As more companies and governments worldwide struggle with cyber threats — including malware, phishing, ransomware, and denial-of-service attacks — there has never been a better time to explore the adoption of a cybersecurity framework.
Cybersecurity frameworks can help organizations think through how to set up a cyber program and evaluate resiliency in the face of attacks. Maturity models and control frameworks are used to create a more robust security culture and assess how well the organization can perform necessary cyber actions.
I recently spoke with my colleague David White, the co-founder and President of Axio, for a webinar on cybersecurity frameworks. Below I’ll share some of the biggest takeaways from it and my own experiences in achieving success with cybersecurity frameworks.
You Need to Know Your ‘Why’ First
One of the most important things you need to do before choosing one or two frameworks to adopt is to first understand your “why.” This may sound overly simple, but you’d be surprised how powerful it is. Specifically, you need to think about two big questions:
- Why are you considering frameworks to adopt?
- What do you hope to achieve by adopting a framework?
Answering these questions inform which framework(s) you ultimately choose. The “why” helps you think about what’s driving the need to embark on a framework adoption process. The “what” drives you to consider what outcomes—goals, objectives, initiatives—you hope to satisfy by adopting a framework. A simple itemization of answers to these questions will give you a significant head start on figuring out which framework to pursue. Always remember: adopting a framework isn’t a casual endeavor. It requires considerable organizational resources and investments to do correctly, and if you make the wrong choice, you could incur significant costs without much benefit. And, many organizations fail to commit to working through framework adoption, which ultimately causes a cycle of “start-stop” attempts that end up in framework fatigue and no appreciable organizational benefit.
Here Are Some ‘Whys’ to Think About
If you decide to pursue a framework to support your unique cybersecurity program needs, it’s important to think about all of the reasons that may be driving this decision. While it is true that there might be a single driving force—mandated compliance, for example—there may be additional organizational drivers that could be satisfied as well. Or, you might find you will have to exist in a multi-model environment, so you’ll want to choose a framework that is complementary to the framework with which you are required to comply.
Below I outline several of the top “whys” that you might be asking about in your organization or government when it comes to adopting a framework.
One of the most common reasons a company or government begins looking at a framework is to meet regulatory or compliance requirements. Compliance obligations can come from various places, whether based on a specific law or a requirement of a private industry group or a local or national regulatory body.
For example, the New York Department of Financial Services (NYDFS) cybersecurity regulation requires that companies must create a robust cybersecurity program, name a chief information security officer (CISO), enact certain policies, perform penetration and vulnerability assessments, and formulate ongoing reports for cyber incidents. Such regulatory requirements can allow organizations to define a narrow scope on which to apply the regulations, thereby making the adoption of such a framework less useful for organization-wide program improvement. Thus, there is a propensity to view such frameworks as primarily an exercise in compliance, not program development or process improvement.
Ultimately, regulatory and compliance requirements will choose you, rather than the other way around. This doesn’t mean they aren’t useful in the long run. Because these frameworks can in some cases be comprehensive, you may find they have positive effects on your program definition or even maturity. But, that requires defining and expanding your adoption objectives well beyond just meeting minimum requirements. Remember that compliance alone is a “floor”—the minimum required to satisfy oversight requirements—and as the threat environment evolves, some of the weaknesses of a compliance approach (and in particular, a regulatory approach) will ultimately reveal themselves.
Third-party certification may also be an important driver for which framework you choose. Voluntary certification can signal that your organization is serious about cybersecurity and has implemented and institutionalized the rigorous processes needed to reach a certain level of achievement. Third-party certifications typically bring independent verification of achievement, and are generally more robust than regulatory requirements. However, because they can often allow narrow scoping, achievement of certification does not always equate to cybersecurity program or process improvement. If you approach third-party certification with more robust program objectives in mind, you might find that you can not only achieve your certification goals but also use your choice of framework for program improvement as well. And, certification may also equate to a competitive edge with competitors.
Remember that certification frameworks may also define minimum requirements to operate in a specific sector or to interact with other organizations. A good example of this is the Cybersecurity Maturity Model Certification (CMMC), which will establish requirements for organizations that wish to work on federal defense contracts. CMMC draws on best practices and maturity processes from other well-regarded frameworks such as NIST 800-171, C2M2, and CERT-RMM, so while it might be framed as a certification framework, it certainly has solid control and process structures as its foundation—necessary for security program definition and maturity.
A Strategic Initiative
Strategic imperatives and aspirations may also direct your choice of framework For example, if you are interested in expanding your product offerings into a new market such as healthcare or providing new cloud-based services, you might choose a framework that aligns with helping you not only achieve your strategic objectives, but gives you a competitive edge.
One example would be if your organization is focused on selling and providing cloud services to the U.S. government. In this case, you almost certainly will need to adopt the Federal Risk and Authorization Management Program (FedRAMP), a “program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” As the U.S. government is one of the largest buyers of cloud services, meeting FedRAMP standards is significant for the bottom line of many tech companies. And, meeting FedRAMP standards might also signal to non-U.S. government customers that you are serious about meeting rigorous standards for your cloud-based products and services.
Process improvement should always be on your short list of “whys” for adopting a cybersecurity framework. For any framework you consider, for any reason—whether compliance, competitive edge, strategic imperatives—process improvement should be at least a secondary objective. If you are going to invest in the time, energy, and money it takes to adopt a framework, you should derive organizational benefits, even if the framework finds you first.
Many organizations look to models and frameworks to gain guidance on designing, implementing, managing, measuring and improving a cybersecurity program, if only because frameworks typically represent an encyclopedic catalog of all the things—controls, practices, processes, metrics—that define such a program And consider: if you start with a solid process improvement approach you might have a head start when other frameworks find you as compliance and regulation requirements are surely increasing.
Many organizations have long-standing cybersecurity programs in place, but they may not know if these programs are functioning efficiently and effectively, and whether they may need retuning. In this use case, adopting a new framework can shed light on gap areas and provide measurement tools to examine where your program might be off the rails. Frameworks that focus solely on controls may not be as useful for this purpose because they typically focus on implementation details (the “how” rather than the “what.” But, frameworks that are written at a practice or program view often have defined outcomes that can be measured as a way to verify that elements of your program are working—producing the expected results. Further, frameworks like CMMC allow you to determine the degree to which you are building all of the artifacts that are required for long-term success.
The Bottom Line
While all of these “whys” will help guide you to a framework, there’s a good chance you will find (as most organizations do) that competing objectives (strategic growth vs. compliance, for example) have you considering more than one model. The extent to which you can choose one model that satisfies many objectives is a very cost-effective strategy, and will likely help you meet many needs simultaneously. Most modern frameworks are interconnected and linked, so some of the hard work is already done for you. But, be prepared….you may find yourself in a multi-model approach that requires careful navigation to avoid rework and over-investment.
Richard Caralli is a cybersecurity professional with nearly 40 years of experience in accounting, auditing, risk and resilience management, and process improvement. He is currently helping organizations implement and institutionalize GRC programs as a member of the consulting team at Seiso LLC, a solution-focused cybersecurity firm based in Pittsburgh. Prior to joining the Seiso team, Caralli held various senior level positions in information technology and cybersecurity in the oil and gas industry where he was responsible for developing and operating information and operational technology cybersecurity programs. Prior to returning to industry, Caralli was the Technical Director of CERT’s Risk and Resilience Directorate at Carnegie Mellon’s Software Engineering Institute where he was the lead architect of the CERT® Resilience Management Model (CERT-RMM), a process improvement-focused maturity model for managing operational resilience, much of which has been incorporated into various models including the Cybersecurity Maturity Model Certification (CMMC). Caralli’s research agenda was influential in developing and delivering coursework in information security to graduate and executive education students at Carnegie Mellon’s Heinz College. Prior to joining CERT in 2001, Caralli led accounting and IT audit teams in the banking, manufacturing and oil and gas industries.
If your organization wants to adopt a cybersecurity framework, Axio can help you chart a path forward. Axio offers free single-user assessments for frameworks including NIST CSF, C2M2, and more. Additionally, paid subscribers can receive reviews for CMMC, CIS 20, or custom setups. Check out the free tool here to learn more.