Cybersecurity Frameworks: What Do the Experts Have to Say?
Cybersecurity frameworks are blueprints for security programs. Typically developed by governmental organizations, industry groups, or international bodies, they take the guesswork out of developing defense strategies, providing organizations with standards, guidelines, and best practices to help them manage and reduce their cybersecurity risks.
While cybersecurity frameworks such as the Center for Internet Security (CIS) Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) are voluntary rather than mandatory, they complement the compliance requirements an organization is already subject to and give it a structured way to harden its defenses beyond the regulatory minimum.
However, it’s important to choose the right cybersecurity framework for your organization’s needs and implement it properly. So, we spoke to some experts to get their top tips for implementing a cybersecurity framework.
Choosing the Right Cybersecurity Framework
If you’re considering implementing a cybersecurity framework, you’re likely questioning which one to choose. This is the first and most crucial stage of your implementation journey.
The most crucial factor to consider when choosing a cybersecurity framework is your industry and the regulatory regime it operates under. Some frameworks are tailored to a particular sector or compliance obligation: for example, publicly traded companies often use the COBIT framework to structure the IT general controls they need for SOX compliance, while the HITRUST CSF maps healthcare-specific requirements such as HIPAA onto a single control set that healthcare organizations can use to improve their defenses. If you’re unsure which framework best suits your organization’s needs, Tom Huntington, VP of Technical Solutions at Fortra, suggests looking at what others in your industry are using.
Once you’ve established the best framework for your industry, you can look deeper into your organization’s specific needs. According to Donnie MacColl, Senior Director of Technical Support at Fortra, the best way to do this is to “talk with all departments and the executive teams to fully understand current and planned corporate strategy and external positioning and messaging, and from that outcome, determine and agree on the most suitable baseline framework as a starting point, which other frameworks you plan to implement can complement and build upon.”
According to Leron Zinatullin, Board and Startup Advisor and CISO at Linkly, it’s important to remember that no one cybersecurity framework is a silver bullet, that they all have pros and cons, and that some organizations may need to utilize multiple frameworks. Ambler Jackson, Cybersecurity Engineer at Noblis, echoes this sentiment but notes that due to its “broad recognition and applicability,” NIST CSF 2.0 is a good jumping-off point for most organizations.
Should You Apply Multiple Cybersecurity Frameworks at Once?
We touched on this earlier, but you’ll need to apply more than one cybersecurity framework in some cases. But how do you know if this approach is right for your organization? Zoë Rose, SecOps Manager at Canon EMEA, suggests that unless your organization already has a mature cybersecurity program, you should start “with one that makes sense for your environment and needs. Then, when you feel you have made some good progress, you can look at how another framework may enhance guiding your team to further organizational resilience.”
Common Mistakes in Implementing Cybersecurity Frameworks
Once you have decided on your cybersecurity framework, you must implement it. Our experts have identified a few common framework implementation mistakes so you can avoid them.
The first mistake relates to attitude. Amar Singh, CEO of Cyber Management Alliance Limited, argues that too many organizations see cybersecurity frameworks as a tick-box exercise, something that will satisfy the bare minimum cybersecurity requirements. According to Singh, accomplishing only the bare minimum compromises the spirit of the framework.
Similarly, Angus Macrae, Head of Cybersecurity at the King’s Service Centre, suggests that believing that “following any particular framework, standard, or certification achieves some elusive, endgame, 100 percent security nirvana” is a critical mistake in framework implementation. He points out that “our adversaries and threat actors have access to exactly the same frameworks and associated deployment guidance,” meaning an attacker can anticipate which controls a framework-aligned organization has deployed and plan a route around them.
As the adage goes, fail to prepare, prepare to fail. Chris Hudson, Professional Services Architect at Tripwire, says that the most common mistake he comes across is “not planning your approach to implementing the recommendations found by the assessment framework.” He argues that “getting assessment data is great, but having a short and long strategy that addresses the findings is key.”
Best Practices for Implementing a Cybersecurity Framework
Now that we’ve covered what to avoid when implementing a cybersecurity framework, we can look at some best practices. Chris Hudson suggests that organizations should celebrate achieving each part of their implementation plan, recognize the hard work of security and system owners, and demonstrate progress to the rest of the business. This will ensure that staff feel motivated and valued and the rest of the organization (particularly the board) recognizes the value of cybersecurity efforts.
Antonio Sanchez, Principal Evangelist at Fortra, suggests that organizations must tailor the framework to their specific needs and ensure they have a way to measure effectiveness.
He also argues that communication is essential for successful implementation. Sanchez argues that organizations should have a communication plan in place and engage with stakeholders according to their knowledge level. For example, communications to technical stakeholders can include jargon, while communications for business audiences will need to avoid technical language and instead express progress in terms of risk reduced and business objectives supported.
All in all, it’s clear that choosing and implementing a cybersecurity framework requires a methodical, measured, and well-thought-out approach. However, this is merely a snippet of the advice the experts offered. For more information, you can access the full guide here.