CSF 1.1 and 2.0 with Geoff Hancock

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Geoff Hancock, Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  Yup!  Another well-established guest.  But wait!  There’s more!  Geoff has been involved in the creation and maintenance of the NIST CSF – the cybersecurity framework whose current version (1.1) dictates more security programs on Planet Earth than any other framework, and whose new version (2.0) will soon be ratified and finalized.  2.0 DRAFT and request for comments have already come out and the comments period is now closed.  I asked Geoff to join us here at the ‘Ranch to talk CSF 2.0 with us:

1. Tell us about your history and relationship with NIST CSF
2. Let’s talk briefly about the role of frameworks in cybersecurity.  I’m thinking of the “compliance != security” mantra here.
3. 0 vs 1.1 – what are the highlights?
   1. GV (Govern) Function added
   2. Implementation Examples (Long overdue IMHO!)
   3. What else?
4. Changes to categories – 2 less overall, but other changes as well…
5. I was glad to see supply chain called out in specific.  That was overdue.  What else was overdue?
6. What should have been in there that is not?
7. Describe the process if you would for generating a CSF – we have already seen draft and call for public feedback.  What’s next?

Y'all be good now!