Unties the ‘security’ (cyber-physical) paradigm
My experience in the security industry, both cyber (intangible) and physical (tangible), goes back over 30 years. During those years I gained experience in various industries, most of it while serving as K.I chief of methodologies and complex projects. One of the very first things that Mr. Tim Kasse (K.I owner and CEO) told me is that the most significant foundation for a successful project and mutual journey with any organization is a common vocabulary. This means that the standards, models and all other external guidelines must ‘speak’ the organization's language and culture.
And why?
Recently I met someone from a very interesting niche industry for an introductory interview. We discussed cyber security concepts, and then he asked whether I follow and/or work with the cyber architecture. I said that I don’t, as I am not the tools guy, but rather the process and cyber security management system guy, working with NIST CSF, NIST SP 800-53 and others.
The ‘gap’
What he called ‘architecture’ the industry refers to as a ‘framework’.
My gained insight
In the past two days I spent some time researching this new niche and found:
Not less than 15 organizations (private and public)
Not less than 15 countries
Not less than 7 federal agencies
who collectively publish over 650 standards and guidelines, each using different language and vocabulary, covering:
Not less than 1,200 controls
Not less than 16 critical asset groups
All of this sits on top of the ‘cyber industry’ and community common publications (such as NIST CSF or DHS CRR), and before we even start on the ‘pure’ physical aspects (of the same magnitude), since the cyber practices include elements of physical security of assets, as well as the human-injected threats (related to both).
My vision and intention
This overwhelming volume of documentation, which in most cases overlaps, pushed me back to my 2008 CMMI-Mils and 2010 Strategic Technology and Operational Risk Management (STORM) publications, which were awarded for creativity and practicality at NDIA conferences. What inspired me to develop these models was the 1997 Software Productivity Consortium illustration of the CMM quagmire (published by Sarah A. Sheard, Software Productivity Consortium), and, more recently, the 2021 SEI CERT division publication mapping high-level cybersecurity challenges.
In the past 6 years I developed bits and pieces of it, and this meeting drove me to develop the same holistic, integrated management system for the cyber-physical domain, so that ANY organization would be able to find the selection of practices that best serves its business mission and objectives while keeping full compliance traceability to standards and guidelines, and to share it.
In my next posts I will start laying down the foundation for mapping, understanding and practically using the different standards, models, guidelines and tools of the cyber-physical domain, with a particular focus on its human aspects, as they are the bridge between the two.
My next post will probably be the common frameworks crosswalk and reference, as well as the mapping of this niche industry.
If anyone would like me to prioritize differently and/or consider your topics of interest in aligning an integrated and combined implementation map, please comment publicly (so others may join the request) or privately.
As said, the next two posts (as of now) are:
1. Common cyber-physical map / niche market
2. Recommended organizational roadmap and implementation plan, from mapping and gap analysis to full and real resilience