I’m presenting today in a 45-minute session. It’s a quick overview of previous topics, focused on the Ten Dimensions. The emphasis in this short presentation will be on defining what “performance” means and why managing performance in cyber security is not simply a matter of implementing a list of practices. Below are the slides and relevant blog posts.
Here is an Applicability Matrix I created that shows how the existing NIST CSF 1.1 applies to each of the Ten Dimensions. You’ll notice that there are only a few blue squares, which indicates that the Ten Dimensions is a different way of carving up the space. This has pluses and minuses, of course. In the blog posts on the Ten Dimensions, I explain and justify this approach. You’ll also notice that some of the Ten Dimensions are poorly covered by the CSF: 3. Effective Design & Development; 8. Effective Agility and Learning (incl… metrics); and 9. Optimize Total Cost of Risk.
Applicability Matrix. Rows = 10 Dimensions. Columns = NIST CSF. Darker colors = more CSF items are applicable.
- Slides
- NIST CSF to 10 Dimensions spreadsheet with Applicability Matrix
- Ten Dimensions of Cyber Security Performance (blog posts)
- How to aggregate ground-truth metrics into a performance index (blog post)
- Aggregating risk: Risk Management: Out with the Old, In with the New! (blog post)

Article Link: http://feedproxy.google.com/~r/ExploringPossibilitySpace/~3/nPxNDwgs3eQ/nist-cybersecurity-risk-management.html