Skip to content

WitchyPurpleSec/Simplified-Decision-Framework

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Simplified Decision Framework (SDF)

The purpose of the Simplified Decision Framework (SDF) is to assist Information Security (InfoSec), Information Technology (IT), and Governance, Risk, and Compliance (GRC) professionals in simplifying and expediting their decision-making capabilities. This practical framework narrows decision-making down to three (3) core concepts aimed at helping teams avoid analysis paralysis while maintaining alignment with risk appetite, organizational objectives, people capital, and governance requirements.

Simplified Decsion Framework Diagram - Clean]

Authored By: Stephanie Gass and Mathew Everman

Executive Summary

Across IT, InfoSec, and GRC fields, decision makers struggle to ensure their projects, processes, and deployments align to their organization’s requirements, capabilities, and needs. Key decision makers need to ensure they are aligning these complex choices with risk, governance, and people capital while supporting efforts to drive innovation and meet business needs. Making these key decisions often requires an element of agility and expedition as priorities shift in a modern business environment which can lead to non-conformance, deployment failure, and the introduction of unapproved organizational risk. It’s easy to become overwhelmed by daily tasks and fall into analysis paralysis or decision fatigue when tackling complex initiatives like selecting a SIEM, building an AI policy, or creating proactive security plans. This Simplified Decision Framework (SDF) aims to ensure alignment with the organization's needs while increasing the timeliness of decision-making.

The SDF is designed to be a practical tool built around three (3) core questions that will guide leaders through the core components of the decision-making process. What are your “crown jewels”, what governs you, and what people do you have? By identifying these three (3) key elements that we refer to as the big W’s and mapping how they are influenced by organizational risk, leaders can ensure their decisions and proposals align with acceptable risk profiles while supporting speed and innovation.

  1. What are your “crown jewels”?
  2. What governs you?
  3. What staff do you have?

The SDF is designed to be flexible and agile, allowing it to be tuned accordingly for large scale and day-to-day decisions. This documentation outlines the core components and concepts of the SDF. Each of the big W’s are outlined in detail, allowing practitioners to understand the relevance and importance of each of these core components. It also includes guidance for identifying and mapping organizational risks to the framework. Learning to adapt these simple, practical tools to your organization’s decision-making efforts and lifecycles enables Governance, IT, and InfoSec leaders to make effective, well aligned decisions.

What Are the Components of the SDF?

SSimplified Decsion Framework Diagram - Graphical Version]

What Are Your "Crown Jewels"?

Simplified Decsion Framework - Crown Jewels]

To start understanding your Crown Jewels, identify key revenue generating staff and services, review where key data for business operations are stored or managed, and review how your organization interacts with your customers. Essential to identifying Crown Jewels is the understanding that they can be both organizational and project specific in nature.

Organizational Crown Jewels are easily identified as tier 1, or business critical assets that keep the business going. Think of these as the items that would have the largest score on your business impact analysis or the critical items you would focus on first in your business continuity plan.

Project or decision specific Crown Jewels may cross over with organizational but may be scoped to include down or upstream assets and services like specific servers, data, or applications. Crown Jewels are a unique component in the SDF, as your Crown Jewels may also contain staff which may or may not be captured in your People section of the framework (e.g., VIPs).

Crown Jewels are the crux of your decision-making process and act as your key areas of focus (or in some cases avoidance). For example, coordinating an office relocation may create a technical and security risk for all employees during the time between offices. As a result, the whole staff becomes in scope as crown jewels through the conclusion of the project. Identifying the impact on Crown Jewels as a key element of decision making ensures your decisions and deployments enrich organizational workflows and objectives while avoiding pitfalls that could lead to disruption in organizational operations. An appropriate understanding and consideration of Crown Jewels helps you avoid decisions that could have budgeting, and trust impacts on business operations.

What Governs You?

Simplified Decsion Framework - Governance]

Governance is more than just the needs of a single department inside of an organization. Governance requirements come from multiple business units and functions within an organization. The governance principles, requirements, and frameworks used to guide the business should also guide day-to-day and long-term decision making. To start understanding what governs you, you need a firm understanding of any legal, industrial, or business requirements your organization is required to follow. Knowing the governance principles and using them to guide the decision-making process ensures your new program, project, or decision is optimally beneficial to the organization while avoiding pitfalls that could cause compliance, financial, or legal issues.

Governance may impact your decision-making in various ways. For example, identifying requirements outlined in your organizations' legal requirements, business agreements, or industry frameworks may outline restrictions preventing the usage of certain tools and services. Organizational policy may limit third parties to geographical locations which could restrict vendor selection pools. Use of AI may be strictly prohibited by client business agreements preventing its usage in various processes. Whether you are selecting software, testing the efficacy of a new process, modifying a policy, or planning a new company initiative, understanding the requisite governance components enables alignment with organizational standards, needs, and agreements. Failure to align to these requirements could lead to legal action (against yourself or the organization), introduce unacceptable risk, or cause reputational damage.

What People Do You Have (and What Are Their Skill Sets)?

Simplified Decsion Framework - People]

Understanding what access you have to appropriately trained staff, vendor resources, or contractors with skills related to your decision, process, or project guides the success of your decision-making. Aligning your People resources before, during, and post deployment or decision execution allows you to appropriately align your scope to your capabilities. This ensures resource availability to support both deployment and lifelong support for your decided upon process, project, or service. People are the driving force behind all organizational processes. They provide the effort that drives both innovation and revenue. The People section is also the only field in the SDF where documented resources may cross over to other sections. Personnel can be Crown Jewels (e.g., VIPs), but they can also be captured in the People category as a product, process, or project resource.

People drive projects to completion and keep them running, but they are also a key component if you are using the SDF to measure your capabilities for a new process. For example, if you are deploying a complex and costly application such as a Security Incident and Event Management (SIEM) application you need engineers, system analysts, network engineers, and system administrators. But during post deployment your needs change. You no longer have access to deployment engineers provided by the SIEM vendor and getting a return on investment requires tuning and response personnel like those found in a Security Operations Center (SOC). You may have team leads who receive training as part of the application onboarding that become valuable post deployment assets.

Staff and their skill sets may fluctuate over the course of a product’s lifecycle, or a project and the SDF allows you to capture this fluctuation in its simple diagram.

In other instances, the People section of the SDF may include impacted assets outside of your team or department. If your decision, process, or a project Crown Jewel requires support from or has substantial impact on other departments, teams, or customers, they should be captured within People to get a wholistic picture of your decisions impact. Understanding your People needs enhances alignment with personnel availability, budgeting, and scoping to optimize your chances for success while avoiding potential pitfalls that could damage your timelines or your personal reputation as an organizational decision maker.

The Role Of Risk

Simplified Decsion Framework - Risk]

Risk sits at the center of our SDF because it’s the core and driving factor for everything we do in Information Security and Technology. Our role is to innovate or assist with innovation by ensuring key members of our organization can do their work in a safe and compliant manner. Risk is often associated with the negative impacts cybersecurity or governance failures can have on an organization. But risk is not inherently negative, risk can also encompass the organization’s willingness to try something new or enact non-standard changes in an effort to generate revenue.

Pitfalls of Risk

Simplified Decsion Framework - Risk Pitfalls]

A key element when discussing risk is to remember organizational risk does not always equate to what cyber security or technology focused teams consider vulnerabilities. While bad actors, compromised equipment, and vulnerable software could all fall into the risk category, organizational risk covers so much more. Risks impact our organization’s ability to function, accomplish goals/missions, and generate revenue. In its simplest form, risk is anything that impacts the company’s income. Day to day technical teams focus on items like uptime and management of vulnerabilities. These are important components of risk but additional items may include business and legal requirements.

Our role within the organization is when we make a decision, deploy new hardware/software, or build a new process it operates within the acceptable risk and guidelines laid out by governance requirements and mandates. Additionally, business factors can impact what the organization outlines as an acceptable risk.

Leadership teams and organizational boards may generate risk appetite or tolerance statements designed to inform employees what risks are acceptable in the course of their duties. These risk statements and tolerance may encompass risks to specific data, tools, intellectual property, or the organization’s reputation. An organization's willingness to accept or avoid certain types of risk has major implications on the products, processes, and services used by that organization. Risk impacts and/or drives components of each of the three (3) W’s and understanding its impact on decision-making is key to a successful decision process.

Types of Decisions

Use cases for this framework extends beyond the obvious “decisions” we face as security professionals. The most direct use cases are simple software or hardware selections. The SDF is designed to encompass not only those procurement and deployment decisions but extend to capability assessments, use case assessment, creating policies, threat profiling, intelligence mapping, process creation, and even program creation.

How To Use the SDF

The SDF is designed to be a simple, three-part, alignment tool to assist in the decision-making process. It gives users an easy way to document and visualize what requirements may have an impact on their current decision. By leveraging the big W’s to easily identify key points of alignment, the framework sets practitioners up for success.

  1. What are your “crown jewels”?
  2. What governs you?
  3. What people do you have? (What are their skillsets?)

In its simplest form you can leverage the SDF by drawing a circle (or leverage the template available here), splitting it into 3 sections, and writing down the key components for each of the big W’s in the corresponding section as they relate to the decision at hand. Risk is a factor in each of these three categories, as outlined above, and can either be captured as a central circle, footnote, or implied as a component in each of the three (3) W sections represented in the circle.

Simplified Decsion Framework Diagram - Clean]

Once users have identified their big W’s, and the relevant risk impact, the components of their decision can be analyzed. The results of the SDF are designed to help users gain a foundational, organization-focused guide to help them navigate the complexities of modern decision-making. This simple process has the added benefit of helping you identify unknowns related to your decisions. When assessing the entries in each of the big W categories, missing data can be easily identified allowing framework practitioners to recognize opportunities for collaboration or outreach with other business units to fill in knowledge gaps. In some cases, the SDF results become the fastest path to ‘no’, allowing framework users to quickly determine a product, process, or service that does not meet organizational needs or requirements. Analyzing the results of an SDF diagram could lead to various outcomes, all of which are heavily dependent on the type of decision being assessed. Examples include:

  • Narrowing down the selection of a managed service provider based on access to well-trained People resources.
  • Re-evaluating a customer initiative based on misidentified or misrepresented crown jewels.
  • Halting work on a software proof of concept due to misalignment to organizational requirements.
  • Meeting with the Legal team to discuss contractual obligations on goods and services impacted back your decision after identifying a knowledge gap.
  • Changing a cloud hosting service that stores data in locales restricted by your governance policies.
  • Hiring additional security to compensate for lack of internal staff coverage as part of work on a threat profile.
  • Tuning a new organizational governance standard for better alignment with identified crown jewels.

Documenting or visualizing the key components of the decision-making process that capture core business needs, required people capital, and compliance requirements allows for quick, fact based, alignment during planning sessions, meetings, or brainstorming. The SDF is designed to be versatile and highly customizable. Framework users can change components or document in a way that works best for them (e.g., using a simple three column text design instead of a circle). As your process matures, users may choose to start formalizing use of the framework as a requirement for company initiatives. Standardizing the SDF and building it as a requirement in cross functional business processes allows for less friction and faster organization level decision-making.

You can find additional examples in our slide deck found here.

Resources

You can find downloadable, full size, “fill in ready” versions of the SDF here. Additionally, if you’d like full size versions of the commissioned artwork above that represent the big W’s you can find those here. You can also review the slide deck from our formal announcement and release of the framework here.

Versions

Version 1.1

  • Added contents of our slide deck from our RSA presentation (RSA Theme removed).

Version 1.0

  • Released March 23rd 2026
  • Formal release announcement during the 2026 RSA Conference by Stephanie Gass and Mathew Everman.

Releases

No releases published

Packages

 
 
 

Contributors