I’m excited for this one! I’ve been working for some time on a security mind map that captures how I think about security. If you’re just here for the mind map, you can jump to the end. I encourage you to share and use the mind map to start a dialog. I create content not to imply there is one absolute right answer, but to create discussions that help us all get better!
Where there is transition there should be reflection. In practice, any time I change roles, move within a company, or reach a new quarter or new year, I ask a few questions. Why do the CEO, CFO, and board care what I do? What have others in this role done to succeed? What do I do differently, both positively and negatively?
Over the last two months I spent a lot of time thinking about these questions. As I wrote down everything in the CISO domain and looked at how other folks organize their thoughts, I felt that most of the conversation and most mind maps were tactical. Those methods may work for others, but I want to share what I feel better represents how I think.
Let’s start at a high level and work down to the mind map.
Most of a given day is spent on governing risk, the second bullet. The other two bullets deserve their own articles, which are in the works and will come separately. The mind map and the rest of this article focus on this primary day-to-day risk management.
Before building a mind map of functional areas, procedures and controls, we need to understand the risk to be managed. At the highest level, a breach of the confidentiality, integrity, or availability of information systems or data leads to one or more of the following risks.
After the list of risk domains, we need a governance framework. The most commonly referenced framework is the NIST Cybersecurity Framework, whose core has five functions: Identify, Protect, Detect, Respond, Recover. I actually prefer a seven-phase model, because I think certain activities do not receive enough prominence in the NIST model. For instance, supply chain and third-party risk programs are risk avoidance processes, not just identification. You will see in the mind map that this creates a better framework for breaking work out into an organizational model.
With this framework, we can manage our risk domains. Thinking in these terms, it’s easy to map process and technical controls to a phase, and then create teams, projects and tasks for each functional area.
Below is the mind map I created that does just that. I looked at the controls, processes and industry standards we use to manage the above risk domains, mapped each to the risk governance model/framework and created an organizational structure overlay. In a small business one person may have to manage all of this, or it may be one person per “team”. No matter the size, this framework can be used. (See the dynamic and zoomable mind map here.)
If this is helpful and enough people enjoy the framework, I will work on a second map that ties a control standard to the framework, maybe ISO 27001. Drop a line and let me know whether this was helpful!
Thanks for reading!