As cybersecurity professionals, we are all trying to accomplish the same thing, aren’t we? Essentially, we aim to protect our information, systems, facilities, and people. Organizations may have different data, business objectives, and requirements, but the overarching goal remains the same. Enter the framework.
In the coming weeks and months, we will take a deeper dive into some of the more common frameworks to provide more insight on the value, applicability, and nuances of each. Let’s start with the basics.
To use the analogy of a building (an actual building or pretty much anything you build), a framework adds structure and support. Cybersecurity frameworks are a set of recommended practices that make your organization more resistant to attack and better able to respond if you are attacked (which most experts believe is inevitable). When you use a framework, you are leveraging the collective knowledge and experience from a variety of experts. If you are just starting your cyber program, why not take advantage of that knowledge and expertise? Why start from square one?
Does a framework guarantee you won’t be breached? Absolutely not; nothing does. So, why implement one? I’ll use the house analogy again. You may put locks on your doors and windows and install a home security system, but that does not mean your house can’t be broken into; again, nothing does. Still, the locks should make it harder to break in, and the security system should alert you when someone has broken in. A properly implemented security framework should make your organization more resistant to attack (harder to break into) and more resilient (more aware of an attack and better able to respond).
Given the common goal of security, you might be surprised at the number of frameworks out there. There are more frameworks than you can count on your fingers and toes. How many frameworks are there? I’ve listed 15 frameworks below, but it’s not a complete list. Are new frameworks on the horizon? I’d be shocked if there were not.
Fun fact: I asked ChatGPT to list the frameworks associated with the US Government, and one of the frameworks it listed was PCI, which is not a government framework. It also missed a few that I was expecting it to list, specifically FISMA and C2M2.
Good question! There are some important differences in the frameworks and their applicability. To note just a few:
PCI, for example, may not apply to your organization at all if you don’t take payments via payment card. Even if you do and PCI does apply, PCI is specific about how credit card information must be protected, which is a good thing (though often tedious and time-consuming).
Some government frameworks vary the requirements based on the types of data to which an organization has access. Jokes about government bureaucracy aside, that makes sense. Not all data requires the same level of protection. Moreover, there’s a cost associated with implementing the highest levels of protection.
It’s understandable that organizations outside of the US may not feel the need to follow US standards (though some do seem to follow them).
Some frameworks are a different take on the same problem. The frameworks have a great deal of similarity and overlap among them, so it is sometimes a matter of preference. It reminds me of the third-party risk questionnaires many of us must complete for our clients. The questionnaires are different, and yet they’re all pretty much the same.
Some frameworks are adopted by organizations looking to improve their cybersecurity posture, while others are required by industry or government regulation. If you are just getting started, with the goal of improved cybersecurity, I would likely recommend one of the simpler frameworks (e.g. NIST CSF).
Stay tuned for more in the coming weeks and months. However, if you are not sure about how to approach implementing a framework or would just like to discuss, please feel free to reach out to us. Our goal is to help you Achieve Better Cybersecurity and we’re happy to help!