2020-02-07

An Identity Centric Security Framework

Well, as I had mentioned, I rarely see frameworks that put identity at the core of security and truly support identity-defined security. The same applies to platforms being mixed up with disciplines, such as saying that cloud security is different from IAM. See Getting down to the root cause of breaches, The Hype of "Zero Trust" and Getting Identity Right.

Although I see the need to call out all the separate areas to support the organizational structure, the squeaky wheel gets the oil. By not recognizing identity for what it is, the organizational focus often shifts to whichever manager wins mindshare. Historically, security has also been focused on reacting to incidents rather than on proactive design and defence, and many senior security executives come from this background and approach. For this reason, I tried to arrange the framework with pre-planning on the left and reaction on the right.

Things like endpoint protection currently fall under reactive; vulnerability management, and training and awareness, fall under policy and standards; risk falls under reporting and compliance.

So, comments, changes or omissions? What's your take?
