Let’s be frank…
Frank Gehry responds to critics during a press conference in Oviedo, Spain. Photo via: Faro de Vigo, https://news.artnet.com/in-brief/frank-gehry-gives-spanish-critics-the-finger-143262
Key Limitations
By virtue of being written for a relatively broad, general audience…
1. Standards, and their associated frameworks, require customization to a given organization and are rarely directly implementable as written.
2. As a result, while standards do provide a starting point for an effort, they still require expending resources (time, staff, analysis) to achieve a desirable result.
What are we talking about?
• Standards related to cybersecurity and risk management. Not protocols.
• Typically large, general-purpose works.
• Examples:
– ISACA’s COBIT 5
– ISO 31000 and 27000 series
– NIST SP/FIPS/etc.
– Standards from orgs like TOG (e.g., Open FAIR)
COBIT 5 Details…
• The primary standard is hundreds of pages long, and overall it is a collection of several documents.
• “COBIT 5 for Risk” alone is 244 pages.
• This is incredibly unwieldy!
Lessons from NIST?
• There’s a LOT to the standards.
• There’s a lot of misunderstanding, too.
• You still need to do “stuff”…
• In fact, if under FISMA, you have a LOT to do.
• In private industry, take time to understand.
Closing thoughts
• Standards are useful, but no panacea.
• Standards can reduce some planning efforts, but still require work.
• Semper Gumby!
Bonus Point!
Right-Sizing: Just how much do you need??
Is…
Data Value + System Value + Resilience/Defensibility
…generally adequate?