Cybersecurity frameworks are quite similar to relationships—you get out of them what you put into them. To some extent, we have all waded into the waters of cybersecurity frameworks. However, unlike an anti-virus rollout, you can’t half-ass it.
These frameworks exist to guide the implementation and management of security controls within your organization, and when used properly they allow any security leader to more intelligently manage the cyber risk. Sticking with the “half-hearted” theme, you can’t take a haphazard approach to tackling information security in an organization—at any level.
Businesses are going through an ongoing technological transformation because of the rapid rise of and changes to cloud, analytics, mobile devices, and social media. These elements are creating a pressing need for increased formal guidance to better help organizations drive their cybersecurity programs more effectively. Security frameworks will help to prevent that half-hearted, “Mickey Mouse” approach to the organization’s security efforts that we see all too prevalently today. Looking ahead, those organizations that choose to avoid adopting a framework will find themselves at a competitive disadvantage.
Where do I start?
I am often asked by clients and other practitioners: What is the best security framework to use? There is definitely no shortage of options, and navigating those waters can leave even experienced security professionals shaking their heads in utter confusion. Starting with the optimal outcome and working backwards, we can confidently say that the “ideal framework” should provide a comprehensive guide to best practices while still leaving some wiggle room for interpretation, which allows organizations to customize their controls implementation to better fit their risk profile. Frameworks come in all shapes, sizes, and complexity, plus they vary based on the company’s industry. To a large extent, you will notice that among most frameworks there is quite a bit of overlap in security concepts.
Adopting a framework (or combining elements from multiple frameworks) is one of the most impactful security measures that can be enacted at an organization. The security/compliance benefits are obvious: achieving compliance with contractual obligations, fewer security incidents (freeing up resources in the process), and improved maturity in security operations (managing security more effectively). Other benefits to the business include discounts for cyber insurance—which equals cost savings, and that makes the bean counters very happy!
It’s a long-haul program, not a project
For those seeking instant gratification, security frameworks are not for you; you should go chase some shiny object instead (may I suggest chasing the latest security marketing hype)! Implementing a framework (and reaping the many benefits) takes time. This is very much a continuous journey—this isn’t rolling out Office 365 and being able to call it a day a few months down the road. The journey of adopting a cybersecurity framework is very much like the much ballyhooed Road to Hana. (I am not referring to SAP Hana but the lovely Maui, Hawaii tourist attraction.) The trek to Hana takes travelers on beautifully long winding roads with absolutely breathtaking scenery; awe-inspiring waterfalls, utterly amazing cliff sides, mountains, and idyllic beaches. Oddly enough, the town of Hana is nothing special—there is one gas station and a few run-down buildings. The true beauty (and learning) is along the journey itself, not at the destination.
The most popular frameworks being adopted currently are ISO 27000 series, CIS SANS Top 20, NIST 800 series, and the NIST cybersecurity framework (CSF). It is clear from these figures that many organizations will adopt more than one framework—or at least aspects of different frameworks—as they travel down their individual paths towards better security controls implementation and management. Adopting one or more frameworks allows the organization to identify gaps and opportunities, and eventually learn what best suits the organization.
Which one should I choose?
To answer the question that I posed earlier—what is the best framework to use?—the best framework is the one you are fully able to adapt to your organization’s unique security needs. Frameworks are no different than building blueprints: each is customized to meet the required specifications and intended use for the individual implementation.
The choice to use a particular (or combination of) cybersecurity framework(s) can be driven by multiple factors unique to your organization. Unlike choosing a friend or mate, there really is no wrong answer in choosing a framework (or frameworks). To paraphrase the song Freewill by Rush: the only wrong choice is in not making a choice.
About the author: Dominic Vogel is currently Chief Security Strategist at Cyber.SC, where he focuses his energy on helping start-ups and small/midsize businesses solve cyber security challenges. Dominic has a wide-range of experience overseeing numerous projects including security strategy development, policy development, endpoint security, and threat management in a multitude of industries. He will present “Creating a Relevant Cyber Security Governance Framework: Supporting Business Digital Transformation” at InfoSec World 2017.