Defensive Security Podcast Episode 171

4 thoughts on “Defensive Security Podcast Episode 171”

  1. Jerry,

    Love the podcast.

    Listening to episode 171, which includes the Baldrige and NIST cyber frameworks. Curious why you are so negative about the NIST framework.

    Hoping you can reply and would appreciate direct response if possible.

    1. Tim,

      I’m negative on the framework because it doesn’t actually accomplish anything, while giving the appearance of accomplishment. For most firms, nearly every dimension of the framework is subjective, and subject to the limitations of understanding and incentives on the part of the group using the framework. Put simply, the framework can be used to justify the sufficiency or deficiency of any state of control maturity a firm finds itself in. Problems will not only arise from people using the CSF with impure intent, though I think that will happen much more often than anyone will want to admit, but also because those using the CSF just have limitations in their awareness of threats and controls which prevent the tool from being meaningful. As a decision tool, I fear that the CSF may be worse than useless, to steal a phrase from Doug Hubbard’s book “The Failure of Risk Management”, because the faux rigor in completing the framework leads a firm to feel they have an understanding of their security posture and improvement needs that isn’t based on reality.

  2. Great show btw, guys!

    Gives me good company on my commute to work!

    Quick question: I know you have spoken a few times around user awareness and the need to combine this with technical controls, but how do you see the role of user awareness developing over the next few years?

    Do you see it as an integral part of a company’s defense in depth strategy?

    Thanks in advance

