I recently read a LinkedIn post discussing the usefulness, or lack thereof, of frameworks in developing your cybersecurity roadmap. The author discussed implementing controls that they felt would give the organization the best cost-to-benefit ratio, but never really discussed how they arrived at those missing controls or what risks they were mitigating by implementing them. Now I certainly agree there are some controls which will give you a much bigger bang for your buck, like multifactor authentication, endpoint detection and response, or additional network segmentation. All three of those controls will certainly reduce your risk more than some of the policies and procedures that any cyber framework will recommend you implement, but does that mean you shouldn’t implement these policies and procedures?
The resounding answer should obviously be that you still need those policies and procedures: they guide your organization, instruct how some of those tools should be implemented and maintained across your organization, and lead to more repeatable results from using those tools. This is not saying the policies and procedures need to go to the front of the line in your roadmap, nor even that they should be in the second wave of your roadmap. Policies and procedures are just a single control and should be weighed against other controls to understand your current state and what your future state should look like when you implement your roadmap. This is where controls frameworks come into play in crafting a roadmap. You should leverage a framework, like NIST CSF, C2M2, CIS 18, etc., to understand your current cybersecurity posture and your areas of opportunity. It is for this reason that frameworks, imperfect as they may be, have a place in helping to craft your roadmap.
Following an assessment, you should leverage the results to come up with potential improvements and controls you can implement to reduce your risk. There are many different strategies to do this: you can look for low-hanging fruit, identify some big wins from experience, or run exercises like tabletops or risk quantification. Personally, in my experience cyber risk quantification is the best strategy, as it allows you to model specific risk scenarios and how they financially impact your organization. After you have modelled your scenarios, you can model the controls you identified in your assessment (where you leveraged a framework) to understand how those controls affect the scenarios by reducing the impact of, or the susceptibility to, the risk. By taking this route, you will have the financial numbers to back the decisions in your roadmap when presenting to the board for the budget to implement it.
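To make the quantification step concrete, here is an added example (not code from the post, and not Axio's or any vendor's method) of a deliberately simplified, single-point model: each risk scenario has an expected annual frequency (susceptibility) and an expected loss per event (impact), each candidate control reduces one or both by some fraction, and controls are ranked by annual loss reduction and by return on security investment. All scenario names, dollar figures, and reduction fractions are constructed for illustration; real cyber risk quantification uses loss distributions and simulation rather than point estimates, but the prioritization logic is the same.

```python
# Added example: a minimal cyber risk quantification model for roadmap prioritization.
# Scenarios, controls, costs and reduction fractions below are constructed, not real data.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected loss events per year (susceptibility)
    loss_magnitude: float    # expected loss per event, in dollars (impact)

    def annual_loss_expectancy(self) -> float:
        """Single-point ALE = frequency x magnitude."""
        return self.annual_frequency * self.loss_magnitude


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> (fractional frequency reduction, fractional magnitude reduction)
    effects: Dict[str, Tuple[float, float]]


def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Return the scenario as it would look with the control in place."""
    freq_red, mag_red = control.effects.get(scenario.name, (0.0, 0.0))
    return Scenario(
        scenario.name,
        scenario.annual_frequency * (1.0 - freq_red),
        scenario.loss_magnitude * (1.0 - mag_red),
    )


def portfolio_ale(scenarios: List[Scenario]) -> float:
    return sum(s.annual_loss_expectancy() for s in scenarios)


def rank_controls(scenarios: List[Scenario], controls: List[Control], key: str = "rosi") -> List[dict]:
    """Evaluate each control alone against the baseline and rank by 'rosi' or 'ale_reduction'."""
    baseline = portfolio_ale(scenarios)
    results = []
    for c in controls:
        treated = [apply_control(s, c) for s in scenarios]
        reduction = baseline - portfolio_ale(treated)
        rosi = (reduction - c.annual_cost) / c.annual_cost  # return on security investment
        results.append({"control": c.name, "ale_reduction": reduction,
                        "annual_cost": c.annual_cost, "rosi": rosi})
    return sorted(results, key=lambda r: r[key], reverse=True)


# Constructed scenarios from a hypothetical framework assessment.
SCENARIOS = [
    Scenario("Ransomware via phished credentials", annual_frequency=0.5, loss_magnitude=2_000_000),
    Scenario("Insider data exfiltration", annual_frequency=0.2, loss_magnitude=500_000),
]

# Constructed candidate controls; effect fractions are illustrative assumptions.
CONTROLS = [
    Control("Multifactor authentication", 120_000,
            {"Ransomware via phished credentials": (0.6, 0.0)}),
    Control("Endpoint detection and response", 200_000,
            {"Ransomware via phished credentials": (0.3, 0.4),
             "Insider data exfiltration": (0.2, 0.3)}),
    Control("Incident response policy and procedures", 40_000,
            {"Ransomware via phished credentials": (0.0, 0.2),
             "Insider data exfiltration": (0.0, 0.2)}),
    Control("Network segmentation", 300_000,
            {"Ransomware via phished credentials": (0.0, 0.5)}),
]


def run_example(key: str = "rosi") -> List[dict]:
    return rank_controls(SCENARIOS, CONTROLS, key=key)


if __name__ == "__main__":
    print(f"Baseline ALE: ${portfolio_ale(SCENARIOS):,.0f}")
    for row in run_example("ale_reduction"):
        print(f"{row['control']:<42} reduces ALE by ${row['ale_reduction']:>10,.0f} "
              f"at ${row['annual_cost']:>8,.0f}/yr  ROSI={row['rosi']:.2f}")
```

With these constructed inputs, MFA and EDR remove the most annual loss in absolute terms, matching the post's point about big-ticket technical controls, while the cheap incident response policy ranks first on return on investment: that is exactly the kind of board-ready comparison that lets you order a roadmap rather than argue about whether policies "count".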
In closing, frameworks are a useful tool in helping to craft a roadmap, but they are just one tool in your arsenal for identifying potential improvements. The results of a framework assessment should be paired with something like cyber risk quantification to really help you prioritize and justify your roadmap, so that you are able to obtain the funding and implement it.
Ryan Subers is a Director within Axio’s Cyber Risk Engineering practice. Ryan has over 15 years of industry and consulting experience with integrated risk management and mitigation, cyber risk quantification, information security assessment, and enterprise architecture. He has performed various IT and Operational Technology risk and security assessments in organizations including electric power generation and transmission, healthcare, manufacturing, finance, and government. He worked as part of the core project team to update the Department of Energy Cybersecurity Capability Maturity Model (C2M2) for versions 2.0 and 2.1.