Which cybersecurity frameworks to use
If you have been working in cybersecurity for any length of time, you will be aware of the plethora of frameworks out there, each promising to help with your security efforts. Maybe you have even looked at some of them, but turned away because you could not choose among them, or did not know which one would be the most effective in your situation? Well, you are not alone in that, but using a framework in your cybersecurity work will make the job much easier! I use several different frameworks myself, and note the plural here, several different frameworks, because no single framework can cover every need in the changing threat landscape we see proliferating these years. If you are working as a consultant, you might as well resign yourself to needing to know several frameworks in order to be able to help different customers or business areas.
Part of the job as a cybersecurity specialist is keeping up to date with the various frameworks and the changes made to them, both to reflect the changes in the business world and to keep pace with the compliance and regulatory requirements we see expand more and more! In my first article for this magazine, I expanded on the increasing importance of having good governance in place in an organization. You can read, or reread, that article here: https://cybersecurity-magazine.com/governance-for-cybersecurity/ . I would like to expand that to include frameworks as well. Why? Because a framework gives you a fixed reference point to measure your efforts against, so you can continually measure the maturity of the organization against the same yardstick. As mentioned earlier, I use several different frameworks for different customers, some of them in combination with one another. The list below should not be seen as any kind of recommendation on my part; depending on your own situation, other frameworks might make more sense in your customer cases:
- CIS 20
- The CIS Critical Security Controls, in the version 7 this article refers to, consist of 20 major controls with 171 sub-controls under them. This framework is very operational and can be communicated easily to the technicians who will work with it.
- NIST 800
- This framework is very popular in North America. The NIST Special Publication 800 series contains a lot of documents describing specific sub-areas of cybersecurity; SP 800-53 is the control catalogue, and SP 800-40 covers patch management, for instance.
- ISO/IEC 2700x
- This is the granddaddy of frameworks, along with NIST, as regards cybersecurity frameworks. ISO/IEC 27001 is the certifiable standard for an information security management system (ISMS), and 27002 gives the implementation guidance for its controls. ISO is becoming more and more important as a reference point for security in organizations around the world.
- CMMI
- This framework makes it extremely easy to communicate a score for the maturity level in an organization. CMM, the Capability Maturity Model (CMMI being its integrated successor), with its five maturity levels, is already known to many businesspeople, making it an excellent tool for communicating with the board, for instance.
- COBIT 2019
- I am a huge fan of COBIT as a framework for cybersecurity. You might think: hold up, is this not a governance framework? And yes, it is ISACA's IT governance framework, but it is also a framework for how to improve cybersecurity.
There are many, many more frameworks out there, some of them aimed at specific industries or technology areas. So, how do you pick a good one? You don't, the situation picks it for you! If you are working for a transnational financial institution, for instance, then NIST and ISO are the frameworks, on top of the regulations governing that business area, like Basel III or PSD2, the Payment Services Directive. If you are working with customers in the medical industry, they are governed by other standards and have other compliance regulations to live up to, like HIPAA and the American FDA, the Food and Drug Administration.
The point I am trying to make here is that you absolutely must know more than one framework as a consultant, and that as a company IT security employee you should look into the regulations governing your business and choose a framework that covers as many of the compliance requirements and regulations you have to live up to as possible. But remember, no one framework is likely to cover all the needs of any one organization. Multiple frameworks will more than likely be required! If you are just beginning your career in cybersecurity and are looking to acquire knowledge of cybersecurity governance and frameworks, then I recommend that you look at CIS 20 as the first one, which you can find here: https://www.cisecurity.org/controls/cis-controls-list/ , and then ISO 2700x. Why? CIS 20 is an easy beginning if you are coming from a technical background, and ISO is fast becoming the gold standard for cybersecurity frameworks.
CMMI requires that you have some experience with frameworks before you can begin using it to score the maturity level of an organization. NIST is a massive framework with lots of subsections, which can make it a daunting prospect for anyone just beginning to look at frameworks; the same goes for COBIT, which builds on and maps to other standards underneath it, NIST for instance. So, to finish: frameworks are an excellent tool for cybersecurity, but remember that multiple different ones will likely be needed in most situations! And remember that the situation, or the business, chooses the right framework for implementation!
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, 'Security Architecture - How & Why'.