Leveraging frameworks (and standards) to assist you in evaluating cybersecurity maturity
This blog is part of Apex Digital Solution’s Best-In-Class Security series. In this blog series, we explore key topics in Developing and Implementing a Best-In-Class Security Strategy.
When it comes to building any successful strategy or program, one universal success factor is defining how your organization will track and measure the success of that program. Without it, you cannot tell what is working or what your next actions should be. Developing a best-in-class (cyber) security strategy is no different.
The first key step is deciding what you will measure yourselves against, so that you can define what success looks like. In cybersecurity, we most commonly use standards or frameworks to do this.
In the simplest terms, a standard is a rigidly defined set of requirements, whereas a framework is a more flexible methodology or approach. In practice, standards usually specify the settings, configurations, or systems that must be in place to comply, and compliance can be audited against them. Frameworks identify the key areas of concern that should be addressed, but they are generally not explicit about how you achieve them (i.e., specific settings or configurations). The industry sometimes uses the two terms interchangeably, and some frameworks are considerably more prescriptive than others.
Organizations should understand whether they have regulatory or contractual compliance requirements that mandate a specific standard. For example, if you store, process, or transmit cardholder data, you most likely must adhere to the Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS is a contractual obligation imposed through the card brands and acquiring banks rather than a government regulation, but the consequences of non-compliance (fines, higher transaction fees, loss of the ability to accept cards) are very real. Knowing which standards you are subject to is critical, because they remove much of the choice described below.
Organizations often must comply with a mixture of state, national, and industry-specific regulatory, legal, and privacy requirements. This challenge is considerable for any organization, but especially for those that trade globally. For this reason, many organizations do not select a single framework or standard but end up combining several to achieve their goals. There are many frameworks and standards, but here are some of the most common ones used globally:
- International Organization for Standardization / International Electrotechnical Commission – ISO/IEC 27001
- National Institute of Standards and Technology – NIST Cybersecurity Framework (CSF)
- Center for Internet Security (CIS) – Critical Security Controls (CSC), known as the "Top 20" at the time of writing (version 8 consolidated them into 18 controls)
- Payment Card Industry Security Standards Council – PCI DSS
There is no right or wrong decision in terms of selecting a framework and/or standard – except when your organization has specific legal or regulatory obligation.
In most cases, selection can and should be based on what best suits your needs, or even on what is realistic for you to implement given your organization's resources (or lack of them). Organizations can quickly become overwhelmed by the sheer size or complexity of some frameworks and standards, so break the implementation down into manageable phases that you can achieve over time.
For example, ISO/IEC 27001 is considered one of the "gold standards" because it is an auditable, certifiable specification for an information security management system (ISMS); however, it is also more complex to achieve and maintain for many organizations. By comparison, the NIST Cybersecurity Framework has become one of the most popular frameworks, in part because of how it reduces complexity. NIST defines "functions" that organize basic cybersecurity activities at the highest level: Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, published in 2024, adds a sixth function, Govern, that spans the other five.)
Alternatively, the Center for Internet Security (CIS) has long developed and refined its Critical Security Controls to help organizations defend against the attacks most commonly seen in the wild. The CIS Controls are unique in being more prescriptive and actionable: they define specific safeguards to implement across the organization and, since version 7.1, group them into Implementation Groups (IG1 through IG3) so that a small or resource-constrained organization can start with the essential subset and grow into the rest.
Again, there is no right or wrong answer. It is best to review each of the frameworks and assess them against the resources and skill sets you have internally to ensure an appropriate match. Absent a legal or regulatory obligation, the CIS Controls can be an extremely valuable place for any organization to start, because they balance relative simplicity with a prescriptive list of the specific controls you should implement to improve your maturity and overall security posture.
Once you have selected a framework, it is time for the fun part: assessment! The next blog in the Best-In-Class series ("Mind the Gap!") will cover understanding your current maturity versus your target operational and capability maturity. From there we can identify, prioritize, and address the gaps to continue our security journey while we sleep happily at night.
Developing and implementing a best-in-class cyber security strategy takes time, focus and resources. Cybersecurity is a journey, not a destination — there are no shortcuts.
View the Webinar: Senior Security Advisor, Sean Blenkhorn, and Apex Digital Solutions CEO, Jason Lambiris, in the first of our “Best-in-Class Series” webinars, provide a look at the key steps in developing a cybersecurity strategy and how to measure, monitor, and mature your strategy over time.