One of the keys to CISO success is to choose a framework to guide the work of your security program and, ultimately, simplify the complex world of cybersecurity in a way that can be more easily understood by business leaders.
But, what framework should you choose? How can you make sense of the veritable alphabet soup of cybersecurity frameworks that are available?
After working with a number of clients and students in organizations of varying sizes and maturity levels, I find that it’s useful to segment the landscape of cybersecurity frameworks into three buckets: control frameworks, program frameworks, and risk frameworks.
1) Control Frameworks
Let’s begin with an analogy. If you want to be a writer you have to first start with a strong grasp of language and vocabulary. The words you can use in your writing are contained in the dictionary. Similarly, the security controls you can implement are described in various control frameworks.
NIST 800-53 is a comprehensive control framework. It contains every possible security control you might want to implement. Obviously, you can’t and don’t want to implement every single control possible. This is why NIST 800-53 has grouped controls into low, moderate, and high-impact categories so you can identify the appropriate controls for your situation.
Another control framework is the Critical Security Controls developed by the Center for Internet Security (CIS). They define the “Top 20” controls that have been shown to mitigate the vast majority of the most common and impactful security attacks. Based on attack data and a years-long collaboration between government agencies, enterprises, and organizations of varying sizes, the Critical Security Controls have become a guide that defines some of the most useful “words” in the dictionary.
2) Program Frameworks
I see many organizations start their security journey with the Critical Security Controls. It’s a great foundation but, to stick with the analogy, a writer doesn’t become successful simply by using the most common words in the dictionary. She needs to know how to put these words together in a way that is pleasing to her readers. In some cases, she might need a style guide to serve as a reference point for writing documents. A program framework is like a style guide.
ISO 27001 is a comprehensive program framework that defines the requirements for setting up an information security management system (ISMS). This consists of the policies, procedures, processes, and activities beyond the technical controls that you should implement to have a robust program.
Another popular program framework is the NIST Cybersecurity Framework (CSF). It defines five high-level functions: Identify, Protect, Detect, Respond, and Recover. These five functions decompose the complex world of security into simple categories that model the high-level lifecycle of all security activities. Because it is simple, it also gives security leaders a way to more easily communicate about their security programs.
Like a style guide, a program framework allows you to conduct high-quality, efficient editing of your security activities.
3) Risk Frameworks
Beyond the activities defined in control or program frameworks, you also need a way to determine which capabilities to prioritize. What do you do first, or not at all? How do you make this determination beyond just a checklist of activities?
Once again going back to the writing analogy, a skilled author knows how to tell a story that resonates with the audience. Similarly, a risk framework helps security leaders assess and manage risk in a way that resonates with the business.
There are a number of frameworks that define approaches to risk assessment and management, including NIST 800-30, NIST RMF, ISO 27005, and COSO ERM, among many others. Historically, many of these approaches have taken a qualitative approach to calculating risk, using things like ordinal scales. This is where a quantitative approach like Factor Analysis of Information Risk (FAIR) is helpful. By marrying foundational risk management program elements with a more rigorous approach such as FAIR, we can craft a story that better resonates with the audience.
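To make the contrast between ordinal scoring and a quantitative approach concrete, here is an added example (not from the original post, and not the FAIR standard's own tooling). It scores two constructed scenarios on a 1–5 likelihood × impact heat map, then estimates annualized loss for the same scenarios using FAIR's top-level decomposition of risk into loss event frequency and loss magnitude. The scenario values, the choice of triangular input distributions, and the Poisson event-count model are assumptions chosen for illustration.

```python
import math
import random
import statistics


def ordinal_risk_score(likelihood: int, impact: int) -> int:
    """Heat-map style qualitative score on two 1..5 ordinal scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ordinal scores must be in 1..5")
    return likelihood * impact


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(lef, lm, iterations: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo estimate of annualized loss exposure.

    lef: (min, most_likely, max) loss events per year  (FAIR: Loss Event Frequency)
    lm:  (min, most_likely, max) dollars per event      (FAIR: Loss Magnitude)
    Assumption: both factors are drawn from triangular distributions, and the
    number of events in a given year is Poisson around the drawn frequency.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    yearly = []
    for _ in range(iterations):
        rate = rng.triangular(lef[0], lef[2], lef[1])   # (low, high, mode)
        events = _poisson(rng, rate)
        loss = sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events))
        yearly.append(loss)
    yearly.sort()

    def pct(q: float) -> float:
        return yearly[int(q * (len(yearly) - 1))]

    return {
        "mean": statistics.fmean(yearly),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
    }


# Constructed scenarios (assumed values, not from the article):
# A: frequent, cheap incidents, e.g. credential phishing that is caught quickly.
SCENARIO_A = {"likelihood": 5, "impact": 1,
              "lef": (2.0, 6.0, 12.0), "lm": (1_000, 5_000, 20_000)}
# B: rare, expensive incidents, e.g. a breach of a core customer database.
SCENARIO_B = {"likelihood": 1, "impact": 5,
              "lef": (0.05, 0.10, 0.30), "lm": (500_000, 2_000_000, 8_000_000)}


def compare_scenarios() -> dict:
    """Return ordinal scores and quantitative estimates side by side."""
    return {
        "A": {"ordinal": ordinal_risk_score(SCENARIO_A["likelihood"], SCENARIO_A["impact"]),
              **simulate_annual_loss(SCENARIO_A["lef"], SCENARIO_A["lm"])},
        "B": {"ordinal": ordinal_risk_score(SCENARIO_B["likelihood"], SCENARIO_B["impact"]),
              **simulate_annual_loss(SCENARIO_B["lef"], SCENARIO_B["lm"])},
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name}: ordinal={result['ordinal']:>2}  "
              f"mean=${result['mean']:,.0f}  p50=${result['p50']:,.0f}  p90=${result['p90']:,.0f}")
```

Both scenarios land on the same heat-map cell (score 5), so an ordinal scale gives the business no basis for choosing between them. The quantitative view separates them: scenario A produces a modest but near-certain annual loss, while scenario B has a median annual loss of zero (most years nothing happens) yet a far larger expected loss and tail. That expected-loss and tail figure is the "story" a business leader can weigh against the cost of a control.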
My mentor Steve Katz once told me, “There are no security risks. There are only business risks.” Modern security leaders must have a deep understanding of business goals and strategies to effectively manage business risk.
It’s not about choosing the one framework to rule the world. Just as a skilled writer uses various tools and techniques to tell a more compelling story, I suggest that you choose a framework from each category to mature your program over time. This will help both you and your stakeholders make sense of the alphabet soup of cybersecurity frameworks that are available.