It’s been a busy week for me this week; my latest contribution to the Computer Weekly Security ThinkTank has been published:
and I’ve also completed my slides ready to lay down the law, or at least provide an opinion, on ten common cloud security misconceptions at Cloud Expo Europe on the 26th of February:
Blatant plugs aside, the release of the NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/) earlier this week highlighted something that is obvious, but frequently overlooked: the importance of a common terminology. I always begin my articles and presentations with an attempt to establish a common understanding of the terms I’ll be using so as to try and avoid misunderstandings. I don’t necessarily expect everyone to agree with the definitions – that’s not important. What is important is that we all understand what I mean when I use those terms. Without such a common understanding it is difficult to avoid talking at cross-purposes or else leaving one or other party to a conversation disappointed when what is delivered as a result of that conversation differs from what they thought they were getting.
Establishing a common understanding is particularly critical in the security space where terms such as risk, threat, vulnerability and exploit get used, abused and intermingled. When you’re talking about security there’s no room for misunderstanding or a lack of clarity, clear communication is key to delivering solutions that align to an equally clearly expressed risk tolerance. All of which brings me back to the NIST Cybersecurity Framework. I may not necessarily agree with the Framework in terms of it’s terminology of Functions, Categories and Subcategories. I do however see the potential value that it offers with respect to setting a common understanding and acting as a mechanism to enable clear communication of security requirements.
Take a look and please use the comments to let us know what you think!