This article was originally published by CI Security. To read the original posting of this article, click here.
Selecting a standardized framework is a critical step that every organization must eventually take to mature their cybersecurity program.
At a recent meeting with a customer of a medium-sized business, I encountered a security position that I have seen many times before: a small IT team tasked with managing both security and production, a limited budget, and an increasing concern about risks. With no formal InfoSec plan in place, the customer was looking for guidance on how to get more serious about cybersecurity and find ways to communicate needs to management.
To accelerate their intent to make progress on their security journey, let’s explore the options available and reasons why it’s necessary to implement a standardized cybersecurity framework.
Avoid Negative Outcomes with a Cybersecurity Framework
Packaged simply, “cybersecurity” events can be fairly categorized as having three negative outcomes:
- Unauthorized records disclosure
- Disruption of service
The challenge for the medium-sized business is reducing the likelihood and managing the potential impact of these outcomes. When organizations consider the outcomes they want to avoid, it becomes clear what priorities need to happen based on fiduciary impacts. Rather than starting from scratch to identify the steps to take, organizations like the one mentioned above are better off using one of the well-established cybersecurity standards and frameworks.
In my experience there are a few common business drivers for security. The following three drivers are the ones I see most commonly used by companies to select their framework:
- Compliance requirements: These include regulatory requirements such as HIPAA/DFARS/Sarbanes-Oxley, and industry requirements such as PCI-DSS.
- Customer expectations: To satisfy security queries that are today routinely made business-to-business, customer demand may drive compliance with standards like ISO 27001, SOC2, HITRUST.
- Risk management: Managing risk helps the overall goal of improving security to avoid the outcomes listed above.
The customer with whom I was speaking was trying to do #3 – good risk management. For teams that fall into that category, deciding which framework to follow can be confusing. There are many options and no mandate to follow any specific one of them. There is always an inverse relationship between security and convenience – not to mention budgetary restrictions – so it is important to decide on reasonable and actionable controls.
Customize Your Chosen Framework
There are a variety of frameworks available online for organizations to leverage for their cybersecurity programs. The most detailed framework is NIST 800-53, but anyone familiar with it can tell you it’s sure not convenient.
Instead, the NIST Cybersecurity Framework (CSF) is a good place to start. It is a functional model, classifying risk through the 5 phases of the NIST Lifecycle: Identify, Protect, Detect, Respond, Recover. NIST CSF is customizable and outcome-oriented, allowing the organization to determine how to best meet each outcome without being prescriptive about specific controls.
Another popular framework is COBIT, which takes a holistic business process-centric view of security, emphasizing stakeholders and roles that are organized into RACI teams (Responsible, Accountable, Consulted, Informed). The SANS Top 20 is another option providing concise controls based on current attack models, along with baseline configurations for hardening operating systems.
Regardless of the framework selected, medium-sized organizations have evolved their cybersecurity posture by going through the process of selecting and customizing a framework significantly.
Use the Framework to Assess Cybersecurity Risks
A best practice in selecting a cybersecurity standard is to speak with a consultant experienced with Focused Security Assessments, Risk Assessments, and Gap Analyses. This type of engagement baselines existing technical, management, and physical controls against the standard and provides corrective action as part of a report that can be shared with executives to demonstrate the status quo as well as goals toward an improved security posture. Even customers with strong technical controls in place often find the need to formalize written policies, align procedures with other departments, develop security awareness trainings, and other requirements that may fall outside of the typical IT workflow.
Additionally, the output of the gap analysis against a framework constitutes a “corrective action plan”. The results of the analysis and associated plan can then be used to service the increasing number of requests for security information by business partners, insurers, and third parties. In other words, assessing your organization against the NIST framework has an additional benefit of pulling together your “security papers”, which finance, health, and DIB (defense industrial base) are now required to collect, with organizations in all other sectors following suit.
Getting Budget with a Standardized Framework
A standardized framework will help your organization identify priorities, and areas that can de-prioritized. The framework can also be used to establish a foundation for getting budget for your initiatives. Using the context of the framework, industry standards can be used as benchmarks for budgetary requests. Risk management can be presented to the Board in a compelling way to establish common ground.
The customer I mentioned at the beginning of the article is still deciding on the next path of their security journey. Whichever standard they choose will be a more aware, organized, and (with some corrective action) better protected organization.
Need help with selecting a cybersecurity framework or standard? Our professional services team can help you identify the right framework for you, as well as provide critical customizations for your internal and external stakeholders.
About the Author: Steve Torino is a Information Security Expert and Cybersecurity Engineer based in Boston, MA. You can reach Steve on LinkedIn at https://www.linkedin.com/in/5t3v3/.