NIST just recently released its proposed 2016 Cybersecurity Framework, and it is telling in many useful ways, but NOT in the ways that you would imagine. We often write about methodology and process. Why? Because they are an integral part of any HIPAA Compliance Initiative ("HCI"). However, we NEVER advocate methodology and process as if they were some kind of religious practice only to be understood by those in the priesthood. We have had religious practices dominate American consultancies for decades now (i.e. does anyone remember the "re-engineering craze?"). Now to be clear, there's LOTS to like about the concept of re-engineering...we simply believe that you should do more of it and talk/study less about it.
Whoa, BUT that kind of approach was NOT how the Big Six consultants (Big whatever now) monetized their clients. NO, what was required was religion: a formalized process regarding how "everything in sight" was going to be re-engineered, with corporate America spending billions to worship at the altar. Now if re-engineering were a one-off, there would be nothing much to write about. Far from it: (1) Data Warehousing; (2) Client Server; (3) Graphical User Interfaces; (4) SAP; (5) Object Oriented Programming; (6) the Cloud; and countless other religions have been adopted and have similarly yielded dubious results (i.e. for those that "drank the Kool-Aid" and invested the billions).
That's not to say that each and every one of these technologies has not been disruptive and overwhelmingly successful within certain contexts. They have. They simply have NOT been panaceas...but they were almost always marketed as such. Now here come the Cybersecurity Frameworks: (1) HITRUST; (2) ISO 27000 (or pick your number); and (3) NIST. The following diagram comes from the NIST Framework and purports to explain how your Risk Management Framework should be implemented:
No one, not even the large organizations, has time for this formalistic approach anymore. You could spend a year developing and implementing this Framework throughout your organization. The world is moving much too fast for this sort of nonsense. It is the antithesis of "fail fast." Compare this to our approach with Expresso. With Expresso you can perform a Risk Assessment in three hours or less. How? Because we help you identify (quickly) all 29 Security Controls that you need to implement in order to be in compliance with the Security Rule. We then provide you products that mitigate the Risks associated with not having those controls in place. It's a completely heuristic-based approach that allows you to get results fast while at the same time learning more about the problem you are attempting to solve than a year's worth of committee meetings would teach you!
We are all for frameworks, BUT they need to be lightweight!