What do CISOs Really Think of NIST CSF 2.0, featuring Chris Foulon and James Azar
Published: Feb 29, 2024
Duration: 00:29:24
Category: Science & Technology
From the CyberHub bunker in studio, you're tuning in to the CyberHub Podcast, and now for your host and CISO, James Azar.

What's up, Kristoff? Happy Friday, buddy.

Happy Friday. How are you?

I am doing good. So what do you want to talk about today?

I think the topic says it all, right? Let's talk about this new NIST CSF thing, because I gotta tell you something, man, NIST dropped the bomb on Tuesday, and for once I was less critical of a NIST work product than I've been ever before. I was happy. I was like, okay, this is actually well thought of. They've obviously taken a lot of industry feedback, they've realized their shortfalls. What'd you think of NIST?

I really like it. I think that the whole Govern section that they added to the core of the NIST framework is instrumental, because I think before, people were just focused on the Identify and how that had a small business enablement impact, but not looking at the holistic business enablement impact throughout the life cycle, and I think that governance aspect really just brings that into perspective.

Yeah, it's a very operational version. So for everyone watching us on LinkedIn, on YouTube, on X, Twitch, Facebook, Instagram, Rumble, wherever we're talking, you can comment. We'll see your comments, we'll answer your questions. This is really us kind of chatting away for the next 30 minutes about this, so questions, comments, feedback, what do you think of NIST? Let us know. I'm really curious, because I feel like people are kind of waiting for a more comprehensive approach to come out from someone in order to kind of mimic a talking point, in a way, and I don't... I think people should really look at it. The opening document is very, very detailed. It's great; it gives you everything you need to know. The governance aspect, like you just brought up, Kristoff, absolutely amazing, it's the right thing. But above it all, above it all, here's the one thing NIST CSF 2.0 does over 1.0, and it's really, really, really important: it becomes operational. And I think that's the one thing that was the drag on CSF version 1.0, was it seemed to be very non-operational, kind of like, these are controls you could consider, these are things you should consider having. However, now this new 2.0 is extremely operational. If you download the Excel for the CSF, we talk about controls, we talk about business enablement, we look at the entire life cycle of security. And security is a life cycle that I think many people don't quite wrap their heads around, and here's what I mean by the life cycle of security: security is not an aftermarket or pre-launch concern, but rather security, at the foundation of it, is: how does my business make money? How does my company leverage that? How do we turn that into, what kind of risks do these things that my company does introduce to it? What are the risks that we have that support the business, that could hinder the business's ability to make money? And then how do we leverage and manage those risks over time? And this is what NIST CSF 2.0, really, at the bottom of it all, does.

Yes, and to add to that, I love that in the beginning it was known as that Rosetta Stone, but what they've also done is they've added an intensively comprehensive list of crosswalks to entire other frameworks, which I've shared in the links. I've shared the two links, for the NIST CSF program page as well as the cross-reference crosswalk for it, because it goes across so many different industries and allows you to generate an export just as you need it. So gone are the days where you had to manually export everything; now they offer that comprehensive crosswalk tool to also help operationalize it, because in the past you had to manually draw everything up. Now this is even providing you with JSON exports for you to be able to export these controls very easily into your programs.

One big thing, by the way, is on page 10 of the CSF release document, at the bottom, 5.1 talks a lot about improving risk management communication, which I felt was a great illustration of the different levels of involvement in identifying risk and managing risk within an organization, going from the practitioner level all the way to the executives. And often you'll hear cyber security engineers and analysts, and Chris, you and I have done hundreds of podcasts, I think, with newbies and newcomers, and we often say, no matter what role you're coming in with, or no matter what experience or what responsibility you have, you have a responsibility towards the risk of the business, and then effectively communicating it. And this graph, "Using the CSF to improve risk management communication," I think should be the hallmark of any CISO presentation to their team going into 2024 and beyond. The responsibility of practitioners is to identify the risks, look at framework profiles, look at implementations and ways to mitigate it. They then communicate that to the managers. Managers identify, evaluate, look at that specifically, and then we either do a change, we take the risk, we sign off on the risk, we approve a mitigation plan and then we budget for it. We look for what can be done: is it a simple control change, is it a policy update, is it a new tool, what's coming into the environment? And then that's communicated to the executives as: risk identified, process we went through to qualify, mitigate, identify and so forth, and the solution for it. You know, never spend $5 on a $1 problem, but you definitely want to spend $5 on a $50 problem if you can.

Yeah, absolutely. And I think the other aspect of it that's mentioned a little bit earlier, on page eight, is it brings the CSF maturity levels directly into the document, which previously was something that practitioners like yourself and myself had to do ourselves. They gave you the controls, they gave you the description, but they never said how to really judge the maturity. And now they've included how to judge that maturity as part of that document, to expand on it, so that you could really go in and see if it's partially implemented or adaptive to your environment. And you're now zooming into that screenshot, and I think that's critical for people to take a look at, because all too often people think, oh, I have a control and now I get to apply it everywhere. Well, that's not necessarily true. If only one component of your program or one application really has that control, you can't really claim full credit for it, and I think that's one of the aspects that was also missing from CSF 1.0.

Yeah, it not only was missing, but this tier number three talks about repeatable, meaning, you know, how often are these risks going to be introduced into your environment, and how well can you manage them over a tiered profile? And I get that a lot of people look at security and they go, well, we need to defend against the bad guys. We get it, no one here would disagree with that, but we also need to be able to identify the smaller risks that go into the business from these things, and I think that's one of them. There's another one on here, I believe, that adds... you know, we talked about it right before we started recording here and went live. You brought up, Chris, privacy, and finally there's the privacy conversation here in NIST, because NIST 1.0 didn't have privacy anywhere on it. In fact, you were trying to map privacy to a whole bunch of other frameworks that may or may not mix. I mean, people were kind of... I'll give everyone... go ahead, Chris.

To give NIST credit, NIST CSF 1.0 was created before a lot of privacy frameworks like GDPR and CCPA, so to their credit, it wasn't something that was actively being promoted in the industry. But I think right now the shift has been to include privacy as a business priority as well as a business risk, because not only do you have to worry about the data that you get from your consumers, but you also have to worry about: why am I using it, what was the use case that I brought it in for, and do I still need to keep it?

See, I think there's one thing in this, in the NIST CSF 2.0, and I'm going to go down a rabbit hole here for just a second, that's a bit missing in the privacy cyber security risk perspective, and that's new technology adoption, stuff like LLMs and AI that are now groundbreaking. You know, that could have been potentially added to this as an asterisk, like, AI and LLM models will require some sort of adoption. Because the one thing about this 2.0, and NIST in general, like the NIST CSF in general, is it was constantly an assembly of things. And what I mean by it was an assembly of things: you would look at NIST and go, all right, it does these two things for me, great, I'm going to look at the CIS top 20, we're going to map, and you'd have an Excel, and your Excel would be all these different controls mapped from all these different places trying to come together. And the CSF 2.0 doesn't do that; it actually gives you one singular feat to manage it all. Now, when we go to cyber security and privacy, I have a greater concern that I think isn't covered here, and I think that's simply because of the way we're adopting LLMs in business. Large language models, for those who don't know, which is part of AI: there's generative AI, there's large language models, and those are very, very different from, you know, kind of an algorithmic type of approach to data analysis, and analysis in general, because you're able to really go over larger swaths of data and become much, much more accurate. So if you look at it from a GPS perspective, algorithms could have been accurate within 100 feet of, let's say, someone's location; LLMs could be accurate within six inches, right? So data becomes much more powerful, and historic data that's processed in LLMs becomes extremely dangerous at that point.

I would say they did include it to a certain extent. If you go to page 13, at the top of page 13 of the first document that you were sharing... I was there as I was speaking about this... this piece right here, it's associated with any privacy events arising from data processing. So I think you could argue that LLMs are included in here, and once you go over to the Privacy Framework document that I shared as well, and you go to page four, you'll see that these problems from individual data at the organizational level start to be mentioned. And I think, as you think of the adverse impact that, as you mentioned, this legacy data has, you want to be able to remove references whenever they negatively impact you, and that's where the concept of the right to be forgotten in GDPR as well as CCPA comes into effect. They start to include that adverse discrimination, embarrassment, economic loss as part of that impact to the individual, and where privacy becomes an important factor here.

Yeah, I mean, so one thing: you're absolutely correct, and that's a good point of view on that specifically. I kind of felt like they weren't really going into the depths of it, but then it's not fair for me to ask them of that, because guess what, LLMs are, what, eight months old?

Yeah, I mean, they might be a little bit older, closer to... but the adoption...

Yeah, but the adoption of it in terms of corporate use of LLMs is probably eight months old, right? I wouldn't put it more than maybe a year, and I'm assuming CSF 2.0 was done and signed off on nine months ago in order for them to create all the additional documentation in order to release it. So this is something that we're adopting very, very quickly, and because we're adopting quickly, they haven't had a chance to react, which is fine. Again, no judgment on the fact that this is a very comprehensive framework, very different from its predecessor, more complete.

And if you look at it, you know, it used to be Identify, Protect, Detect, Respond and Recover. If you look at the new NIST CSF, they want us to Govern and they want us to Protect, and then they want us to use Identify, Detect, Respond and Recover to correspond with Govern and Protect. And I'll share it, and this is where you kind of get there. You kind of see how they're looking at Govern: the operational context being the top of it, the risk management strategy, the roles, responsibilities and authorities, your policy, your oversight, and then your supply chain risk management. Huge. But then if you look at Identify, Detect, Respond and Recover, they're not different from NIST CSF 1.0 at all. In fact, I've looked at them one by one; they're the same exact identifiers, the same exact functions. Where what function did change was Protect. Protect went to identity management; they've added more authentication, more access control, they've added data security, platform security and technology infrastructure resilience. Those were not really in that terminology in NIST CSF 1.0, and I think that is huge, because if you're starting to grasp the idea of how industry is evolving, it's evolving into: Govern, CISO. CISO sets policy, sets rules of responsibilities, sets strategy, oversight and risk management. You've got your supporting teams that do the Identify; those are not typically your security teams, right? That's going to be your network, your infrastructure, your teams that security leans on to get the asset, risk and improvement categories. Your Protect is literally your security team: these are your architects, your engineers, your analysts and so forth. Your Detect is your tools. Your Respond is your third parties and your security operations team. And your Recover is part of your governance and corporate responsibility document. Am I wrong here, Chris?

No, you're not. And the one thing I'd also add for everyone to really hone in on is that supply chain risk management. We saw with Log4j that your digital supply chain, your physical supply chain, these are all core aspects of any digital resiliency strategy as well as business resiliency strategy. So the fact that they brought in supply chain risk management is a core aspect, and I think it's very often overlooked, especially by small and medium-sized businesses, and it can be that thorn in the side that kind of takes them down.

So the whole Cyber Human Initiative, a group that both Chris and I are affiliated with... I'm assuming this is Paul.

Yes, that's probably Paul.

This is Paul. So Paul says, why isn't it fair? AI is over a decade old, so a lot of time to smooth things out instead of knee-jerk, like the speed of release. Do you want to tackle this first?

Sure. I'd say while machine learning and similar techniques are over a decade old, I think the speed in which they've evolved over the past three to four years has increased dramatically, almost like the speed of development for computer chips, every 18 months or even six months, that it's been operating really quickly. So yeah, I would say it is unfair to judge a framework's ability to govern this, but I think from an overall strategy perspective it is included in the privacy and data management aspects of the framework.

Yeah, the one thing I'll add to it is the use of AI has evolved significantly in the last year, right? Yes, you're right, Paul, AI is nearly a decade old, over a decade old, but it was AI by marketing people, not technological AI, meaning it was a more evolved machine learning, algorithmic type of approach. It wasn't a real artificial intelligence. Real artificial intelligence, generative AI, essentially what makes up the large language models that are being used now in many, many organizations, are a year old, not even. And so that's where I think we give them the benefit of the doubt with the speed of release, because there was a look at AI, there were all these theories around it, but it didn't become practical until we met ChatGPT, and then... what's the name of the Google version of it, the one that everyone hates now because it's just changing history and whatnot?

Yeah, that one.

Yeah. And so I haven't even used it, because I've heard it's so choppy. But then large language models in business cases are being used very, very differently than specific old AI, artificial machine learning on a few extra servers type of deal.

Yeah, this is really developing its own logic.

Yeah.

But before it was used to detect, to derive statistics, to create outputs like that. Now it's being used to generate new content, or new combinations of content that weren't previously created before.

Yeah. And Avishai, you know, has a great comment here: don't forget this is a document developed by a committee, which unfortunately severely limits both content and ability to adapt. I agree. I would also preface by saying the following: because it's a committee, they had to have a cutoff date where it said, no matter what happens beyond this point, we've got to get this thing out.

Yes. And I think, to give credit though, there is a lot of customization to it. There's the ability that they've given to generate and cross-reference to other frameworks, which previously wasn't provided by NIST before; that had to be done by independent third parties. So now NIST itself, through the committees and everything like that, have created that cross-reference. So in addition to referencing the 800 series, it also now crosswalks more nicely to CIS controls, to ISO controls, and more.

Yeah, you're right. It's, again, it's more operational as a document. And Avishai is right too, we have to look at it for what it is. It's a document developed by a committee. It's a much more diverse and educated committee, probably, than the first CSF document, which didn't have a lot of practitioner input. I think you can clearly see how many practitioners impacted this NIST CSF, right? Like, I look at it, I see nothing but practitioner stuff on there, right? Call me a fool, but I see a lot of touches from people... like, you know, I wasn't part of CSF 2.0, I don't think you were either, Chris, or Avishai or Paul or anyone else watching, the hundred or so people watching us now, but it could have been. I mean, a person here could have been sitting on that committee, could have influenced something, and I think a lot of that were practitioners.

I know several practitioners that were part of the workshops for CSF 2.0, and they shared how much it's evolved from when they first went into the workshop to when they released it, and it was truly a collaboration.

Yeah, and this is a great, you know, kind of conversation driver. That's the thing about this CSF. You know, Chris, I want to ask you a question. We've got about three and a half, four minutes left, and I kind of want to give us both an opportunity to kind of go into a short monologue here. You look at NIST CSF, you're in a room full of people who go, ugh, another framework. What would be your sales... what would be your elevator pitch of why NIST CSF 2.0 is practical today for businesses?

I wouldn't say it's another framework. It's the same framework, with great evolutions and incorporations from other frameworks, and it continues to be that crosswalk, that Rosetta Stone of many other frameworks that NIST has pulled together and created a coherent strategy that both the businesses and government can use to help govern it.

Yeah, I like that. I think that's a great explanation, Chris. I think I would go one step further here and say, mostly when you're in critical infrastructure, the NIST framework becomes the standard framework, simply because most governmental agencies that oversee financial services, utilities and others will lean on NIST and trust NIST more than potentially a MITRE or a CIS. Not to say that those are not good or better frameworks; it's just simply that's where the DOE or DHS, DOD typically lean. They go NIST, right? Because that's essentially part of the inner sanctum there. And so this is a much better document than the first one. It's much more practical, and it's operational, meaning if you're a small business, if you're a two-person security team in a hundred-million company, you can now take the NIST CSF and run with it to secure your organization, identify risks and mature your program, which I don't think you could have said about the original version of the NIST CSF.

No, and I think as Avishai mentioned, it's an improvement of the former one, and it's definitely had a lot of great changes to it. So I think that's a great summary, that it's about continuous improvement, and that's something that you should be doing with your own program. You should be looking at it continuously, revising it continuously and adjusting it to the changing needs of your business.

100%. So we're almost at time, y'all. This is a 30-minute show where Chris and I kind of do what we do. Just Avi, please... if Avishai wants to be called Avi, okay, Avi. We need to have Avi on one of these some Friday. You know, so last week we talked zero trust. NIST kind of threw a curveball out, because we were prepping to talk about one of the first foundational pillars of zero trust today, and NIST CSF kind of came through on Tuesday and threw us out of the ballpark. Next week, 11:00 am Eastern, we're gonna go back to trust but verify, AKA zero trust, AKA marketing term, AKA how the hell do I use it in my security program. We're going to do seven episodes talking about seven different pillars of zero trust, really kind of going into detail. If you've got topic stuff, we'd love to have people kind of jump on here with comments like you've done today, or even come on video; that'll be great. And Avi has jokes. For those who've never met Avi, Avi's bald, so when he says he needs to have a good hair day, he's bald, he's got no hair, zero hair, always a good hair day.

It's always a good hair day for him.

I think with that we should wrap it. I think that's a wrap here, y'all. Thank you so much to all the people from all over that tuned in and watched us this morning. You can connect with Chris at cpf coaching.com, you can follow me at cyberhub podcast.com, you can follow us both on LinkedIn. Our LinkedIn links, if you're watching us on YouTube, X, Twitch, Facebook, Instagram, Rumble, our links to both of our personal LinkedIn are available in the show notes. We really appreciate y'all. Have a great weekend. Chris, as always, buddy, you're the man. See you next Friday.

See you next Friday.

We love feedback, so make sure to connect with us on social media and subscribe to our podcast on your favorite podcast listening platform.