Seven Simple Success Steps from NIST Cybersecurity Training Courses

One of the primary issues we see when working with organizations in our LRS Education Services NIST Cybersecurity Framework training courses is answering the question, “But how do I actually DO this?” As students in these courses, or clients of our NIST Cybersecurity Framework Assessment Program, they want to know the real life process to get their cybersecurity where it needs to be.

Let me ask you an unrelated question. Do you have a favorite book? One you have probably read over and over. You may enjoy many books, but this is your number one favorite. Or perhaps there is one movie that still brings you gales of laughter, or keeps you on the edge of your seat, or brings you to happy tears, even after watching it time after time. There are a lot of good movies for you, a few great ones in your opinion, but there is one that you absolutely love the BEST!

Let me tell you, in any cybersecurity training, the absolute best for me is Module 8 in our NIST Cybersecurity Framework Practitioner course (which is part of our NIST Cybersecurity Framework Bootcamp training course).

I mean, you know, the Introduction module is good; you can’t have a class without an intro. The Components of the NIST Cybersecurity Framework module reviews the main areas of the Framework, then smoothly goes into how we make decisions about where we need to be. It gets WAY into the CIS Controls (SO COOL!) along with other informative references such as ISO/IEC 27001 and NIST Special Publication 800-53 Rev. 5. Oh, did I mention it covers Supply Chain Risk Management? Yeah, that’s a good module.

Module 4 is a can’t miss. It’s all about Real World Attacks. Seriously, what’s a better way to know how to protect your stuff than by seeing how other places failed to protect theirs? Learning from someone else’s mistakes is WAY better than making them yourself, agreed? Why’d they shut down that gas pipeline, or how in the world did Equifax lose your social security number? These are important questions to answer to protect your organization. Plus, talking about the exact tools and techniques attackers use, as documented by MITRE, can really help you see what you’re up against.

I don’t much care for Module 5: Defense in Depth and the NIST Cybersecurity Framework. Too boring. Just kidding, Module 5 rocks! Knowing how to secure my organization at every level? Yes, please! Seeing examples of vendor tools to do so? Another yes! Then learning how Security Operations Center (SOC) activities and Security Information and Event Management solutions work in relation to the NIST Cybersecurity Framework, ABSOLUTELY!

But then there is Module 6: Assessing Cybersecurity in the Subcategories. I feel a little guilty every time I teach that module. I feel like I’m cheating my boss just a bit. In that module I show you exactly what we do when we conduct cybersecurity assessments for our clients. We pull back the curtain on the whole process, even showing you our customized tool, and a sample timeline for a real cybersecurity assessment. Please, don’t tell my manager about Module 6, she might make me stop sharing our secrets. Let’s just keep Module 6 between us, ok?

If Module 6 is the cake, then Module 7 is the icing. One of the most fascinating things about Module 7, Creating a Written Information Security Program, is how many companies have never even heard of this critical security document. It’s got everything: policies, procedures, details about your cybersecurity-related business controls, fencing, fighting, torture, revenge, giants (oh wait, those last five are from my favorite movie). But truth be told, when people learn what this document is and how very much it helps to know exactly where you are in ALL your cybersecurity-related business controls, they get excited about the possibility of having all that information in a single, easy-to-find location.

Now we get to Module 8. This is the one. Modules 1-7 are all getting us ready for Module 8. Module 8 is titled A Practitioner’s Deep Dive into Creating or Improving a Cybersecurity Program. And oh, my friends, is it ever. If you take our NIST Cybersecurity Framework (NCSF) Foundation training course, you get a primer on the Seven Step Process to Create or Improve a Cybersecurity Program. That’s pretty much what you need if you want to learn the basics of the Framework and how it functions. But to really put the Framework into place in your organization, Module 8 from our Practitioner class (which is part of our NIST Cybersecurity Framework Bootcamp training course) is the key.

Module 8 breaks each of the steps of the Seven Step Process to Create or Improve a Cybersecurity Program down into their individual components, then breaks each component down into specific action steps. You know why I like this module so much? Because it takes cybersecurity, a famously complex and obscure concept, and makes it completely accessible. Module 8 covers psychology, interpersonal challenges, working with compliance, meeting the expectations of decision makers and other stakeholders, how to determine exactly what to do and in what order, and creating the team to make it all happen! Module 8 will allow you to walk away with your own framework, built upon the NIST Cybersecurity Framework, to get from where you are to where you need to be. Yeah, it’s my favorite for a reason.

Ok, before we close out, I should mention that there actually is a 9th module. It’s titled Continuous Cybersecurity Improvement. The reason this module exists is simple. Once you’ve done all the work to get your organization locked up tight and efficiently secured, you don’t want to lose your momentum. You don’t want to fall back to an insecure state and get breached through some silly oversight. Module 9 provides the list of activities that are done regularly to keep you where you need to be.

Hmmm. Now that I think about it, maybe I like all the modules in our LRS NIST Cybersecurity Framework Bootcamp training course equally. No, probably not. But again, let’s just keep that our little secret.

-Troy Stoneking, Certified NIST Cybersecurity Framework Trainer and Cybersecurity Assessor