Digital Guardian Podcast - Episode 05: Lessons Learned From CISOs - Security Priorities in 2017 with Rafal Los
Episode 05 of the Digital Guardian Podcast is here! Tune in to get insights from Rafal Los of Optiv and his experiences advising security leaders around the globe.
If you follow infosec podcasts, you probably know Rafal as a host of the Down the Security Rabbithole Podcast — now on its 243rd episode and one of our 35 Best Information Security Podcasts to Follow. For our fifth episode, Rafal joins us on the other side of the microphone to discuss his key takeaways from years of providing strategic advisory to security leaders as well as some advice for security teams looking to optimize their programs.
Highlights from this episode include:
- 2:15 - Insights from Raf's work advising CISOs and security leadership, including how security priorities have shifted in recent years
- 14:00 - How security teams are using their budgets and resources today
- 17:15 - Tips for measuring the efficacy of security efforts
- 20:45 - The shift from constantly chasing new solutions to optimizing their existing security measures
- 27:15 - Recommendations for developing and using frameworks to guide security program maturity
We also have an exciting podcast announcement: we're now on iTunes! Subscribe to our podcast in iTunes to keep up with new episodes in real time.
Intro/outro music: "Groovy Baby" by Jason Shaw, licensed under CC BY 3.0 US
[0:00:08.0] WG: Welcome to the Digital Guardian Podcast, this is episode number five and my name is Will Gragido. Today I’ll be joined by Mr. Raf Los, Managing Director of Solutions Insight at Optiv. Also with me today is Mr. Tim Bandos. Tim, why don’t you take a moment to introduce yourself?
[0:00:25.0] TB: How are you doing everyone? Yup, Tim Bandos, I am the Director of Cybersecurity here at Digital Guardian.
[0:00:29.5] WG: Thanks very much Tim. So Raf, really excited to have you on the podcast, episode 5 for us, episode how many for you, on your own podcast?
[0:00:38.8] RL: About to publish 243. When you guys are listening to this, 243 is already out.
[0:00:42.3] TB: Wow, congratulations, that’s awesome.
[0:00:44.5] WG: 243.
[0:00:44.7] RL: It’s been a labor of love.
[0:00:46.4] WG: Yeah, I’m sure. Well, again, thanks very much for joining us today and we’re really excited to have you. Today we’re going to have, I think what will be, a pretty interesting conversation, specifically because of your background. You and I obviously go way back in time here to a few other companies.
[0:01:00.5] RL: Further than I think we’d like to admit.
[0:01:02.2] WG: Yeah, and I know a lot about your background, but why don’t you tell the audience, you know, kind of in a brief glimpse, what your background is, kind of how you got where you are today, and then what you’re doing at Optiv in your current role? And then we’ll kind of jump right into some of the questions and answers.
[0:01:16.7] RL: Surely doodley. Raf Los, I manage the insight team at Optiv. My history goes back quite a bit. If we take the way back machine, to the late 90’s-ish when firewalls weren’t an appliance yet. Fast forward, I’ve worked for enterprises, I’ve worked for consultancies, I’ve worked for big companies, small companies. I’ve worked for one of the world’s largest networks, watching things go wrong and trying to fix them, some of the smallest and now I run a framework organization and what that means is my team is responsible for research - actually, classical research. Not what we typically think of in security, but actually studying and writing and talking on the topic of enterprise framework. So, how do you make a security program repeatable? How do we measure it? What are the requirements? What are the levels of maturity? What are the components, outcomes, capabilities? All that beautiful stuff that seems boring but we all suffer without.
[0:02:09.2] WG: Awesome. It’s all important, right? Absolutely. Programmatic elements, strategies, that’s quite important and that’s a great background you’ve got. Again, really happy to have you here. In your work at Optiv, you obviously interact frequently with CISOs from a wide range of organizations, companies, verticals, industries, various sizes, et cetera.
What do you think is at the top of CISOs’ concerns in 2017 today? Where do you think that their priorities lie? What’s keeping them up at night? Where do you think that they’re being tasked either by the business and/or stakeholders within the business to direct their efforts versus where they perhaps ought to direct their efforts, and do you see any points of contention within that ecosystem in which CISOs find themselves operating?
[0:02:54.9] RL: That’s a good question, Will. I think from my experience and sort of where I’ve been out talking to a lot of the security leaders – not all of them are CSOs by the way, I think it’s cool to acknowledge that there’s plenty of directors, managers and other types of titles there. But from a security leadership perspective, I think what’s really top of mind right now is the interesting climate that we’re in from a business perspective – the M&A, the last couple of years has slowed down in a lot of the industries.
That’s not universally true, obviously, but I think it’s some insight into the way that security is evolving and I think a lot of the shine is wearing off of the FUD that has been used to implement various levels of security measures at companies. What I think is top of mind right now for a lot of security leaders is that, they’re being asked to take a hard look at “How does security really start to impact the organization?”
Jokingly, maybe last week or a week before that, I think it was Chris Wysopal, we were talking about – Rob Rex started, if you guys know Rob, started a question on Twitter that basically said, “Hey, what are we looking at for data breach measurements and the cost per record and everything?” And we sort of got to a point of snarkiness and Wysopal said something to the effect of, “Hey, does that mean we’re through the light of the tunnel? We’ve passed it, right? The golden age of security?”
I said, “No, I don’t think so, I think we’re finally starting to see the tunnel at the end of the dark ages where everything was on fire, everything was urgent, everything was immediate, critical and the world will burn down if we don’t fix it right this moment, right now.” And I think we’re starting to look at the luminaries of the security world. By those I mean, those that are actually leading it, not just the talking heads, and starting to look at, “How do I have impact at the organization, if I have a limited amount of budget to spend, as with anything, where do I put that? If I have a dollar, where do you put it, what do you spend the most on? Is it preventative? Is it detection technologies and capabilities? Is it response? Is it the resetting of back to business, which isn’t really, typically not a security thing. But you know, things like gold images and immutable servers and backups and stuff like that.”
It turns out the answer to that is all of those. Where this is all kind of leading us to is away from the agenda where it’s “Buy! Buy! Buy!” – if you guys listen to Jim Cramer on Mad Money, he’s got that little “Buy! Buy! Buy!” button, right?
[0:05:17.4] TB: I thought you were doing an *NSYNC thing there.
[0:05:21.0] RL: No, not quite. Although that would show our age a little. But I think at this point, we’re now “implement, implement, implement,” right? All that stuff that you’ve accumulated and amassed over the years, is it doing you good or is it just taking up closet space and power and generating heat? What’s it doing? The word risk has been thrown around for years without really any actual knowledge of what the heck that means.
We’re starting to finally approach that and try to tackle it and acknowledge the fact that we really actually have very little clue on how to measure risk and look at this phenomenon in security because we don’t have enough data to look at some of the stuff. So what’s the top priority? I think it’s getting the house in order, frankly.
[0:06:00.0] TB: Right, that was a great response, Raf. So “getting the house in order,” I mean, what are the steps to doing that initially, right? I think initially it’s gaining visibility, but how do you describe that to a CISO or manager or director of getting that into their organization and saying, “This is what your issue is and this is how you solve it.” I mean, how do they gain that visibility to start?
[0:06:18.0] RL: There’s a couple of things. At the leadership level, it’s really understanding the corporate priorities, understanding the dynamics of your company. So what type of organizations do you work for? Is it a financial, is it a healthcare company? Because the dynamics of that company will be dramatically different than in, say, an educational not for profit, for example.
The way that you’re targeted, the way that you defend yourself, the tolerance for downtime and loss are all different. The math formulas that we typically see tossed around largely don’t account for that. I’m seeing some of the new stuff start to accommodate industry trends and the market that you’re particularly in. But on the whole, risk is not risk, right? Even threat is not threat is not threat.
There’s a ton of these changing priorities and step one generally is, “What are the dynamics of my company? what do I have at my disposal, what are my current capabilities?” That actually goes back to looking at, “What’s my budget, what’s my inventory of my team, how many people do I have, what are they doing right now, what are their skill sets, what are their hopes and dreams and aspirations and how am I going to keep them here, as opposed to training them and having them take off for a better job?”
So a lot of that is inward-reflective and, you know, I’ve heard — and this is a phraseology I haven’t heard in a long time since leaving GE years ago, but I’ve started hearing people ask for things like tools rationalization exercises and I about fell out of my chair recently when somebody asked me that because I just sort of went, “I’m sorry, I must have heard that wrong. Did you just ask for a tools rationalization exercise?” And they’re like, “Yeah, last count we have about 127 different security tools at our disposal, we’re trying to understand what we should keep, what we should upgrade, what we should collapse.” When you’ve got three or four tools that all do relatively the same thing but each have like a 1% thing that the others don’t do so well and so you buy because that’s what we’re taught, right? “Buy best of breed.” What in the world does that mean? Does it all work together, is it providing you actual benefit or is it creating more noise? That’s all becoming part of these tools rationalizations.
Then ultimately, I think the last part of this is strategy assessments. Some executives are doing them on their own, some of them are contracting third parties, but it’s the question of, “Here’s what I think I know about my organization and how we should be defending ourselves. How does that line up with, what organization/whoever is assessing them, what are you seeing?” A lot of that is getting away from these checklists that we’re being asked to do; controls assessments. Well, I heard very recently, from a CISO that I’ve worked for and respect tremendously in the past, we had this conversation about what he’s working on and he said, “Right now, my biggest thing for this quarter is to justify why I refuse to comply with controls assessments.”
I said, “Okay, expand on that for me for a second because that’s interesting to me. Because doesn’t it fall that once you have all your controls in place, you can just sort of go ‘okay, I wash my hands on this and if anything bad happens, I did the best I could, look, I checked all the boxes?’” He’s like, “Yeah, but think about it this way, you know, controls assessments look at an orange and say, ‘Hey, that’s an orange.’ But realistically, is it a California orange or is it a Florida orange? Is it an orange that was raised in the orbit around the earth or was it raised on the moon? Is it sweet, is it sour, is it orange, is it green?” Right?
So looking at it from a slightly different perspective and he’s like, “I fail controls assessments all the time because I don’t have, for example, I don’t encrypt all of my endpoints and like, there’s endpoints we don’t encrypt and I fail controls audits. Then I have to tell people that it doesn’t matter if I encrypt my endpoint, none of my endpoints actually have any valuable information because they are all virtual desktops. So that control is a waste of my company’s money,” and he’s like, “That’s what I’m spending time on,” and actually, I’m seeing more and more of that.
It’s actually a pretty interesting approach to things, but I bet that is not a fun conversation to have with an assessor that simply looks for, whether it’s PCI or banking reg or somebody looks at, “Is this control in place? No. That’s a fail.”
[0:10:23.5] TB: Yeah, checkbox auditing, I completely agree. That’s a great response. I mean, so he’s taking more of a risk-based approach, then, to the controls. So if the level of risk is X, he doesn’t, I guess, abide by that rule? Is that what he’s doing there?
[0:10:36.6] RL: Yeah, that’s the idea right? It seems sort of intuitive but it’s not…
[0:10:41.1] TB: Sounds straightforward to me, yeah.
[0:10:42.5] RL: Right? But that’s not the way we’re taught to behave, necessarily. We’re taught to behave — so one of the interesting side effects of my job is I talk to a lot of CISOs, because who cares more about repeatability and shortcutting the line in that success curve? Well, obviously, a new CISO – somebody who has never been a security leader before, right? So I talk to a lot of them and they’re like, “Look, I just inherited this organization, it’s a mess from best I can tell. I’m told, ‘Tell us what you need to spend and justify it and we’ll make it happen within reason.’”
He’s like, “I just don’t know what to spend on. I just generally don’t know what to spend the money on. Should I be buying endpoint tools, should I be buying — or do I go buy a mail gateway? Or should I full disk encrypt or should I make sure that all of our badge access and remote access is good?” He said, “I can’t do all of those. So what do I do first?” Those are some really, really hard questions.
I’ve got to tell you, I’m very excited that our industry starting to ask these types of questions because I hear them more and more and when I don’t hear them from consultants, I hear them from the leadership out there – some of it is management, some of it is leadership, and if you guys listen to podcasts, you know those are not synonymous. I am hearing a lot of that, that, “Look, I want to solve a problem but I’ve got to first understand whether it’s a problem.”
[0:12:05.0] TB: Yeah, it’s great to hear. Yeah, go ahead Will – I don’t want to commandeer, I have a ton of questions for this guy.
[0:12:09.3] WG: No, go for it, yeah. No, I think that’s an interesting point, right? Effectively, this is, you know, this doesn’t come as too much of a surprise to me, just by virtue of my own travels as well, that understanding of your environment and understanding of the business that you’re a part of, right? The role in which a security organization plays as an enabler as opposed to a cost center is really paramount to the success or a failure of a CISO, right?
I think it’s good and it’s refreshing to hear that you’re seeing CISOs take and embrace those thoughts and those ideals and really apply them in a way that’s mindful toward the business and toward the goals that the business has as it relates to the security organization. I really do, I think, you know, you hit on something too with regard to compensating controls and audits, right?
I had to kind of quietly laugh so I wouldn’t be picked up on the mic – you were talking about the CISO who gave the example of failing an audit because he lacked a compensating control for, no whole disk encryption on a system that was actually a virtualized desktop. How silly, right, is it that our industry can’t change and evolve, and specifically speaking, those individuals and those government bodies that are tasked with auditing and providing assurance in environments that require such assurance, from a government’s perspective, to the evolution of business, right?
How silly is it and would it be to find yourself having that conversation? I imagine it’s silly but at the same time, I imagine it’s quite confounding and potentially very irritating when you have to describe how a system works that’s essentially speaking a terminal and it doesn’t actually contain any data and why that shouldn’t be a failure and why it actually, to your point earlier, should be something that’s just, simply stated, not part of the equation so that better uses of effort and resources, and time and effort and resources can be realized. So yeah, really good stuff.
Raf, what do you see with regards to budget and resources being allocated in your experience too? I imagine that CISOs are contending with a lot of things, right? Obviously the evolution of infrastructure and the evolution of computational models and how we compute and how we work in a transient fashion and kind of the continued erosion of the perimeter, right?
Where do you see most of those budgetary efforts being concentrated and personnel efforts? Do you see a higher degree of effort being placed on incident responders and intelligence entities and analysts? Do you see greater degree of emphasis being placed on operational security folks? Where are you seeing people allocate their money, or is it more or less, more so a case where funds are being allocated towards services or technologies?
[0:14:45.0] RL: I guess a lot of it, the answer to that question is, it depends really. I am seeing, and this is kind of what a lot of the industry analysts are saying so this won’t be anything startling or remarkable I don’t think, but there is a tremendous focus, as I said, on things like tools rationalization strategy development, which means “We bought a bunch of stuff,” right?
It’s all humming away in our environments, there’s seven different endpoint tools, there’s three different web gateways, we have like two different antiviruses, if you’re lucky, across all these acquisitions we’ve done. What of this actually is helping me versus what of this is hurting me? So we’re seeing a — I’m seeing a lot of services-driven product purchases, but it starts at the services level, which is basically “Help me make sense of,” those companies that are making spends where they are having these budgetary discussions that I’ve been a part of, a lot of it is going towards “Help me understand my space, help me understand the kind of house I live in and whether I’m even, should I be — does it make sense for me to build a bunker or a house of glass? What makes the most sense? How many different tools is it okay for me to have versus what would make more sense and make me more operationally efficient?”
So I think, if I’m understanding what I’m seeing right, there’s a huge emphasis on operational efficiency, which is where I find my team doing a ton of work is somebody says, “Hey, no, we don’t need to talk to anybody about IR, we’re good,” and I’m like, “Great. Let me show you what my framework looks like and you guys can just simply self-assess to that.” It turns out they come back with, “You know, I’ve never even thought of that as that is part of IM, well, incident management,” right? There’s so much to do in that space; having IR tools, that’s very significant but not the overwhelming part of it, being preparedness and planning and practice and all this kind of stuff that goes into it around it and sometimes that drives budget on the product side as well.
But that’s the kind of thing I’m personally seeing and the kinds of discussions I’m having is there is still tremendous amount of confusion with respect to, “What’s my next step? I’ve bought a bunch of stuff, I’ve got it all installed, some of it works, some of it is just simply installed and sitting out there, some of it I can measure the value it’s giving me, some of it I think it works right, maybe?” That’s kind of where I’m seeing things.
[0:17:11.5] TB: How do you measure, though, some of those internal tools that are deployed for efficiency, effectiveness, or identification of, let’s say, attacks. Say you have an endpoint tool, like the EDR’s a big space right now, right? But you don’t know what you don’t know, right? You don’t know whether or not something has infiltrated an organization or not. So how do you describe that to a CISO? What is the best way of measuring that internally within someone’s organization?
[0:17:35.5] RL: I think the approach that I take with the leadership I talk to in the security space is, from a measurement perspective, right, let’s decide what value looks like, what you're trying to achieve and whether what you’re doing and the tools you're using are helping or hurting. Something that I’ve seen, a trend that I’ve seen over the last seven, eight years, has been a shift away from defining process and strategy around tools, especially in the endpoint space because there are so many options.
We’re starting to realize that the tools that we buy should support our strategy and our workflow and the way we operate — not the other way around — and I think if there’s a takeaway here, I think that for me is it. There’s a realization that “Let’s figure out how we want to operate, what processes and work streams you want to develop, who those will be, define how we’re going to measure value and then go find the tools gaps that we have today.”
Because okay, let’s focus on that endpoint EDR space you identified for just a second there. If you’ve never had — say you are the CISO that’s got EDR vendor X, you’ve never detected a breach, you’ve never had malware on your endpoint, you have to be asking yourself, “Am I not seeing it or am I not catching it, or does it simply not exist?” So, “Do I not know that it’s happening or is it just that it is not happening?” And the answer typically involves looking broader than that thing.
So if you are talking about endpoints, what’s the impact to productivity? How fully deployed are you? How much time does it take to manage? If you are not seeing anything ever pop up off your dashboard, I recommend a thorough — go back to your vendor and do a thorough review of whether it is working or not because I can tell you, in the last 12 months I’ve not met anyone that’s not had anything significant pop up on their dashboard at some point.
So if you are seeing nothing, it’s probably a bad sign. But the odds are that, whether you have a technology gap or not, it needs to be able to fit with the world view that your organization has because if you are trying to do, let’s pick on application whitelisting for a second. If you are trying to do application whitelisting in a company which culturally and historically has not been used to restricting endpoints, one, you’re in an uphill battle, two, you’re in a knife fight with a group that is armed with bazookas, and then three, you’re going to get cheated every chance you take because somebody is going to go, “Well prove to me that this is going to work.”
Go ahead, I dare you - try to prove to somebody that’s already stacked against you that what you are going to try to do by restricting them is good and then you will end up with things like arguments, “Well this technology restricts the company’s creativity and creativity is what drives this company so therefore we can’t have this technology.” Sometimes that’s a copout answer, the rest of the time, and I suspect that is more often true than not, that’s a good answer. So what do you do then?
[0:20:31.9] TB: Yeah, that’s a really great point and you really just described one of the last companies I worked for because culturally, or what they’re used to, sometimes obviously could be impeded upon by using something like application whitelisting or locking things down. So I 100% agree. That is a great response, Raf.
[0:20:48.6] WG: All right, so we talked about some of the challenges you’re being exposed to in your work with CISOs and what you are seeing them struggle with and then we talked a little bit about efforts from a strategic perspective as well as a monetary and a resource allocation perspective. We broached the subject of patterns with regards to security strategy and the prioritization therein – specifically speaking, taking advantage of what I would think of as being the realization of what we have on hand and how do we best optimize and maximize the value there before we go out and augment that. Do you see any current trends or potential trends associated with people foregoing that potential for optimization or the opportunity to optimize what they’ve gotten truly maximized and realize what they’ve already invested in, in lieu of chasing the next shiny service, or the next shiny product, or the next aggressively marketed concept? Do you see that happening Raf or do you see a more metered and measured approach being brought to bear amongst the CISO community?
[0:21:54.2] RL: I think by and large with the amount of mentoring and sharing that is going on out there, just a quick hat tip to the Advisor Alliance and what they are doing in terms of helping, effectively, CISOs help CISOs, right? So a lot of the fear driven slide decks that you’ve seen if you’ve worked on the enterprise side from vendors, a lot of that is going away because people are calling BS on it. In fact, I’ve been in a couple of meetings that start off with, before anybody says anything, the person who is running the meeting on the CISO side says, “All right, let me just give you guys the lay of the land. I know the space, I know the problems, talk to me how you’re going to solve it and tell me how you’re going to work with my environment.” So that is a fantastic thing that I love hearing because it shows me that there is an awareness of sort of the other, like, the naivety is gone in a lot of these cases, which is fantastic.
But there’s still going to be the, “I’ve got a nail poking out of my wall, somebody quickly sell me a hammer,” and a lot of those people, that market, is never going to go away because it’s always going to exist — it’s always going to have a place. I am seeing a shift towards a metered strategy that’s looking down the line and saying, okay, let’s just say that the panic is starting to subside with respect to “Oh my gosh we are going to be hacked, oh my gosh things are going to go sideways.” That is starting to go away.
So behind that is a more metered, more rational approach to the way we approach enterprise security that incorporates conversations with legal and HR and risk and actually looks at tools and processes and workflows and how people interact in company culture and company profile and that is an absolutely evolutionary change. So I think that that focus from purely tactical to a more strategic, strategy-driven organization and away from “management by headlines” as I like to call it.
I had a CIO I worked for once that whatever the headline of that week was, you can guarantee we were going to be asked if we’re on it, if we have a project activated to go deal with that – whether it was relevant to us or not, whether it was real or not. That’s just how it worked, and so these headlines, these giant headline making incidents that we’re seeing, it’s starting to impact — yes the board will ask you or your boss will ask you if you’re a CISO, “Hey just saw company X got breached. Two questions: one are we going to get breached the same way? Two, does it impact us?” Be prepared for that, totally, but it should help you adjust the way you implement your strategy and not drive your strategy altogether because then you end up with things like projects that never get finished because you’re, “shiny ooh, shiny ooh, shiny ooh,” and it’s just chaos and spending forever.
[0:24:38.9] WG: Yep, no I think that that is absolutely correct. I think you’re right. I think that they’re a long time in the space and in the industry and it’s understandable, right? Because, not to be on a soapbox, but it’s understandable because of the way and the nature of which things are presented and marketed, right? No one goes out and says, “Hey, we’ve a somewhat adequate product, would you like to take a look at it?” People market with the intent of selling, so that’s understood.
But I am glad to see that people are actually taking the time to take stock in what they have already invested in and then making an informed decision with regards to where they need to minimize those gaps, or where they truly need to invest in new things. That really is encouraging to see.
[0:25:15.8] RL: And, Will, I’m very heartened by the fact that things are moving in that direction of where the notion of strategy and tactics is being discussed, long term planning, short term adjustments, metered value, KPIs, KRIs, these things are being all discussed in security leadership discussions that we’re having, and just generally. I think this is a big deal to me. I’m pretty excited about that.
[0:25:41.5] TB: Raf is that across the board? Like larger organizations particularly or smaller ones too? Who’s all getting prepared for that?
[0:25:48.0] RL: You know what’s really cool? Some of the biggest have done it before but they continue on that path, the mid-sized ones are definitely getting into that game now, and everybody else is going, whether you have $500 million in budget or $500 of budget, you still have to know what’s the best return on the spend you are going to make and you learn this quickly as a child because your parents give you X amount of money to go spend in the candy store and you can’t take everything.
If you buy this, something else you have to put back and so I feel like we’re starting to become big kids and we are learning how to spend our money wisely and expect returns on it without trying to calculate some black magic ROI on the backend of it to justify insane notions of absolute security and things that have any sort of 100% in front of it because there is none.
Death and taxes, that’s it folks. It’s been that way since the dawn of time, right? Since we started keeping track of this stuff. Eventually things will devolve into an unfavorable situation and you have to be prepared, as prepared as you can be for it, and when you’re not, add that to your strategy for the next time.
[0:26:58.8] WG: That’s great to hear.
[0:26:59.8] TB: Excellent. So we’re getting close to that time so why don’t we go ahead and take a moment to finalize our questions for Raf. One question that I do have for you, Raf, is you’ve obviously got a passion for advocacy of frameworks as it relates to security programs. It actually reminds me of some of the work that I did years and years ago in consultancies prior to going into the vendor space.
What is your perception of the adoption of frameworks today as opposed to maybe 12, 13 years ago? Are people more open and ready to adopt and perhaps in a turnkey style and fashion, bring a framework in place and then subsequently implement the appropriate resources to make that framework a reality? Or are you seeing bigger and larger scale programmatic developments built off of the premise of risk awareness and all things that involve things like ISMSs and things of that nature within organizations?
Where are you seeing efforts and energies placed? Are those efforts and energies being realized in a way in which is advantageous to the business, or are you seeing any degree of futility associated with those things? What’s your thinking on that? Where do you see things going?
[0:28:01.6] RL: Well, I think as a parting thought, particularly on frameworks, because that is absolutely something that I am very passionate about and aside from the answer of the ones my team produces obviously, but I think overall I am a big fan of NIST. I think the general applicability of something that large – look, any framework has two major challenges and when you start to understand the challenges behind it, you can understand the utility of any particular framework.
Anything we do, or NIST included, has the same two problems. One, being broad enough to be applicable to just about everyone, right? And, at the same time, being specific enough to be useful and that sounds really easy until you try to write that down. Because any framework, whether it’s a framework for building a car, if you say “has to have four wheels,” not every car is going to have four wheels. Some have six, what happens then? What if you have three, is it still a car?
So the whole notion of “has to be specific enough and at the same time accommodating enough,” these are challenges I think NIST, of all the frameworks out there, I think NIST is a good one to start with because I think NIST looks at things from a logical perspective and I am a big fan of frameworks because I think if you are not building off of one you’re guessing and if I was guessing, I’d probably be wrong. So I don’t like to guess.
People’s privacy, profits, and, unfortunately, sometimes people’s lives are what we play with when we guess and I’d rather not. I’d rather build off of something somebody else has done well and if that’s the case then frameworks are the place to go because you choose one that has some industry sourcing, that has some history around it, that’s been done before so that you aren’t reinventing the metrics to use and the way you derive value every time.
Because if I have learned anything, it’s that everybody is special but we’re all still snowflakes at the end of the day. So that specialness is what requires flexibility. The fact that we’re all snowflakes is what requires some formality and that’s what I’ve spent the last two and a half, coming up on three, years — holy cow it’s going to be three years soon — working on and solving for that, to be able to drive repeatability, scale, efficiency, those are all important to me.
[0:30:18.9] WG: Excellent, very good. Tim, do you have any final questions or comments for Raf?
[0:30:24.2] TB: Yeah, I guess just one more, Raf. On the point about the NIST framework, do you guys have assessments against the NIST framework for organizations just to see where they’re at along that stage, or how do you go about pitching that?
[0:30:36.3] RL: The nice thing about NIST is that you can go download it and run your own checklist. You don’t have to go pay a consultant to do it. I think that’s a nice thing. The thing that I think the consultants and others provide value in is helping you make sense of that, given somebody else’s broad experience, what part of NIST is relevant to you? That goes back to, because NIST is a set of controls, are those controls going to be valuable for you?
It’s a good question. Are they going to be valuable for your industry? Better question. Are they going to provide value to you in a way that is measurable and more valuable than another control you can put in? That’s the question right there. So that’s my take on it.
[0:31:11.4] TB: Yeah, that’s a great point. I think it’s really just digesting that framework. For some companies it might be too much, so having your expertise in there would certainly be ideal. So that was great Raf, thanks.
[0:31:20.4] WG: Awesome, well thanks Raf very much for joining us again. Thanks also to Optiv for endorsing your participation, we really appreciate that. That’s all for this episode, episode number five. Two housekeeping items before we conclude, first one being our next episode, episode six, where special guest Mr. Dave Lewis, the Global Security Advocate for Akamai, will be joining us, and that will be taking place the last week of May.
So not too far away getting on with Mr. Lewis and talking about all things related to security from his perspective and in addition to that, we’ve got a contest going on right now for you, our lucky listeners. We are in the process of raffling off a free pass to B-Sides London for a listener who can answer the following question: Based on Raf’s experience, what is the top focus for CISOs today?
Listeners can check out the Digital Guardian Blog for details on how to enter, and also look for information there with regards to announcement of the winner and also on our Twitter feed. Thanks again Raf for joining us. Tim, thanks for your participation in making this podcast go smoothly as always. Thank you to the listeners, we welcome your feedback and we really appreciate you taking the time to listen to what we have to say. Until next time!