How to Make Sense of Cybersecurity Frameworks

December 30, 2020 by Frank Kim

One of the keys to CISO success is to choose a framework to guide the work of your security program and, ultimately, simplify the complex world of cybersecurity in a way that can be more easily understood by business leaders.

But, what framework should you choose? How can you make sense of the veritable alphabet soup of cybersecurity frameworks that are available?

After working with a number of clients and students in organizations of varying sizes and maturity levels, I find that it’s useful to segment the landscape of cybersecurity frameworks into three buckets: control frameworks, program frameworks, and risk frameworks.

1) Control Frameworks

Let’s begin with an analogy. If you want to be a writer you have to first start with a strong grasp of language and vocabulary. The words you can use in your writing are contained in the dictionary. Similarly, the security controls you can implement are described in various control frameworks.

NIST 800-53 is a comprehensive control framework. It catalogs essentially every security control you might want to implement. Obviously, you can’t and don’t want to implement every single control possible. This is why NIST 800-53 groups controls into low, moderate, and high-impact baselines so you can identify the appropriate controls for your situation.

Another control framework is the Critical Security Controls developed by the Center for Internet Security (CIS). They define the “Top 20” controls that have been shown to mitigate the vast majority of the most common and impactful attacks. Based on attack data and a years-long collaboration between government agencies, enterprises, and organizations of varying sizes, the Critical Security Controls have become a guide that defines some of the most useful “words” in the dictionary.

2) Program Frameworks

I see many organizations start their security journey with the Critical Security Controls. It’s a great foundation but, to stick with the analogy, a writer doesn’t become successful simply by using the most common words in the dictionary. She needs to know how to put these words together in a way that is pleasing to her readers. In some cases, she might need a style guide to serve as a reference point for writing documents. A program framework is like a style guide.

ISO 27001 is a comprehensive program framework that defines the requirements for setting up an information security management system (ISMS). This consists of the policies, procedures, processes, and activities beyond the technical controls that you should implement to have a robust program.

Another popular program framework is the NIST Cybersecurity Framework (CSF). It defines five high-level functions: Identify, Protect, Detect, Respond, and Recover. These five functions decompose the complex world of security into simple categories that model the high-level lifecycle of all security activities. Because it is simple, it also gives security leaders a way to more easily communicate about their security programs.

Like a style guide, a program framework allows you to conduct high-quality, efficient editing of your security activities.

3) Risk Frameworks

Beyond the activities defined in control or program frameworks, you also need a way to determine which capabilities to prioritize. What do you do first, or not at all? How do you make this determination beyond just a checklist of activities?

Once again going back to the writing analogy, a skilled author knows how to tell a story that resonates with the audience. Similarly, a risk framework helps security leaders assess and manage risk in a way that resonates with the business.

There are a number of frameworks that define approaches to risk assessment and management, including NIST 800-30, NIST RMF, ISO 27005, and COSO ERM, among many others. Historically, many of these have taken a qualitative approach to calculating risk, using things like ordinal scales. This is where a quantitative approach like Factor Analysis of Information Risk (FAIR) is helpful. By marrying foundational risk management program elements with a more rigorous approach such as FAIR, we can craft a story that better resonates with the audience.

In Summary

My mentor Steve Katz once told me, “There are no security risks. There are only business risks.” Modern security leaders must have a deep understanding of business goals and strategies to effectively manage business risk.

It’s not about choosing the one framework to rule the world. Just as a skilled writer uses various tools and techniques to tell a more compelling story, I suggest that you choose a framework from each category to mature your program over time. This will help both you and your stakeholders make sense of the alphabet soup of cybersecurity frameworks that are available.


Cybersecurity Marketing Made Easy

December 29, 2020 by Frank Kim

I have a good friend and trusted colleague, Jaynie Bunnell. When we worked together we would regularly bemoan the fact that we could not find meaningful security metrics. All we had were the metrics that came straight "out of the box" from various vendor products. You know what I'm talking about. The metrics that vendors claim can be used in your "executive dashboard" but are really just a pile of technical data. Things like number of firewall blocks, number of vulnerabilities discovered, number of systems scanned, and the like.

It's a problem. But, at this point in our saga, let's take a break and consider an entirely different question. What happens in 60 seconds on the Internet? What?! Don't worry. It will become apparent momentarily why we're talking about this.

Perhaps you've seen an image like the one below. The sheer volume of activity on the Internet is astonishing. I probably shouldn't be surprised though. I know for a fact that I contribute to those hours of video watched on Netflix. And I'm not ashamed to admit it!


Let's go back to our security metrics problem. I'd like to think that the conversations with my good friend spurred her on to come up with this next great idea but, in reality, it was all her doing. She took the pile of technical metrics we had and turned it into the following graphic.

A Day in the Life of Cybersecurity

All of our "boring" metrics are listed here. It's what happens in 24 hours in cybersecurity at our company (we really didn't do that much in just 60 seconds so we had to choose 24 hours).


We didn't think much of it at the time but the image went viral within the company. About as "viral" as you can get in a large company. All of a sudden our CEO and CIO were talking about the cybersecurity team with the board and bragging to their colleagues, "Can you believe how much the security team does in just 24 hours?"

It was obvious that we hit on something meaningful when we saw the marketing team had taken the same graphic and called it "What Happens in 30 Days in Marketing". Thirty days...heh.

Take Credit for Your Work

We are so busy putting out fires and deploying new capabilities that we often forget to take credit for all the great work we do.

Don't bemoan what you don't have. Take that "boring" old pile of data that you already have and share it with others. It can wind up being a great marketing tool.


Five Keys for CISO Success

December 28, 2020 by Frank Kim

I once had a meeting with my CFO to talk about security. As you might expect, my goal for the meeting was to start to get her buy-in on our security business case. Just a few minutes into the meeting she stopped me and said, “Frank, we get it. We know that cybersecurity is important.” I was beginning to feel that this meeting was going in the right direction. Then she said it. The dreaded “B” word.

She continued, “BUT, what we want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’”

These are the questions that Boards and C-level executives are asking of their security leaders. How can you get ready to effectively answer these questions?

1) Choose a Framework

Select an industry-recognized framework that will help you frame the work of your security program. Using a framework like the NIST Cybersecurity Framework helps simplify the complex world of security in a way that can be more easily consumed by business leaders.

2) Measure Your Maturity

It’s not enough to simply use a security framework. As you implement various controls, make sure to baseline and measure the maturity of your key security capabilities. That way you can show progress over time.

3) Benchmark Against Industry Peers

In an ideal world you might be tempted to achieve the “best” security possible. The reality though, as my CFO pointed out, is that the amount a business should invest is relative to its risk profile. As you improve your maturity, identify how you are doing in relation to your industry peers as one point of comparison.

4) Set a Target

If you happen to be on the high end of the maturity spectrum you may decide to compare yourself to another, more mature industry as a stretch goal. Even if you stay within your industry for comparison purposes, make sure to set a maturity goal for your security program that is based on a deep understanding of business risk.

5) Measure Your Effectiveness

Even with a framework, maturity model, benchmark, and goal in place there’s still one big question remaining. Are you utilizing your limited resources effectively? As you deploy, maintain, and operate your security program, make sure you show that people, process, and technology are actually working as intended.

In Summary

Don't let the dreaded “B” word derail your efforts. Do these five things and you just might be able to head off any objections at the pass.


Cybersecurity Proof of Life for Startups

December 27, 2020 by Frank Kim

Customers want to know if they can trust you with their sensitive data. Just as a hostage negotiator wants “proof of life” a potential customer wants evidence that your security claims are valid. As a startup or small and medium-sized business (SMB) what evidence can you offer to these prospects to make them comfortable with you as an organization?

Depending on the stage of growth of the company I advise clients to base their “proof of life” on three factors: cost, credibility, and comprehensiveness.

1) Cost

In the early days of a startup, resources are scarce. Time is spent determining problem/solution fit, creating a Minimum Viable Product (MVP), finding product/market fit, and a host of other activities.

Assuming the product is successful, an enterprise customer who wants to buy will typically send a long, detailed, and burdensome security survey with hundreds of questions to answer. To make matters worse, filling out this questionnaire usually falls on the most senior people at the company, taking up valuable time.

To handle these requests in a cost-effective manner I suggest creating your own security questionnaire with pre-filled responses to provide to customers. Strive to have this questionnaire handle at least 80% of security inquiries. That way you can focus on the 20% of customers that bring in the most business.

For those discerning customers that want additional information create a security whitepaper that goes into more detail about your security program, automated SecDevOps processes, and operational security activities. This is exactly what a number of leading vendors provide to boost customer confidence.

2) Credibility

As the company grows you can look to enhance your security credibility in other ways. Using an external security firm to conduct a penetration test provides assurance to prospects that experts are reviewing your application and systems. When sharing the pen test findings, highlight not just the issues but also the process for addressing the discovered vulnerabilities. This is an important indicator of the maturity of your security processes.

Another sign of a maturing security program is the use of industry standard cybersecurity frameworks. They help guide the work of the security program and simplify the complex world of security in a way that can be more easily understood by potential customers.

Choose one or more frameworks as the baseline for your security program and conduct a self-assessment. This not only helps you develop an initial roadmap but also serves as an indicator to customers that you’re on a reasonable security trajectory.

A good example of a self-assessment tool is the Cloud Security Alliance (CSA) STAR Self-Assessment for cloud providers. It provides a standard approach for documenting adherence to security best practices.

3) Comprehensiveness

Once the company is more established you need to adjust focus based on the demands of the business. A self-assessment alone might not be sufficient as customers expect more comprehensive evidence from third-party firms.

This usually means engaging a third-party audit firm to provide a certification such as SOC 2 or ISO 27001. Attaining these third-party certifications can be time, money, and resource intensive, so the foundation you lay earlier in developing your program and conducting a self-assessment is extremely important.

Depending on your customer base you might need to attain other third-party certifications as well. For example, if you are providing services to the federal government then FedRAMP authorization might be necessary. Similarly, if you are serving the health care industry, HITRUST certification can be important.

In Summary

Just as a hostage negotiator wants unmistakable evidence that the captive is alive, a potential customer wants to hear a straightforward story about your security program. Based on your business goals and strategy you need to support the organization by leveraging the right tools (e.g. security questionnaires, whitepapers, penetration tests, security frameworks, self-assessments, third-party certifications) to drive sales and marketing. The trick is providing the right balance of cost, credibility, and comprehensiveness to show sufficient “proof of life” at the appropriate time.

Thanks to David Cawley and Benjamin West for sharing ideas for this article.


Azure Security Engineer AZ-500 Certification Exam Prep

September 28, 2020 by Frank Kim

I recently got the Azure Security Engineer AZ-500 certification and received a number of questions about exam preparation.

This was a tough exam, not only because of the Azure knowledge that is required but also because of the diversity of question types: case studies, building ordered lists, drag and drop, and completing commands.

Make sure to download the latest exam skills outline document. While preparing for the exam I noticed that the outline changed quite a bit, and I have since noticed that it will be changing again very slightly.

You really need to know how to implement and execute the items mentioned in the outline. Hands-on experience with Azure, the portal, and the various services is extremely valuable. Fortunately, I was familiar with a number of items (but not all) from prior experience and other SANS courses.

For studying I read many pages of Microsoft Azure documentation, which is fortunately very well written. I also found Microsoft's free online course to be extremely helpful. It has good overviews of the various topics with links for further study. I also took the AZ-500 class from A Cloud Guru.

Probably the most beneficial thing for me was taking a variety of practice exams. I found the official Microsoft practice exam to be the best. It has good examples of the types of questions that you'll encounter in the real exam. I also took the WhizLabs practice exams which were useful because they had additional types of questions. Make sure to read all the explanations to the practice exam questions even if you get the question correct. They really help with the thought process of eliminating the incorrect answers.

As I was taking the online courses and practice exams I spent a lot of time collecting various links to the Microsoft documentation and associating them with the topics on the exam skills outline. The process of researching and gathering information definitely helped solidify the material in my mind.

Hope this helps and good luck with your certifications!

P.S. Please share any study tips that have worked for you.

Copyright © 2021 Frank Kim