Building a highly effective information security program isn’t simple, especially for small and midsized organizations with limited resources. If you’ve decided to invest in improving your cybersecurity maturity, it can be challenging to figure out where to start.
A cybersecurity framework will provide a set of standards, guidelines, and benchmarks that can help you understand your current cybersecurity posture. It can also make it easier to prioritize initiatives so that you can accomplish your security and governance objectives, meet regulatory requirements and protect your customers’ data. Additionally, and perhaps most importantly, basing your program off a known framework gives it more legitimacy and credence, yielding more assurance to stakeholders such as customers, investors, management and your Board.
It’s a bit like framing a house as part of a construction project: a cybersecurity framework supports you in managing all the interlinking components that are integral to an InfoSec program. Following a framework doesn’t automatically make you secure, but it does provide you with a blueprint. When you adhere to a cybersecurity framework, you’ll know that you’ve covered all the fundamentals and considered all the essentials in order to strengthen your security posture.
Which cybersecurity framework should I choose?
There’s considerable overlap between most of the major industry standards and government-developed frameworks. Which one you select is less important than how well you implement and maintain it. What matters is follow-through: have its tenets been integrated into how you do business?
In most cases, the nature of your industry and customers’ requirements will dictate which one is best for your organization. If your company has a global reach, it may make sense to follow a framework that’s internationally known. If you’re a defense contractor in the United States, you’ll be required to meet the standards outlined in the Cybersecurity Maturity Model Certification (CMMC), which is based on the National Institute of Standards and Technology (NIST) Risk Management Framework.
All major cybersecurity frameworks incorporate a mix of technical, physical and administrative controls, and all outline preventative, detective and corrective capabilities that security programs should strive to cultivate.
Major cybersecurity frameworks
NIST Risk Management Framework
Outlined in Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, the NIST Risk Management Framework is a robust and comprehensive set of guidelines. Now in its fifth revision, this framework incorporates hundreds of controls, including ones added to address recent attack trends such as the targeting of third-party vendors and supply chains. NIST designed this framework to protect U.S. government agencies and the contractors that serve them, but it has also been widely adopted within the private sector.
NIST also publishes the NIST Cybersecurity Framework (NIST CSF), which incorporates a smaller subset of the controls found in SP 800-53. It is simpler to understand and adhere to than the full standard outlined in SP 800-53, but it is less comprehensive than the Payment Card Industry Data Security Standard (PCI-DSS). This means it is generally appropriate for use only by very small organizations that don’t process credit or debit card payments from their customers.
ISO 27000 series
Published by the International Organization for Standardization (ISO), the ISO 27000 series grew out of the British standards and is popular worldwide. Though broad and inclusive, ISO 27002 outlines controls that comprise only a subset of those found in NIST SP 800-53.
CIS Controls
Developed by the Center for Internet Security and the SANS Institute, this set of controls was initially called the “CIS Top 20,” but has since been further simplified. Explicitly designed to provide a basic starting point for organizations that are just beginning to cultivate a more mature cybersecurity posture, the 18 CIS Controls are pre-prioritized to help security programs understand what is most important and where to start.
The quality of implementation is what matters most
Regardless of which framework you choose, it is critical to undertake routine assessments to ensure that you are continuing to adhere to it and continuing to improve your security posture over time. It is not so much about attaining alignment on paper or passing audits as it is about the organization embodying the objectives of the framework through behaviors and action.
Do you want to learn more about cybersecurity best practices? Check out our latest blog articles, or contact a member of our CISO advisory team to get personalized recommendations in a free consultation.