Even with the constant changes in cybersecurity, we are still fighting the same basic problems we had 20 years ago: viruses, users who click emails they shouldn’t, and systems that are not patched when they should be.
One difference that does exist today is that we have a variety of cybersecurity frameworks, informed by 20 years of fighting those same battles, that prepare us better to fend off these problems. For example, frameworks enabled many companies to build out effective vulnerability and patch management programs, which let them avoid the WannaCry outbreak by deploying the patch that had been widely available for six months prior.
Frameworks basically ask questions about cybersecurity principles to help you see what you’re missing and determine what you need to do to build a strong program. They give you a place to start and a roadmap of where to go, helping you drive maturity; some are literally structured that way, from basic controls to medium and then advanced ones. They focus you in terms of priorities, actions and spend. They prepare you to respond when you have an issue (“if” is permanently off the table). They allow your business to securely do more. They give your clients confidence that their data is safe with your company. They help you strengthen your program, align it with the business and measure your success at protecting your environment.
Frameworks are sherpas up the Mt. Everest of security. If you have a framework, you don’t need to know everything. But, at the end of the day, they are only frameworks and must be used correctly.
Here are some tips and gotchas honed from 20-plus years on the job working with all major frameworks.
In the early 1990s, if you wanted to figure out what you should be doing with your cybersecurity program and how it stacked up against competitors, you had to compare notes with your peers. Today, a multitude of cybersecurity frameworks exist. Many are internationally known and offer certification; others are best practices used for reference; still others were created by government agencies.
Which is best for you? The annoying answer is: it depends. Here are some things you need to consider:
When all is said and done, though, the thing that matters most is what works for you. All of the major frameworks have their pros and cons.
So after you’ve given it some thought and have undoubtedly identified several viable options…
Don’t overthink it. Any framework is better than no framework. None are perfect, but all are pretty good. Start working it, and know you can make changes and improvements as you go.
The framework is not the boss of you! It is there for your benefit; make it work for you. You can shape it to meet your specific needs and objectives.
Hybrids are OK, and in fact may be the best way to find the perfect solution for you. Take and combine the best of one or more frameworks, or use one for the most part but strengthen certain areas with aspects of other frameworks as needed.
Also, there’s nothing wrong with working one framework for a couple of years to build the program, and then switching to another one to drive more maturity, or just to switch it up and get another perspective. There are no hard-and-fast rules, other than finding what works for you and your organization.
Having a partner who can help you through the process and provide outside perspective is a good way to get the most value from the framework. Good partners can help you select a framework or determine the value of your current one, assess your environment honestly, build a roadmap, and help you scope, cost out and find the right people with the skills to execute the project.
When choosing a partner, consider not only their expertise with frameworks in general and yours in particular (i.e. whether they have tools and accelerators for your framework built into their toolbox), but also whether they can support your growth through the process rather than just checking the box in a one-time engagement. Will they tell you the good, the bad and the ugly truth about where you are? Do they understand the importance of aligning with the business? Do they understand your vision or the business’s strategy for the future? Are they people you’d like to work with on an ongoing basis?
Obviously, this is a process, not a destination. That doesn’t mean you won’t make progress and hit different levels along the way. In fact, the framework makes seeing that progress easy, and measuring your improvement and success is the best way to stay motivated.
Most frameworks have added controls around things like cloud, social media and bring-your-own-device that were not in the early versions. Also, new frameworks have emerged, around cloud for example, that somewhat paradoxically cost an arm and a leg even though they are more limited in scope. The cost may not reflect the actual value, so consider that carefully before you invest heavily in a new but limited framework.
The only way to really succeed with implementing a framework approach is to align with the business. The goal is not to impact how someone does their job, but to help them do more and do it securely. It also helps them prepare to respond when cybersecurity issues arise.
If you need to start at the beginning and fill basic holes, so be it. The point is to see exactly where you are and how you compare, to make the best decisions from there to protect your business, and then to improve. Companies that don’t look truthfully at the state of their program, and gloss over gaps or issues, miss the opportunity to build the strongest possible foundation.
Many companies try to do it all at once, but the key is to pace yourself. You’re in it for the long haul. Pick it off in bite-size pieces. Figure out where the biggest problems are, what the top priorities for the company are, where the value is, and which high-impact, low-hanging fruit you can tackle first. Then build a plan that is achievable, and set expectations with the business. If you burn your team or your business out early, you’ve lost the war before you’ve barely begun to fight.
The beauty of frameworks is that they provide a real, actionable way to assess where you are and measure your success along the way. These real-world, quantifiable outcomes will satisfy the business that the effort is worth it and give you strong feedback on whether what you are doing is working. These ongoing successes and proof of progress are what will keep the momentum strong as you continue through this ongoing process.