The Fallacy of Security “Frameworks”

2018-09-07 By SecureSteve


Step right up, step right up!  

Get your Security Framework right here!

We’ve got a framework for any type of company!

Step right up, step right up!  

[Image: The MN State Fair. Caption: The author’s wife and son, surviving the fair…]

The Minnesota State Fair recently concluded, and I still have pronto pups and cheese curds on my mind.  For those who are not aware, the Minnesota State Fair is the largest fair in the United States by daily attendance.  It’s kind of a big deal 🙂

In a weird way, as I was walking through the “Mighty Midway” at the fair, where all of the games are held and people are yelling at you to try the latest game, I started thinking about security frameworks.  (My mind is a weird, twisted universe.)  The above “step right up” thought rang true as I started to think of all of the ways organizations are bombarded with the concept of “security frameworks”.

So, are security frameworks bad? 

Short answer: nope

Slightly longer answer:  Absolutely not.  Security Frameworks can be a very effective tool not only to implement a security posture, but also to provide measurement metrics around the effectiveness of that posture.

Which Security Framework is right for me?

Since you’re jumping ahead, my answer is “pick one”:

  • PCI DSS 3.0 – 228 controls
  • NIST SP 800-37 (FISMA) – 204 controls
  • SANS 20 Critical Controls  – 197 controls
  • ISO 27002:2013 –  114 controls
  • Unified Compliance Framework – 3500+ controls
  • Others…

Good luck out there, you’ll be fine!

https://xkcd.com/927/

So what are Security Frameworks missing? 

There are two fundamental things that a framework does not and will not answer.  Those are Why? and How?

Why ‘this’ framework?  Why any framework? 

In a way, this question might be laughably ‘obvious’.  “I process credit card payments, I must follow the PCI framework.”  Or, “I run critical infrastructure, and all of my peers follow SANS critical controls.”

I don’t intend to belabor a point, but the responses above still don’t quite answer the why? question.  It is worth working through some legitimate why? questions:

  • Is this framework for compliance obligations or reasons?
  • Is this framework because of industry best practice?
  • Does this framework map to my wider corporate strategy?
  • Will I need multiple frameworks to fulfill compliance obligations or my corporate strategy?
  • What are additional framework motivations?  Audits?  Recent (negative) events?  New leadership?

In most organizations, there might be answers to all of the above questions.  However, in many organizations, the answers to those questions are far from consistent among all relevant stakeholders.  The above may seem like common sense questions.  Yet it is important for there to be consensus around those answers for a framework to have a chance of succeeding.

How ‘this’ framework?  How any framework? 


Ignoring the bad grammar, the “how” is another question that largely is not understood, or not well thought through.  Again, the answers might seem obvious:  “I’ll just make my team do it.”  Or, “It’s now a corporate mandate.”  Even more common:  “This framework says implement this control.  I’ll just make the team responsible for that component implement that control.”

Those answers might seem straightforward, but in many organizations, there are two fundamental problems that arise:

  • Lack of Executive/Leadership Buy-In
    When you start to dig through the details of most (all) security frameworks, it is extremely rare that the control points fall under a single company vertical.  Ignoring the obvious IT and Security parts, there are controls mapped to Risk/Compliance, Finance, HR, Operations, Vendor Relations, App Dev, to name a few.  If there is not executive and leadership buy-in across the relevant verticals, your security framework has an unlikely chance of success.
  • Lack of “Clout”
    When you look at the components of all of the security frameworks, there are many ‘user-impacting’ controls that could be (will be) relevant.  The issue here is clout.  I’ve seen organizations where the CISO (that is, the Chief Information Security Officer) does not have the clout to even write a password policy.  (Not implement, not provide technology for, but not write.)  If a simple password policy cannot be written, how is a simple data classification control supposed to be decided, much less implemented?  Arguably, some of this issue is due to the lack of executive/leadership buy-in.  Yet if you don’t have clout, your security framework has an unlikely chance of success.

So, which framework is right for me? 

To start, any or all of the security frameworks can be very effective.  I think it is an awesome step in the cybersecurity space that some guidelines are being developed to help organizations become more secure.  These frameworks are really excellent.

However, before choosing one or some, it is imperative that basic questions are asked and answered.  This should not deter you from using a security framework.  Rather, I hope that this post provides some common sense help around the planning process.

Why do you keep mentioning common sense in this post? 

Who doesn’t like common sense, right?  As I’ve been working with corporations and organizations going through various security framework obligations, I’ve been wondering if there is a slightly more ‘common sense’ approach to their security framework initiatives.  Lo and behold, the internet came calling: CSSF – Common Sense Security Framework.

The CSSF – Common Sense Security Framework 

When I came across this framework, I was struck by its simplistic nature.  In particular, as I’ve worked with organizations that are truly striving to take the next steps in their security posture, I appreciated this common sense approach.  No doubt it is simplistic.  However, many organizations are ready for the simple before they move to the advanced.  (Is there no value in the bunny hill before you try to tackle the double black diamond?)

I should be clear that I am not affiliated with this initiative.  However, I was very impressed with the approach.  I also appreciated a ‘framework’ that could bridge the gap between organizations that were early on their security journey, yet still enable them to move to more advanced constructs as they matured.

From https://commonsenseframework.org

The CSSF identifies seven (7) areas that require protection, along with three (3) of the most effective, useful controls in each area. The end result is a list of twenty-one (21) questions that every business owner needs to answer in order to have a fundamental understanding of whether or not his or her business is exposed.

  1. Protect Your Applications
  2. Protect Your Endpoints
  3. Protect Your Networks
  4. Protect Your Servers
  5. Protect Your Data
  6. Protect Your Locations
  7. Protect Your People

What I LOVE about this framework is that it covers the basics.  It truly fits the name, “Common Sense Security Framework”.  Here’s a link to the questionnaire to cover those 21 controls:

Questionnaire (XLSX): Common Sense Security Framework Questionnaire (version 1.4)

If you’d like to see a very nice presentation on the subject, take a look at this link:

Presentation (PDF): Common Sense Security Framework Presentation

-Steve

#CommonSense

#StayVigilant

#StaySafe

#LookOutForEachOther