I had a little back-and-forth with rybolov in the comments on my military post, and he introduced me to something called the Business Reference Model, right out of some government publications and NIST 800-60.

Kicking ass, as only a Guerilla CISO can, he responded with two great blog posts showing how we can steal from this model and adapt it to the enterprise world. On the surface (I haven’t had time to dig in yet) it looks like an interesting way to help align business priorities, data classification, and security priorities. While I’m not a fan of complex models, I’m a big fan of anything that can help bridge the language divide between the business and IT.

Check out his posts here and here.