We are looking at establishing a cybersecurity technology capability model to support our cyber transformation program and are looking for an industry ‘best-practice’ reference model that we could leverage / adapt to support our needs. What models / frameworks would you recommend to accelerate us in doing this?

VP of IT in Healthcare and Biotech, a year ago
The intent of this model would be to outline the range of cyber security technology capabilities that organisations need to consider in establishing a best-in-class cyber security architecture for their enterprise. Use cases that we are looking to support through establishing and using this model include:

(1) Establishing a common / shared language for cyber security across our various platform and technology teams 
(2) Mapping in flight and planned initiatives and work to the capability model so we can identify and provide visibility of: 
- The scope of the program of work in terms of capabilities that it is addressing / progressing (i.e. heat map view, rather than just spreadsheets of lots of activities / work) 
- Where work / initiatives are focused on same capability and thus may require coordination / alignment from an architecture perspective 
- Capabilities that do not have work / initiatives mapped to them and thus may have been missed / require further focus 
- Assess the current maturity / progress of capabilities to understand where further effort/work may be needed to uplift these capabilities over time 
(3) Communicate key architecture decisions, standards, guardrails and policies that initiatives/work need to be aware of and comply with, thereby empowering decentralised decision making; as well as surfacing where there are gaps that need to be resolved. 
(4) Assist in building and communicating the wider cyber security strategy and roadmap in terms of how this is uplifting capabilities over time. 

Internally our business is utilizing the NIST cyber security framework going forward to help us baseline and track progress in uplifting our security capabilities, so I am keen to ensure that the capability model is aligned with this framework. Many thanks in advance for any guidance or learnings that can assist us in accelerating this important work for our enterprise. 
Associate Vice President, Information Technology & CISO in Education, a year ago

Given what you've posted, I suggest sticking with the NIST framework. There are some pros and cons which you should be aware of.

Pros:
1. Industry Standard: The NIST framework is widely recognized and adopted across various industries, providing a common language and foundation for cybersecurity practices.

2. Comprehensive Guidance: It offers a structured approach to cybersecurity, covering five core functions: Identify, Protect, Detect, Respond, and Recover. This framework can guide your capability model development across these functions.

3. Risk-Based Approach: The NIST framework is risk-focused, helping you prioritize your cybersecurity efforts based on your organization's risk tolerance and threat landscape.

4. Alignment with Your Current Practices: Since your organization is already using the NIST framework for baseline and progress tracking, aligning your capability model with it ensures consistency and a seamless integration between your existing cybersecurity efforts and the new capability model.

5. Support for Communication: The framework's structure and terminology enable clear communication about cybersecurity matters between technical teams, leadership, and stakeholders.

Cons:

1. Requires Tailoring: The NIST framework provides high-level guidance, and you'll need to tailor it to your specific organizational context and goals. This customization might require some effort to ensure a perfect fit.

2. Not Fully Detailed: The framework doesn't offer exhaustive details on how to implement specific technical controls or capabilities. It provides a foundation, but additional research and adaptation will be needed to build a comprehensive capability model.

I believe the NIST framework will be great for achieving your goals:

1. Common Language: The NIST framework's wide acceptance and structured approach will help establish a common cybersecurity language across your platform and technology teams. Its functions and categories provide a clear structure for discussing capabilities.

2. Mapping Initiatives and Work: The framework's five core functions can serve as overarching categories into which you can map your initiatives and work. This mapping allows you to create a heat map view that highlights which capabilities your initiatives address and progress, ensuring coordinated efforts.

3. Communication of Decisions and Policies: The framework's structure and well-defined categories enable you to communicate key architecture decisions, standards, and policies aligned with specific cybersecurity functions, thereby empowering decentralized decision-making while highlighting any gaps.

4. Supporting Strategy and Roadmap: The framework's risk-based approach will assist in building and communicating your wider cybersecurity strategy and roadmap. You can showcase how initiatives uplift capabilities over time, helping stakeholders understand the journey toward improved cybersecurity.

By aligning your capability model with the NIST Cybersecurity Framework, you'll leverage an established and respected foundation that supports your goals of language standardization, mapping initiatives, decentralized decision-making, and strategic communication. While some customization will be needed, the framework's versatility will allow you to tailor it to your organization's unique context and needs.

VP of IT in Healthcare and Biotech, a year ago

Thanks -- really appreciate the considered response, and it is very much in line with my instincts as well. We are certainly looking at the NIST framework as a good starting point, but as you said there is work to be done to translate that into a form of technology capability model that can be used in the way we are discussing. I am intrigued that there isn't some form of capability framework available for NIST, as far as my research goes to this point, as the alignment of NIST to a logical (and eventually physical) architecture would seem like a powerful approach. Do you have any thoughts on why this might be the case? Also, are there any security architecture / capability models that you would look at as an input to building out a NIST-aligned model?

Chief Information Security Officer in Healthcare and Biotech, a year ago
Two approaches can be followed:
1. If your business is a regulated business, follow the guidelines as the first step; then follow the frameworks for the best domains.
2. For a non-regulated business, ISO 27001 can be the starting point, then continuous posture management.
