And so to the future
What CSF did so brilliantly was to single-handedly turn Security from a bunch of technical controls into an end-to-end set of processes within a capability model. Suddenly, Security went from being an unimaginable spaghetti of interlinked technologies to a set of tasks, for people. If (and only if) those tasks could be automated, THEN we would replace them with a tool.
This gave me the governance I was looking for: not paper policies and standards, but ownership of controls at multiple levels of the organisation. Over time I have come to recognise that it gives so much else. Gap analysis against the framework can identify areas that need maturing with people, process or tooling; it can define a target operating model and an org chart, and help drive costs; it helped me build and deliver projects, business cases, a security programme and a business plan. A powerful tool.
But as I developed these things, I realised there was one element that it could also give me that was gold dust to a CISO - Executive reporting, which in turn could help me deliver value back to the business at long last.
This was literally the point at which I decided I was finally "good enough" to become a CISO, and as fate would have it I was approached for a role soon after. I applied this model, as I had done twice previously as a consultant, and the effects were staggering to me.
So now I've taken a step back. Collecting the data to provide this value back to the business was time consuming, and analysing it even more so. I knew it was possible to do this with a database, if only the collection tooling existed. It didn't, so I am now building it at Procordr along with my co-founder, Phil.
This journey has taken me over 20 years, and I find myself looking at the problem afresh as we decide how to turn this into reality. I'm engaging with CISOs as advisors, investors and potential customers, somewhat easier as they are my friends and peers, but the messaging and marketing is still very hard. 20 years into a 3-minute pitch.
If you'd like to be a part of where we take the story next, drop me a line, a DM, an email or even just a like.
Part 1: https://www.dhirubhai.net/pulse/security-primer-business-rob-newby
Part 2: https://www.dhirubhai.net/pulse/focus-process-rob-newby

Comment: Hey man, what are your roles and responsibilities as a CISO?