This is the difference between thinking tactically and thinking strategically. If you are thinking tactically, your to-do list is endless. There is always one more control to install, one more security practice to implement. There is no way to prioritize the workload or to measure your improvement. Security practitioners sprint from task to task putting out fires, never taking the time to build a program that can absorb these kinds of tasks programmatically. To do that, you need to think strategically, and you need a framework to guide your actions by managing enterprise risk.
The federal government should work aggressively to implement the risk management construct initiated under Executive Order 13636 and reflected in the NIST Cybersecurity Framework. The leadership the government demonstrated by collaborating with industry to develop the NIST Framework provides a strong foundation for managing cybersecurity risks to the federal government. The NIST Framework incorporates many other frameworks and gives practitioners the ability to rate their programs across some 98 different tasks divided among five key areas:
1: Identify risk.
2: Protect against risk.
3: Detect attacks.
4: Respond to attacks.
5: Recover from attacks.
It also allows you to assess your maturity level for each of the 98 tasks. We use it here at Palo Alto Networks as a way to focus our strategic thinking on how to manage security programmatically. By executing against a framework, you begin to build a strategic program in which you can prioritize the tasks that take your organization to the next maturity level.