CCC SteerCo Formation Discussion #146

Open
crawfordchanel opened this issue Mar 19, 2024 · 1 comment
Labels: Meeting (denotes a working group or project meeting)

Comments


crawfordchanel commented Mar 19, 2024

No description provided.


crawfordchanel commented Mar 22, 2024

Steerco Structure
Key Points:

  • There will be a finite number of Steerco members – 7 suggested, not finalized.
  • Members will be nominated by the Board of Directors.
  • Members will be from Financial Services and will serve 1-year terms.
  • The Steerco's main objective is to provide direction and guidance to the working groups (Taxonomy, Threats, and Mitigations) and to address inactive members.

CC – Provided introduction and topics to be discussed:

RO – I like decision making bodies to be tight. Too many? Too many different opinions. That is why I’m not a fan of the unlimited. I looked at the Information Security Office organization (ISO) and how they run their operation. Fairly tight is typically how it’s run, with appointed experts. Ideally, two membership types – standard body and observers. It’s sort of how we’re running it now. Anyone can observe. Steerco members talk and vote. To ML’s point: we’re creating an industry standard that the regulators will get behind. It needs to be financial services.

What is the problem? We need more financial services people involved with the creation of the standard itself. Focus on FSI being on the steerco is critical. Otherwise, regulators won’t take it seriously and neither will the CSPs.

ML – Just wanted to say EK updated the PR to narrow it – “Create a charter and assign members to the top level must be from the most active CCC participants and from financial services institutions”

RO – That works. I like it. If we’re the only active FSIs then it’s a Citi standard. It’s not industry wide. So that’s key, attracting those other FSIs. The aim of the steerco is effectively a standards body. We need to codify what that means. It’s setting the objectives. It’s voting on significant changes in strategy. Example: Today we’re primarily focused on, in order, creating a taxonomy, creating a threat catalogue with MITRE, and threat mitigations with OSCAL. If there was a change to that, that would be a steerco decision. Making sure those 3 working groups, and the leads, understand what they’re doing.

RO: AH – The OSFF in NYC. There are videos online. So, one reason we thought it might be a necessity: Google and BMO did a talk explaining what CCC is. There were questions from the audience, around things like “is this a continuous monitoring framework?” They said yes, and it’s not; it may come later. The steerco is about keeping us on the arrow. Those 3 things we’re focusing on right.

AH – I think the steering group voting should be FSI. I think saying “active” is dangerous. How do you say someone isn’t active? I would have a problem if they were all local US banks. There needs to be a mix. Create some more diversity, but also from a regulatory point of view, so we do not end up with some jurisdictions being represented and not others.

RO – Agreed. We do not want this to be a Citi standard. It needs to be an industry standard.

ML – We have had banks be members and inactive the whole time.

RO: That is a key concern yes. I was trying to find the documentation around ISO and how they describe it. We use something similar. If you look at ISO technical committees. The technical committees are essentially experts in the field who are able to make empowered, but knowledge-based decisions for the development of the standard. So, the issue with having an inactive

AH – If you have an inactive member on the steering group I would assume we’d actually talk about that. Are they in or out of CCC, right?

RO – Yes. Correct. Do you think it’s worth taking a similar model out to the technical oversight committee? Technical steering committee.

AH – Yes, they have a two-year tenure.

RO – It might be a year on that. Then there is a voting mechanism. We could say Board members have to nominate people to serve on the steerco, because the board meets on a monthly basis. So, the steerco can escalate issues to the board for being inactive. ML, what do you think about that?

ML – That board members nominate the steerco members?

RO: Yes. So, the steerco can escalate to the board about people not participating. Being inactive.

ML – Sounds like a decent idea.

AH – Who is on the board? Not individuals but representation? Like is it FSIs?

RO – All platinum members have a seat on the board. Gold members have 5 seats on the board. Silver has one, or something like that. FSI are at the top. A decent amount of buy and sell sides. Blackrock for example. Good representation there.

AH – That sounds like a good approach – the board can nominate steerco members, and those people have a one-year tenure.

RO: Then the steerco can escalate to the board for inactivity.

ML – The other one then: it will be 7 members, right? We are supposed to be finite. The other option was that it was open. Most people want finite. Is 7 okay? If it is finite, it has to have a number.

RO – I am in favor of smaller ones. I am wondering, then, whether steerco members could be made up of the workstream leads, 2 leads per workstream, plus 2 or 3 appointed by the board. Because you will always have the experts active. Plus, that guidance piece from providing board direction. I talked myself out of it though.

AH – How does the steering group get an update from the WGs? Are we asking one of the WG leads to report back on a regular basis? How does the steering group know what to discuss?

RO: In theory, ultimately a program management of work should have outcomes we expect to achieve. Steerco really is all about, on a quarterly basis, are we not quite sure about something and are we all on track. It is not a big task.

AH – I think you are right; for workstream leads it is an extra commitment for them. If they choose to participate, they can do that. If they want to surface something to the steerco, they can do that through having a quarterly agenda.

EK – Could you catch me up a little bit?

CC – Provided recap

RO: And to add that essentially the board would appoint members of the Steerco, like the TSC has done. They nominate people. How do we address inactive members? A.) They need to be empowered, B.) They need to be experts, and C.) They need to be active. If they are not active, how do we fix that?

EK: So, a couple of things, what are the three points again? – Active, empowered, expert? I want to make sure I address each one.

EK: People are empowered by the charter. It should say what they should do and how. That is the authority.

RO – They are empowered by their organization as well. That is a really key point. Not just a figurehead that no one pays any attention to. It has got to be adopted.

EK: Now expert, it is a very specific term. In this case we need cyber security, the landscape experts, how all the different services work together, the architecture experts, and experts in regulation. The last piece we’ve been going in circles with, the governance, expertise related to organizing open-source communities. That’s an expert we need to have as well. The 3rd point is related to activity – My proposal is coming from the Kubernetes community from my time working with all these projects and communities.

In the proposal, addressing the activity level is done through setting requirements for the role. This is what the role is, this is what you’re responsible for, this is what you need to do. Giving the steerco the ability to remove that person itself.

Second thing is related to expertise – in the current proposal, putting the steerco as the organizational experts. Not as governance or cybersecurity experts. Not people getting partnerships. Because we should have a set group of people that need to be thinking about just the structure. What goals? What groups do we have, etc. Non-technical stuff would roll up to them. They’d delegate everything else out. Cybersecurity issues? Delegate. When we need direction, we go to the steerco.

The Steerco’s job is to empower and delegate other people to solve whatever problem may come.

RO – That makes sense. The issue with that comes back to the requirement that the standard needs to have credibility to be accepted by regulators. I’m not sure a standard which does not have a steerco made up of cybersecurity experts would have the right level of credibility with regulators.

EK – Cybersecurity – I would propose steerco create community group that is the cybersecurity standard – These are the people that take care of this. Added to CCC repository. So, we have a group, and the steerco says this is what they’re empowered to do? They can veto this etc.

ML: I do not think they need to be cloud architects or experts in being open-source community builders etc.

RO: That’s effectively what we have in the WGs. Experts in taxonomy, experts in MITRE threats. It feels like a lot of overhead to be creating a bunch of different groups.

CC to set up follow-up discussion for 3.22.24

@crawfordchanel crawfordchanel self-assigned this Mar 22, 2024
@crawfordchanel crawfordchanel added the Meeting Denotes a working group or project meeting label Mar 22, 2024