Monday, March 24, 2014

Review of Whitsitt's "B-side Cyber Security Framework" (Mapped to the Ten Dimensions)

My colleague Jack Whitsitt (@sintixerr) has proposed a B-side version of the NIST Cyber Security Framework (NIST CSF) in this blog post.  In this post I will give my comments on Jack's framework, and do so by mapping it to the Ten Dimensions.

The NIST CSF is a catalog of information security practices, organized into categories and maturity tiers. I've criticized the NIST-CSF here, here, and here, and proposed an alternative -- the Ten Dimensions.  Jack has posted commentary and critiques here, here and  here.  Jack has the advantage of participating in all five workshops, plus several side meetings with various players.

Here's a diagram of Jack's framework:

Short Summary

I like Jack's B-sides framework. I see a lot of overlap between it and my Ten Dimensions.  They aren't identical but the same themes come through in both. His has the advantage of simpler interpretation (top-down layer cake, half as many dimensions).  It has short-comings as well.  In it's current form, it lacks performance measurement and, in my opinion, as inadequate attention to "Effective Response, Recovery, & Resilience", "Effective External Engagement", "Optimize Cost of Risk", and organization learning loops.

Interpreting the Diagram

This framework diagram is meant to be read top to bottom, with the boxes ("components") on the top providing guidance, structure, and constraints for those below. Jack summarizes the framework this way:
The framework consists of 5-components that provide the “Model” elements that go into cybersecurity management at an organizational level:
  1. Business Consequence Framing
  2. External Threat Framing
  3. Business Vulnerability Introduction Assessment
  4. Business Quality Management
  5. Cyber Vector Control
Each of these components are co-dependent on each other in assuring that cybersecurity is effectively managed.  [emphasis added]
Notice that both Jack and I define our framework at an organization level, including all people, process, and technology aspects, even beyond what is normally managed by the Information Security team.

It appears to me that each of the "components" is a dimension of cyber security performance as I define "performance" here:
By "performance" I mean results that can accomplished that are (mostly) under defender's control, even in the face of a rapidly-evolving landscape of threats, technologies, and socio-economic-political conditions. While "outcomes" will be determined by the stochastic processes and strategic behavior of adversaries, I argue that "performance" can and should be the focus of management. "Performance" is not merely the sum of cyber security activities executed in an organization. ...
 "Cyber security performance" -- systematic improvements in an organization's dynamic posture or capabilities relative to its rapidly-changing and uncertain adversarial environment.
Jack doesn't use the word "performance" anywhere and he doesn't talk about measuring performance, so I may be mis-interpreting his components.  Here's how he defines "cyber security", and to my eyes, it seems aligned with my definition of "performance":
The vulnerabilities hackers exploit are created in the design, implementation, operation, or control of your business’s strategy, resource allocation, capability maturity, and value chain.  
Therefore, cybersecurity can be said to be “The management of all business decisions made by your organization in a way which will inhibit malicious actors from using technology to repurpose your infrastructure or value chain for their own ends.” [emphasis added]
He does say that making his five components operational is future work:
The Processes (including roles and responsibilities within an organization) by which these model components are executed and the Views in which the associated information is stored and made available to appropriate stakeholders will represent two critical, but future layers to this framework. [emphasis added]

Component 1: Business Consequence Framing 

Component 1 mapped to the Ten Dimensions (click to enlarge)

The first component sets executive-level goals, success metrics, and constraints for cyber security, embracing both the external environment (stakeholders) and the business objectives.  In terms of the Ten Dimensions, the goals touch on six of the ten dimensions but doesn't encompass all aspects of performance in any one of them.  Basically, this Component sets top level some objectives for each of the six dimensions, but doesn't define how to measure performance. "External Environment" help set objectives for Dimension 7. Effective External Engagement and Dimension 10. Accountability & Responsibility, while "Business Objectives" set objectives for Dimension 1. Optimize Exposure; Dimension 6. Response, Recovery & Resilience; Dimension 8. Agility & Learning; and Dimension 9. Total Cost of Risk.

Component 2: External Threat Framing

Component 2 mapped to the Ten Dimension (click to enlarge)

The second component maps directly to Dimension 2. Effective Threat Intelligence, but it seems to focus on the strategic aspect of threat intelligence.  The operational aspect of threat intelligence seems to be included in Component 5 Cyber Vector Control, below.  Otherwise, we seem to have similar definitions.  (He uses the word "external" but I assume he wouldn't exclude insider threat agents, including errors.)

Component 3: Business Vulnerability Introduction Assessment

Component 3 mapped to Ten Dimensions (click to enlarge)

Component 3 is perhaps the most important and insightful aspect of Jack's framework.  Read this post to get the full insights behind it.  Basically, Jack sees that many (most?) security vulnerabilities get introduced in the course of business (and IT) decision-making, which may or may not be taking information security into account.  He says:
True improvement in effectiveness and lowered costs will only come if the rest of the business manages decisions in a way that reduces the number of business and technological vulnerabilities that your security programs must account for. 
I heartily agree, and I think our two frameworks incorporate this, though in different ways.  Component 3 maps to Dimension 1. Optimize Exposure because so many business and IT decisions determine what information assets are or are not exposed to whom ("exposure" includes both legitimate access and vulnerabilities that can be exploited).  It also maps to Dimension 3. Effective Design & Development, which includes business processes, IT systems, and policies.

I could have also mapped Component 3 to Dimensions 4, 5, and 6, but I chose not to as a matter of interpretation.  Since the Ten Dimensions are performance dimensions, and Component 3 is focused on business decision-making, I believe that the best scope is Dimensions 1 and 3.

Component 4: Business Quality Management

Component 4 mapped to Ten Dimensions (click to enlarge)

Component 4 focuses on managing the "current state" of organization and IT systems and processes -- IT configurations and software patches, logs and data collection, and the state of human resources and processes (i.e. awareness, readiness, etc.).  This mostly maps to Dimension 5. Effective & Efficient Execution & Operations and also Dimension 4. Quality of Protection & Controls.  It's very interesting that both Jack and me focus attention on managing quality regarding configuration and controls.

Dimension 8. Effective Agility & Learning also is touched by Component 4, but only regarding metrics, it appears.  Finally, "Culture/Socialization" can be mapped to the non-governance aspects of Dimension 10. Accountability & Responsibility.

Component 5: Cyber Vector Control

Component 5 mapped to Ten Dimensions (click to enlarge)

Component 5 includes most of the day-to-day activities of information security teams.  As such, I'd map this primarily to Dimension 4. Quality of Protection & Controls.  The "Compliance/Audit" subcomponent maps to Dimension 10. Accountability & Responsibility.  Jack's placement of "Risk Management" here leads me to believe that he is thinking of it as "Little 'r' risk management" -- analysis of individual combinations of threats, vulnerabilities, and assets for tactical decision-making (e.g. vulnerability remediation).  Therefore, I'm mapping it to Dimension 2. Effective Threat Intelligence, rather than to Dimension 9. Total Cost of Risk, which is about "Big 'R' Risk Management".

I've left off Dimensions 5 and 6 because Jack doesn't explicitly call them out as sub-components, but this may be too narrow an interpretation of what he means by "Security Program".

Conclusion Part 1: Commonalities

Of the Ten Dimensions, these appear to be completely included in Jack's B-sides framework:
The other four dimensions are touched on, but in my opinion not fully included as performance dimensions.

At a conceptual level, the most important commonalities are:

  • Business decision-making, and the trade-offs involved, determine the preconditions of any security program, and they need to be managed as a separate category of performance.
  • Viewing protections, controls, and configurations as a quality management problem will be fruitful.
  • There are two learning loops -- one at the operational level and another on the strategic level.  Jack puts it this way:
Ultimately, this should be seen as the development of two risk management life-cycles: One which looks at long term threats to your organization resulting from vulnerabilities created by organizational decision making, and another which focuses on short term tactical threats to your infrastructure. These two risk management life cycles can then inform each other without replacing each other.
Even with these commonalities, I would not say that the two frameworks are synonymous.

Conclusion Part 2: Differences

The biggest difference is that the Ten Dimensions is explicitly defined as dimensions of performance, while the Components of Jack's B-side framework are more general and abstract -- perhaps they are best viewed as "functional domains".  In order to measure performance in any of these Components, we would need to see the Processes and Views that have not yet been added.

Of the Ten Dimensions, these appear to be not fully covered in Jack's B-sides framework:
Other than setting executive-level objectives, it appears that Jack's framework does not include any operational aspects of Dimension 6. Effective Response, Recovery, & Resilience.  This could easily be remedied by adding more subcomponents under his Components 3, 4, and 5.

Likewise, other than setting executive-level objectives, Dimension 7. Effective External Engagement is not included at all.  Fitting this into his five Components is not so easy because it really is it's own beast.  For one, it is not purely driven by business processes, workflows, and transactions.  It's heavily determined by relationships and trust.

I've dedicated a whole dimension to 8. Effective Learning & Agility because I think it needs special attention by managers, but it's not called out specifically in Jack's B-side framework.  That's not to say that Jack doesn't consider it.  On the contrary, he says learning and agility an essential feature to successful implementation of his framework:
Business leadership ... capability management, ... process and IT architecture,  operations, education and culture ... and classic “cybersecurity” must be paid equal attention and be tightly integrated.
A tight integration of these areas will not only reduce the overall number of vulnerabilities being introduced that are exploitable by hackers, but will also allow the organization to more effectively identify and pivot toward defending against new threats and attack vectors.  Without this overall business maturity, no threat data will ever be actionable  because there is simply too much area for your security teams and programs to cover.
He might be including these under his "Risk Management" subcomponent under Component 5.  But, I argue that it deserves its own performance dimension because it is under-appreciated and poorly managed today.

I have not defined a separate dimension called "Risk Management" because I think risks will be managed in the course of doing other dimensions well, namely 1, 2, and 4 for threat-vulnerability-asset combinations, and Dimension 9 for Big 'R' Risk Management.

Finally, Jack's B-side framework does not include the full "Big 'R' Risk Management" approach that is measured by Dimension 9. Optimize Cost of Risk, which is essentially a feedback process from the operational aspects of cyber security (Dimensions 1 through 6) back to the business objectives and constraints that Jack highlights in Component 1.

As a smaller matter, Jack's Component 3 "Business Vulnerability Introduction Assessment" would benefit if a "Governance" subcomponent were added to it.  Or maybe it's already in there under the "Strategy" row.  Either way, this would make the mapping to Dimension 10. Accountability & Responsibility more complete.

Closing Comments

I like Jack's B-sides framework.  The best thing about it is that it seems like we arrived at some common ideas from two very different starting places and different lines of reasoning.  Even with the commonality, I don't think they are synonymous or that one reduces to the other without losing something.  I continue to prefer and advocate the Ten Dimensions for all the original reasons, but maybe my opinion will change when I see the next revisions of Jack's framework.

A while back on Twitter, Jack said that we need a "crayon version" of the cyber security framework because anything more complicated with be too confusing for most stakeholders.  I sympathize with this, but I'm not in favor of a framework that is overly simple -- one that does violence to the subject matter.  Cyber security is complicated stuff to manage, and thus needs a framework that is appropriately rich without being Baroque.

No comments:

Post a Comment