Health care has HIPAA. Credit card merchants have PCI. But if you’re not part of these compliance-heavy industries, how can you know your cybersecurity is up to scratch?
The answer is a cybersecurity framework: a set of practices, policies, and processes that holds your organization accountable for its defenses. Security frameworks provide a structured approach to assessing risk, setting up a security strategy, and allocating security resources. They are measurable, repeatable, and used across many organizations.
While these frameworks are helpful for deciding if your security is in good shape, they can also require more resources than you can spare—which is why your company might not have a framework in the first place.
But there are options for any size company, and with a little knowledge, you can choose a security framework that works best for your organization. Whether you’re large or small, here’s what you should know about security frameworks.
The heavy hitters
Most organizations first decide to invest in a security framework because of compliance requirements; it is a way to prove they have met the industry's standards. In this case, frameworks tend to be mature, meaning they have a lot of policy-oriented pieces to them, and can be difficult for smaller businesses to engage with.
There are three main security frameworks that fall into this category:
- NIST: Typically used by federal and state organizations, NIST is probably the most mature security framework currently available. It is free to use, and often acts as a baseline for other security frameworks. However, its maturity also means it is both complicated and all-or-nothing, and it often requires a lot of resources to implement properly.
- ISO: This security framework focuses on legal, physical, and technical controls, and is often requested by customers who already use ISO standards in other aspects of their business. It emphasizes a top-down, risk-based approach, and the standard must be purchased to use.
- COBIT: Mostly used in Europe, COBIT offers a framework emphasizing information governance and enterprise risk management. It also requires payment to use.
These three are the most mature security frameworks out there. They certainly provide strong guidelines for protection, but often at a cost in resources that most small businesses cannot bear. If that is the case, what should you do instead?
How to find a manageable security framework
If you do not have any specific compliance requirements and do not want to invest in a resource-heavy framework, but still want to set best practices for your security, one of the best options is the Center for Internet Security's (CIS) Critical Security Controls (formerly the SANS Top 20). Aligning your IT environment with this set of 20 controls can help you identify critical security gaps, prioritize which controls to deploy first, and measure how effective they are.
The CIS Controls focus on technical directives rather than policy- and process-oriented ones. By limiting policy work to the controls themselves and their supporting tasks, the resources needed to adopt this kind of framework become more manageable.
The 20 CIS Controls are also divided into different subgroups, so that you can focus on the fundamentals first, identify areas for improvement, and develop a plan to mature your security program.
Another benefit of this approach is that it is easy to scale up: most controls on the list map to controls in NIST or the other frameworks mentioned above, meaning you can always choose to migrate if you have the time and resources to do so.
Secure your system
A framework does not guarantee safety from every form of cyberattack, but it does provide a measurable, repeatable baseline that shows where you stand compared to other organizations, as well as a defined set of best practices for your organization to follow. By measuring yourself against a standard, you can improve your security capabilities and better track your goals, objectives, and eventual progress.
While choosing the right framework may be difficult, do not let the process and documentation drive you away from the possibility. There are options out there for smaller businesses that cannot take on the entire process a mature framework involves but that still provide the guidance you need, including an initial baseline framework alignment exercise. Talk to your account executive today to find out more.