Second Renaissance supports CISO and Federal executive customers in the development of comprehensive cybersecurity program strategies, based on their organizations’ unique mission. When the mission needs do not require specific overarching frameworks, Second Renaissance recommends the use of the NIST Risk Management Framework (RMF) as the basis for a comprehensive cybersecurity program. The foundation for recommended strategic plans organizes activities into three tiers – governance, information flow, and environment of operation.

Governance elements are often overlooked but are necessary for a resilient organization. Second Renaissance works with clients to build a Risk Management Strategy that includes policy, investment strategy, and key performance indicators (also referred to as a dashboard). The strategy will outline risk tolerance within the organization, and key stakeholder roles across the organization. With a Risk Management Strategy articulated, the organization can focus on Tier 2 – Information Flow.

Information Flow, also referred to as Mission/Business Processes, is the middle tier of the strategy. In Information Flow, cybersecurity is woven into the flow of business within the organization – from Enterprise Architecture to development and operations practices, and even acquisitions. When this tier of the strategy is overlooked, cybersecurity operates as a stand-alone organization. A stand-alone cybersecurity organization can be tasked with securing the organization’s information but cannot effectively perform its duty.

Environment of Operation is most often referred to as the NIST RMF, though it is only a portion of the RMF designed for individual information systems. Within the third tier, Second Renaissance works with customers to prioritize activities and streamline processes, including methods for testing and documenting system security.