Avoid Frustration: Analyze Your Assessment Framework

I recently met with the CIO of a 350-person insurance company. He had just had a NIST assessment completed but was frustrated because the review did not give him any practical information. There was no roadmap for how to execute and no action plan for how to solve the problems. Essentially, it was a 40-page document that got plopped on his desk with 5 major macro recommendations that, in my opinion, were in the wrong order.

I constantly have CIOs asking for NIST assessments. And I always attempt to explain that none of the Frameworks will actually give you a deliverable that tells you how to close the gaps they uncover. This is a very important concept.

This is why I always recommend bolting on a Security Scoreboard that ranks the recommendations of the major Frameworks (e.g. NIST, ISO, DoD, PCI, HIPAA) so that you can actually rank, prioritize, budget and integrate them. The most important piece is not the Framework itself; it is what you do with the Framework. Which action plan is going to give you the most risk reduction for the time and money you have?

A practical way to do this is to apply the Pareto Principle, named after the Italian economist Vilfredo Pareto. It is the rule of thumb that roughly 20% of the causes produce 80% of the results, or, put in security terms, that roughly 20% of the recommendations produce 80% of the risk reduction. The split is rarely exactly 80/20; the point is to rank the recommendations by the risk reduction each one buys for its cost and to fund the top of that list first.

