July 10, 2019
Choosing Your Cybersecurity Framework: Tips and Gotchas

Even with the constant changes in cybersecurity, we are still fighting the same basic problems we had 20 years ago: viruses, users who click emails they shouldn’t, and systems that are not patched when they should be.

One difference that does exist today is that we have a variety of cybersecurity frameworks, informed by 20 years of fighting those same battles, that prepare us better to fend off these problems. For example, frameworks helped many companies build out effective vulnerability and patch management programs, which let them avoid the WannaCry outbreak by applying the patch that had been widely available for six months prior.

Frameworks basically ask questions about cybersecurity principles to help you see what you’re missing and determine what you need to do to build a strong program. They give you a place to start and a roadmap of where to go, helping you drive maturity; some are literally structured that way, from basic controls to medium and then advanced ones. They focus you in terms of priorities, actions and spend. They prepare you to respond when you have an issue (“if” is permanently off the table). They allow your business to securely do more. They give your clients confidence that their data is safe with your company. They help you strengthen your program, align it with the business and measure your success at protecting your environment.

Frameworks are sherpas up the Mt. Everest of security. If you have a framework, you don’t need to know everything. But, at the end of the day, they are only frameworks and must be used correctly.

Here are some tips and gotchas honed from 20-plus years on the job working with all major frameworks.

Determine the Best One for You

In the early 1990s, if you wanted to figure out what you should be doing with your cybersecurity program and how it stacked up against competitors, you had to compare notes with your peers. Today, a multitude of cybersecurity frameworks exist. Many are internationally known and offer certification; others are best practices used for reference; still others were created by government agencies.

Which is best for you? The annoying answer is: it depends. Here are some things you need to consider:

  • Your objectives. Your selection will be driven by what you want to achieve. Are you building a program? Are you ensuring you are meeting regulatory demands? Or are you reassuring clients that your current program is strong and their data is safe with you? Those intentions may lead you to different answers.
  • Industry context. You will want to consider what frameworks are preferred in your industry, the regulations you need to comply with, what your clients are asking for or what your competitors are using. If you are in the auto industry, for example, you may prefer one of the ISO 27000 frameworks, which each have a specific focus, offer certification and are followed by many international companies. Or if your competitors are using a less stringent framework, maybe you could select a more stringent one and turn that into a competitive advantage.
  • Organizational alignment. You should take into account what the rest of your company is doing along similar lines. If your audit group is using COBIT, for example, that may make sense for you since it allows you to use the same language.
  • Your company’s maturity level. The main driver of your decision will be your maturity level. For example, if you are just starting out, you may want to use one that is not cumbersome, like the SANS CIS Top 20, to get the basics done, then move on to a more complex and meaty one.

When all is said and done, though, the thing that matters most is what works for you. All of the major frameworks have their pros and cons.

So after you’ve given it some thought and have undoubtedly identified several viable options…

Just Pick One

Don’t overthink it. Any framework is better than no framework. None are perfect, but all are pretty good. Start working it, and know you can make changes and improvements as you go.

Own It; Don’t Let It Own You

The framework is not the boss of you! It is there for your benefit; make it work for you. You can shape it to meet your specific needs and objectives.

Hybrids are OK, and in fact may be the best way to find the perfect solution for you. Take and combine the best of one or more frameworks, or use one for the most part but strengthen certain areas with aspects of other frameworks as needed.

Also, there’s nothing wrong with working one framework for a couple of years to build the program, and then switching to another one to drive more maturity, or just to switch it up to get another perspective. There are no hard and fast rules, other than finding what works for you and your organization.

Pick a Good Partner for the Long-Term

Having a partner who can help you through the process and provide outside perspective is a good way to get the most value from the framework. Good partners can help you select a framework or determine the value of your current one, assess your environment honestly, build a roadmap, and help you scope, cost out and find the right people with the skills to execute the project.

When choosing a partner, consider not only their expertise with frameworks in general and yours in particular (i.e., whether they have tools and accelerators for your framework built into their toolbox), but also whether they can support your growth through the process rather than just checking the box in a one-time engagement. Will they tell you the good, the bad and the ugly truth about where you are? Do they understand the importance of aligning with the business? Do they understand your vision or the business’s strategy for the future? Are they people you’d like to work with on an ongoing basis?

Remember It’s a Constant, Evolving Process

Obviously, this is a process, not a destination. That doesn’t mean you won’t make progress and hit different levels along the way. In fact, the framework makes seeing that progress easy, and measuring your improvement and success is the best way to stay motivated.

Don’t Pay More for Cloud Frameworks

Most frameworks have added controls around things like cloud, social and bring-your-own-device that were not in the early versions. Also, new frameworks have emerged, around cloud for example, that somewhat paradoxically cost an arm and a leg despite being more limited in scope. The cost may not reflect the actual value, so consider that carefully before you invest heavily in a new but limited framework.

Get Executive Support and Business Buy-In

Align With the Business to Help Them Do More, Securely

The only way to really succeed with implementing a framework approach is to align with the business. The goal is not to impact how someone does their job, but to help them do more and do it securely. It also helps them prepare to respond when cybersecurity issues arise.

Be Honest About Where You Are

If you need to start at the beginning and fill basic holes, so be it. The point is to see exactly where you are and how you compare, make the best decisions from there to protect your business, and then improve. Companies that don’t look truthfully at the state of their program and gloss over gaps or issues miss the opportunity to build the strongest possible foundation.

Don’t Try To Do Everything At Once

Many companies try to do it all at once, but the key is to pace yourself. You’re in it for the long haul. Pick it off in bite-size pieces. Figure out where the biggest problems are, what the top priorities for the company are, where the value is, and what low-hanging fruit with high impact you can do first. Then build a plan that is achievable, and set expectations for the business. If you burn your team or your business out early, you’ve lost the war and you’ve barely begun to fight.

Measure Success and Communicate It

The beauty of frameworks is that they provide a real, actionable way to assess where you are and measure your success along the way. These real-world, quantifiable outcomes will satisfy the business that the effort is worth it and give you strong feedback on whether what you are doing is working. These ongoing successes and proof of progress are what will keep the momentum strong as you continue through this ongoing process.

About the Author
CBI, A Converge Company
CBI Cybersecurity
CBI, A Converge Company, is a leading cybersecurity advisor to many of the world’s top tier organizations. Founded in 1991, CBI provides innovative, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape, giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.