From the Desk of the vCISO: Using Security Frameworks to Build Your Cybersecurity Program
With the number of cyber threats increasing, companies need to ensure they have robust cybersecurity frameworks in place. However, finding the right program is often easier said than done in an increasingly complex cybersecurity landscape that’s filled with a myriad of tools and services—each promising to solve different pieces and parts of the security puzzle.
Instead of helping, this abundance of options leaves many IT teams stuck in analysis paralysis: unsure which choice is best and worried about the consequences of getting it wrong. That usually leads to one of two scenarios:
- Nothing happens. IT pros are overwhelmed, and some simply throw up their hands in defeat. The reality, however, is that doing nothing is the worst possible path, because it leaves the organization exposed to cyberattacks while nobody owns the risk.
- Point solutions are deployed on a threat-by-threat basis. IT pros take a reactive approach to cybersecurity: every time a new threat emerges, they purchase a new point solution. Rather than mitigating risk, this approach introduces it, because buying and deploying numerous point solutions results in isolated, complex and costly IT infrastructures that are difficult to manage and maintain, and whose coverage gaps and overlaps are hard to see.
Establishing a Security Foundation
The best approach, of course, is to establish a strong security posture from the start—a foundation upon which to build, based on stringent industry standards, with controls in place that you can measure, track and report on as part of an overall governance framework.
The right security framework serves as your blueprint for building a robust IT security program—and provides much-needed guidance to your team as you consider new tools and technologies.
There are many security frameworks available and in use—so where do you begin?
The first place to start is your industry. Are you required to follow an industry-specific security mandate, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Information Trust Alliance (HITRUST) framework? If so, that mandate sets the baseline your program must meet.
Additionally, I’d recommend looking at one of the commonly used security frameworks—each of which provides different levels of granularity and maturity that can either augment what you already have in place, or serve as your starting point. Consider the following:
- CIS Controls: CIS Controls are a set of guidelines that provide specific and actionable ways to protect your business from pervasive cyberattacks. These controls are a short list of high-priority defensive actions that provide a “do this first” starting point for businesses looking to improve their cybersecurity. I typically advise clients starting from ground zero to follow the CIS framework because it is a high-level security roadmap, providing easy-to-understand controls, best practices and advice. CIS Controls provide a solid security foundation for companies just getting started—with the ability to further mature your program as you check those cybersecurity boxes.
- NIST Cybersecurity Framework (CSF): The NIST CSF is a voluntary, flexible framework originally developed to help secure critical infrastructure. It does this by providing guidance, standards and best practices for protecting critical digital assets. The framework also provides a systematic methodology for managing cybersecurity risk, and it can be customized to complement your existing cybersecurity and risk management processes.
- ISO 27001: ISO 27001 has become a gold standard for security excellence. It specifies the requirements for an information security management system (ISMS): a framework of policies and controls for how a modern organization should manage and protect its information. Risk management is a key part of this framework, ensuring that a company understands its security strengths and weaknesses. ISO 27001 is broad and can be applied across a wide array of businesses, regardless of their size or industry.
Many Cybersecurity Frameworks to Choose From, One Goal
Though there are many security frameworks to choose from, they are all designed with the same goal in mind: to bring sense and order to what often feels like an overwhelming task. Choosing a framework is the first step toward building a governance-based cybersecurity program that produces measurable outcomes and mitigates business-specific risks.
As you embark on your cybersecurity journey, remember this: Security frameworks are a great foundation on which to build your cybersecurity program, but they aren’t a magic wand. To effectively protect your business against today’s sophisticated cyberthreat landscape, you must continually build upon and evolve your strong foundation with a multi-tiered security strategy that is proactive, risk-based and followed by everyone in your organization. Managed service providers like Navisite offer services to help you boost your security posture with ongoing threat protection. From assessing the current state of your security to providing ongoing and proactive managed security services, we deliver the security expertise and protection you need using the latest technologies and security controls to catch threats before they cause a disruption to your business.