Considering Cybersecurity and why a Framework Matters
In a domain with as much uncertainty and complexity as cybersecurity, a common first step for organisations is to ask where they stand relative to similar companies: essentially, are we ahead of or behind what is expected of an organisation like ours? Determining the norm and staying within that lane is a reasonable heuristic when entering a domain without in-house subject matter experts.
A useful way to determine this positioning is to consider how mature the organisation is across the key drivers of cybersecurity risk. These are:
- People: The behaviour and knowledge of the team
- Processes: The nature of the work the team undertakes (e.g. how complex or repeatable it is)
- Systems: The tools and infrastructure in place that enable the team to do this work
Here the risks are to the confidentiality, integrity and availability (CIA) of the organisation's information assets. In this analysis I've defined three levels of progression:
Level 1: Basic
This doesn't mean there is no risk management, but rather that the solutions in place to address risks lack central control, formality or repeatability. More weight is placed on good luck than on good planning. There is also no consistent or managed effort to identify the assets that require protection, so there is no way to be confident that all assets are protected appropriately, either now or in the future.
Level 2: Improved
An authority has been identified within the organisation who has considered the assets and their associated risks. Solutions may be in place that were developed for the purpose of risk mitigation, but they may be specific to a team or function. They may also lack formality and oversight, which results in variable outcomes.
Level 3: Best practice
This indicates that a formal risk management process has been followed to reach an optimal solution for a defined problem. The solution is documented, and the relevant processes are followed for implementation and oversight. The solutions in place are also reconsidered on a regular basis to allow for continuous improvement.
A Cybersecurity Framework
Getting an organisation into the best-practice range across the three key drivers of risk takes considerable effort and planning. An effective approach for most organisations is to follow a roadmap that provides a step-by-step pathway through every part of the organisation that must be involved for the effort to succeed.
Beyond the real risk mitigation this exercise delivers, the principal benefit of using a recognised framework is the ability to demonstrate that mitigation through independent audit and certification. Showing suppliers and customers that the organisation is a 'safe pair of hands' can enable commercial success.
Here is an overview of some popular frameworks:
ISO/IEC 27001
- Developed by: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Switzerland
- Approach:
- Information Security Management System (ISMS)
- Risk assessment and treatment
- Security policies, controls, and audits
- Use Case: Globally recognised certification; the organisation defines the scope of its ISMS and selects the controls appropriate to its own risks
NIST Cybersecurity Framework (NIST CSF)
- Developed by: National Institute of Standards and Technology (NIST), USA
- Approach:
- Identify – Understand cybersecurity risks to systems, assets, and data
- Protect – Implement safeguards to mitigate risks
- Detect – Monitor and identify cybersecurity events
- Respond – Take action against detected cybersecurity incidents
- Recover – Restore services and minimize impact post-incident
- Use Case: Widely recognised in the USA, where it is voluntary for most sectors; version 2.0 (2024) adds a sixth function, Govern, covering strategy, policy and oversight of the other five
CIS Controls (Center for Internet Security Critical Security Controls)
- Developed by: Center for Internet Security (CIS)
- Approach:
- Provides prioritised security controls to protect against common cyber threats
- 18 critical security controls (e.g., asset management, data protection, security monitoring), grouped into Implementation Groups (IG1 to IG3) so smaller organisations can start with a minimum set
- Use Case: Practical guidance for IT teams to strengthen security
COBIT (Control Objectives for Information and Related Technologies)
- Developed by: ISACA (Information Systems Audit and Control Association)
- Approach:
- Framework for IT governance and management that aligns IT, including security, with business objectives
- Risk management and compliance
- Use Case: Suitable for enterprises managing IT governance alongside security
PCI DSS (Payment Card Industry Data Security Standard)
- Developed by: PCI Security Standards Council (founded by the major card brands)
- Approach:
- Protection of stored cardholder data and encryption of it in transit over open networks
- Network security controls and access management
- Regular monitoring and testing of security systems
- Use Case: Contractually required, via the card brands and acquiring banks, for any organisation that stores, processes or transmits payment card data