A Historical Perspective of Cybersecurity Frameworks

Rich Caralli

In 2021, cybersecurity risk has become a prominent concern for businesses and governments around the world. The past year has shown that no amount of defensive technology can fully protect against adversaries with malicious intent, including a new breed of attacker that combines the financial resources of nation-states with the ingenuity of the world’s most advanced cyber criminals. These attacks can cause millions of dollars’ worth of damage to companies by compromising valuable data and infrastructure, interrupting business operations, and damaging organizational reputation, sometimes irreparably.

In a rare televised appearance, Federal Reserve Chairman Jerome Powell emphasized the importance of understanding and preparing for cyber risks. The world evolves, though, and as such “the risks change as well,” Powell said. “And I would say that the risk that we keep our eyes on the most now is cyber risk.” The scenarios in this case involve “a large financial institution” losing the ability to “track payments that it’s making,” Powell said. “Where you would have a part of the financial system come to a halt, or perhaps even a broad part. And so, we spend so much time and energy and money guarding against these things. There are cyber-attacks every day on all major institutions now. That’s a big part of the threat picture in today’s world.” As Powell’s statement shows, the financial system is now less concerned with liquidity issues (as it was in 2008) than with the unrelenting and continuous risk of cyber attacks.

While the risks of cyber-attacks become more advanced and prevalent each year, researchers and analysts have been thinking about how to prevent these issues for more than 20 years. Cybersecurity frameworks, which help companies and governments establish and institutionalize intelligent processes to mitigate and manage cyber risk, have emerged as an essential tool for taking a holistic approach to examining and improving security programs.

This topic was explored during a recent webinar hosted by Axio. During the presentation, Axio Co-Founder and President David White and Seiso LLC GRC Consultant Richard Caralli spoke at length about the history of cybersecurity frameworks, navigating the landscape, and where to start when thinking about adopting a framework.

Below, we dive into the history of cybersecurity frameworks to better understand how they were developed and why they are still important today.

Why the Industry First Doubted the Framework Approach

Taking a step back, Caralli and White met working in the CERT Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. Through a multi-year development and field-testing effort, Caralli, White, and a team of risk and resilience researchers developed a series of process improvement and maturity-focused models, culminating in the publication of the CERT Resilience Management Model (CERT-RMM). CERT-RMM is a process improvement model that uniquely viewed security as a process that could be defined, measured, and improved. It expanded the definition of security as the convergence of many disciplines, including not only security itself but security’s cohorts: IT operations and business continuity. The spark for CERT-RMM began in the early 2000s with groundbreaking work Caralli did in re-framing security as a business process with the same goal as every other business process: to contribute to achieving the organization’s mission in the most efficient and effective way.

Published initially in 2011, CERT-RMM was an achievement that might never have been, as the shift in mindset from a technical focus to a business and process focus was slow to take hold. Ironically, 20 years later, this is the most widely advocated approach to security in use by organizations today. Initial reservations around the maturity model orientation of CERT-RMM were founded in the belief that organizations would declare themselves “secure” because they had achieved higher levels of maturity as defined by the model. In fact, this notion was counter to the entire fabric of CERT-RMM: that security is a continuous process that never ends and must be constantly improved. In the face of criticism, the team pressed on, and today, with the advent of CMMC (which derives a considerable amount of content from CERT-RMM), the Department of Defense has embraced the security maturity concept in the same way it did when maturity concepts were introduced for software development process improvement. “It’s interesting to go back to 2001 to when we had a lot of naysayers in the organization that said not only couldn’t this be done, but it shouldn’t be done,” Caralli said. “But, that’s the research game—stick with your hypothesis, refine and field test, and observe transformations, and measure value. Today, it’s easy to see the value was there all along.”

The Purpose Behind the Framework

Throughout their time at SEI, Caralli and White understood that developing the CERT-RMM framework was about much more than a checklist or playbook for companies to build better security. The goal was broader: they wanted to create a cultural shift among technical and process practitioners, and to break down the organizational silos that kept security, IT operations, and business continuity from producing synergistic outcomes. To succeed, companies needed to continuously revamp all of their processes to improve the management of operational stress.

“I think it took us ten years to convince them, but the real point was that we were defining a continuous process that traverses the organization and never ends,” Caralli said. “We wanted to find ways to get past the typical one-and-done propensity of many frameworks. We wanted the processes to stick, and we wanted them to become part of the culture. We wanted to inculcate them. And what is a culture after all? It’s a way of doing things. It’s a system of common beliefs and practices, and norms. It has staying power. That was our goal.”

Developing Security as a Process

One of the biggest things Caralli and White had to think through when trying to make the CERT-RMM framework stick was establishing the idea that security needed to be a process. They were dismayed that the security practices common in organizations were ad hoc, poorly defined, and inconsistently adopted. So, they looked to the world they knew for inspiration: software engineering.

One framework that had worked exceptionally well in the software engineering world was the Capability Maturity Model Integration (CMMI), which was launched in 2002 as the successor to the much older CMM. While the core principles of CMMI were translatable, Caralli and White struggled to find a success metric comparable to the one available in software engineering: defect reduction. In CMMI, the reduction of software defects at higher levels of maturity was observable; in security, a comparable analog was harder to find.

“We thought maybe [security] events would be an analog, but they’re problematic for a lot of reasons. Maybe you could measure an observable reduction in events you have control over, but the nature of security threats is that you often don’t know about them until they happen,” Caralli said. “So we looked to the process improvement and maturity concepts that were in CMMI, which are known as institutionalizing features, and we thought that might provide value at least in establishing and promoting the view of security as a continuous process.”

The decision to focus on maturity concepts for the CERT-RMM framework worked well, as it made processes more deliberate and gave each one a clear beginning and end, even though the overall improvement cycle never stops.

“We knew that if we could define a process, we probably could apply all the process improvement concepts and build those in so that a process activity actually evolves over time,” Caralli said. “And if you think about security processes, they are more like manufacturing processes that have raw materials that go in, and they get transformed, and things come out.”

In building CERT-RMM, Caralli and White were in some ways chasing the idea that “a process defined is a process improved.” In effect, a defined process that evolves over time serves an organization far better than being married to a fixed practice.

“Where practices often don’t have a core objective, processes usually have observable outcomes and artifacts,” Caralli said. “And so we brought all of that into CERT RMM.”

Why CERT Resilience Management Model Was Ahead of Its Time

Caralli, White, and their team at SEI released CERT-RMM in 2011, and it significantly changed the landscape for how companies and governments developed cybersecurity practices.

CERT-RMM has influenced other essential frameworks and models, including the 2012 Cybersecurity Capability Maturity Model (C2M2), the 2014 NIST Cybersecurity Framework (CSF), and the 2020 Cybersecurity Maturity Model Certification (CMMC). CMMC, for example, is used by companies that want to work on Department of Defense contracts, making it incredibly important to the current business landscape.

“Not only does [CERT-RMM] technology continue to hold up, but it’s being used in more recent frameworks,” Caralli said. “And so if you look at CMMC, for example, you’re going to see a lot of processes and practices and artifacts from CERT-RMM in there, and you’re also going to see a similar, if not exactly the same, adoption of the maturity concepts.”

Learn More about Security Frameworks from Axio

If your organization is looking to improve cybersecurity protections or adopt a framework, Axio can help you assess your next steps. Users can perform free, lightweight single-user assessments for NIST CSF, C2M2, and Axio ransomware preparedness assessments. Additionally, subscribers can get much more with CMMC, CIS20, and other custom assessments. Try the free tool here.
