> 00:53:21,720
becomes a question of what for because
1305
00:53:18,319 --> 00:53:24,960
we do SOC 2 and we do ISO
1306
00:53:21,720 --> 00:53:25,960
27001 to show these things externally
1307
00:53:24,960 --> 00:53:28,400
and
1308
00:53:25,960 --> 00:53:30,440
this should actually become something
1309
00:53:28,400 --> 00:53:32,400
that is for you to take a look at where
1310
00:53:30,440 --> 00:53:34,520
are the weakest things so that you can
1311
00:53:32,400 --> 00:53:37,440
protect your organization so this is
1312
00:53:34,520 --> 00:53:39,280
really not for compliance sake right so
1313
00:53:37,440 --> 00:53:42,640
this is a tool for you to use and to
1314
00:53:39,280 --> 00:53:45,040
start with and it it needs to be viewed
1315
00:53:42,640 --> 00:53:46,280
differently as opposed to the externally
1316
00:53:45,040 --> 00:53:48,040
visible
1317
00:53:46,280 --> 00:53:50,200
certifications but but that's the thing
1318
00:53:48,040 --> 00:53:53,799
I mean we're talking about a subjective
1319
00:53:50,200 --> 00:53:56,280
internal look but it's also a guideline
1320
00:53:53,799 --> 00:53:59,079
that will become legislated at some point
1321
00:53:56,280 --> 00:54:01,920
how does that work yeah but you got to
1322
00:53:59,079 --> 00:54:04,119
get into the nuances right so if it does
1323
00:54:01,920 --> 00:54:08,520
go into legislation it'll be you should
1324
00:54:04,119 --> 00:54:11,240
be following the NIST principles for it
1325
00:54:08,520 --> 00:54:13,359
won't be real prescriptive right like do
1326
00:54:11,240 --> 00:54:16,599
this or go to jail right but there there
1327
00:54:13,359 --> 00:54:18,720
may be there may be some areas right so
1328
00:54:16,599 --> 00:54:21,040
uh for example uh for a government
1329
00:54:18,720 --> 00:54:23,599
contract they may go okay follow the standard
1330
00:54:21,040 --> 00:54:26,960
and we want the following controls in
1331
00:54:23,599 --> 00:54:28,839
place but overall I would advocate
1332
00:54:26,960 --> 00:54:31,400
that everybody whether you're going to
1333
00:54:28,839 --> 00:54:33,119
adopt it or not should at least read it
1334
00:54:31,400 --> 00:54:35,520
and understand it and for a couple of
1335
00:54:33,119 --> 00:54:37,559
reasons one just in reading it you may
1336
00:54:35,520 --> 00:54:39,960
realize there's an area that you
1337
00:54:37,559 --> 00:54:41,920
had a blind spot in and go wow I didn't
1338
00:54:39,960 --> 00:54:43,720
think about that let me go incorporate
1339
00:54:41,920 --> 00:54:46,079
that maybe not in this framework but let
1340
00:54:43,720 --> 00:54:49,280
me go incorporate into my program the
1341
00:54:46,079 --> 00:54:53,240
other aspect is even if you don't adopt
1342
00:54:49,280 --> 00:54:57,319
it your suppliers your vendors your
1343
00:54:53,240 --> 00:54:58,640
customers your competitors may and
1344
00:54:57,319 --> 00:55:01,480
so when you're
1345
00:54:58,640 --> 00:55:03,640
communicating with or about them you
1346
00:55:01,480 --> 00:55:05,720
need to at least understand that
1347
00:55:03,640 --> 00:55:08,599
framework as you're having those
1348
00:55:05,720 --> 00:55:11,040
conversations so at least read it and
1349
00:55:08,599 --> 00:55:12,240
understand it and I have one prediction
1350
00:55:11,040 --> 00:55:14,200
on this one when you're talking about
1351
00:55:12,240 --> 00:55:16,359
the customers because I have a feeling
1352
00:55:14,200 --> 00:55:18,920
that this is going to become part of the
1353
00:55:16,359 --> 00:55:20,760
client due diligence questionnaires and
1354
00:55:18,920 --> 00:55:23,039
then it's going to this is like a copy
1355
00:55:20,760 --> 00:55:24,640
of these two and then it's going to
1356
00:55:23,039 --> 00:55:26,400
have question marks at the end of like
1357
00:55:24,640 --> 00:55:30,280
different subcategories do you have this do
1358
00:55:26,400 --> 00:55:31,440
you have that and that will come it will
1359
00:55:30,280 --> 00:55:33,839
and you better understand what the
1360
00:55:31,440 --> 00:55:35,039
question is based on the framework and
1361
00:55:33,839 --> 00:55:37,359
then you're going to realize that okay
1362
00:55:35,039 --> 00:55:39,839
all of this is now coming from NIST CSF 2 and
1363
00:55:37,359 --> 00:55:42,720
my customers want it then that becomes
1364
00:55:39,839 --> 00:55:44,960
kind of like a pressure point huh cuz
1365
00:55:42,720 --> 00:55:49,160
you know again we're talking about a
1366
00:55:44,960 --> 00:55:51,640
tool for introspection and I guess
1367
00:55:49,160 --> 00:55:53,559
what I'm wondering is you know the CISOs
1368
00:55:51,640 --> 00:55:56,319
who are implementing this framework are
1369
00:55:53,559 --> 00:55:58,400
going to have different agenda
1370
00:55:56,319 --> 00:56:00,680
now some might go into sort of just take
1371
00:55:58,400 --> 00:56:02,960
a look at where the organization is
1372
00:56:00,680 --> 00:56:05,760
concentrating on some might be going
1373
00:56:02,960 --> 00:56:07,960
into to justify spending some might be
1374
00:56:05,760 --> 00:56:10,280
going in because they feel that at some
1375
00:56:07,960 --> 00:56:12,319
point their clients are requiring that
1376
00:56:10,280 --> 00:56:14,920
is that going to mean a difference in
1377
00:56:12,319 --> 00:56:17,400
sort of how they approach the
1378
00:56:14,920 --> 00:56:20,119
framework it could potentially be
1379
00:56:17,400 --> 00:56:22,880
because I mean like with compliance when
1380
00:56:20,119 --> 00:56:25,480
you go into this framework as a
1381
00:56:22,880 --> 00:56:27,760
confirmation to your potential customers
1382
00:56:25,480 --> 00:56:30,920
or prospects that you have it can
1383
00:56:27,760 --> 00:56:32,599
easily become a tick box as well that
1384
00:56:30,920 --> 00:56:34,160
okay I need to implement this because
1385
00:56:32,599 --> 00:56:35,720
it's for customers I have one
1386
00:56:34,160 --> 00:56:39,079
implementation even though it may be
1387
00:56:35,720 --> 00:56:42,280
flipping a coin so there is a
1388
00:56:39,079 --> 00:56:43,760
tendency to treat it like that right and
1389
00:56:42,280 --> 00:56:45,760
that would not be a very
1390
00:56:43,760 --> 00:56:47,520
good use for the framework yeah I think
1391
00:56:45,760 --> 00:56:50,400
it all comes back to the business goals
1392
00:56:47,520 --> 00:56:51,200
yeah right and once you understand what
1393
00:56:50,400 --> 00:56:54,359
those
1394
00:56:51,200 --> 00:56:56,000
are they can change too right so you may
1395
00:56:54,359 --> 00:56:58,280
have a certain set of cyber security
1396
00:56:56,000 --> 00:57:00,520
business goals that you're attuning to
1397
00:56:58,280 --> 00:57:02,680
and prioritizing and then all of a
1398
00:57:00,520 --> 00:57:05,319
sudden your customer base comes up and
1399
00:57:02,680 --> 00:57:07,039
says this is now important to us and in
1400
00:57:05,319 --> 00:57:09,359
order to be a competitive advantage in
1401
00:57:07,039 --> 00:57:11,200
order to actually get customers this is
1402
00:57:09,359 --> 00:57:13,440
now important well that's probably going
1403
00:57:11,200 --> 00:57:16,119
to change the corporate goals of what
1404
00:57:13,440 --> 00:57:17,920
cyber security is now and so now being
1405
00:57:16,119 --> 00:57:19,599
compliant and having a story and
1406
00:57:17,920 --> 00:57:22,359
publishing materials to show what we're
1407
00:57:19,599 --> 00:57:25,880
doing with this model now becomes one of
1408
00:57:22,359 --> 00:57:28,079
the cyber security goals okay
1409
00:57:25,880 --> 00:57:29,720
okay hey with that I want to thank you
1410
00:57:28,079 --> 00:57:31,440
Christine thank you Matthew for being
1411
00:57:29,720 --> 00:57:34,079
with us today and thank you to our
1412
00:57:31,440 --> 00:57:35,880
audience for tuning in and
1413
00:57:34,079 --> 00:57:38,000
engaging us with your excellent
1414
00:57:35,880 --> 00:57:41,480
questions thank you and be sure to
1415
00:57:38,000 --> 00:57:41,480
check out our next webinar as
1416
00:57:48,039 --> 00:57:51,039
well
Our speakers
Matthew Rosenquist
CISO, Industry Cybersecurity Strategist, and Advisor
Matthew is the Chief Information Security Officer (CISO) for Eclipz and the former Cybersecurity Strategist for Intel Corp, and draws on more than 30 diverse years in the fields of cyber, physical, and information security.
Matthew advises boards and executive leadership of businesses, academia, and governments around the globe on cybersecurity best practices and emerging risks. He is very active in the industry: a member of multiple advisory boards, an experienced keynote speaker, an author of acclaimed articles, white papers, blogs, videos, and podcasts on a wide range of cybersecurity topics, and a collaborator with partners on pressing industry problems.
Christine Bejerasco
CISO, WithSecure
Christine Bejerasco has been steeped in cybersecurity for the past 19 years. She started her career when network worms were prevalent and has seen the threat landscape evolve alongside advancing technology, as well as changes in regulations and user behavior.
She has worked in various capacities – from analyzing threats and building protection capabilities to leading teams that have effectively delivered them. Before becoming CISO, Christine was WithSecure’s Chief Technology Officer. In this role, she was responsible for investigating the intersection between threats, technologies, and user behavior, to build more future-proof cybersecurity solutions. Today, as CISO, she is applying her experience in cybersecurity to ensure the organization is more resilient and better prepared to deal with cyber-attacks.
Janne Kauhanen
Cyber Host & Account Director, WithSecure
For the last decade as a cyber translator Janne has been helping WithSecure consulting clients find solutions for their information security issues, but he also occasionally transforms into the host of the Cyber Security Sauna podcast.