CybersecuritySecurity

Common Frameworks for Maturing Security Programs

Gulsen Saffel
March 7, 2023
6 min read

Every cybersecurity organization, through its program maturity journey, grapples with the challenge of choosing and aligning with a security framework. Frameworks provide structure, but also allow the organizations to evaluate their program internally, as well as against industry peers. Let’s take a closer look at some of the most common security frameworks used within the industry, including key considerations when selecting one and pitfalls to avoid.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (NIST CSF) may be one of the most referred-to frameworks in the industry. Twenty-three categories are aligned to the five functions of this security framework: Identify, Protect, Detect, Respond and Recover. Each category includes subcategories, representing control objectives that together provide a foundation for a comprehensive cybersecurity program.

ISO 27001 by the International Organization for Standardization

This security framework is most recognized due to the opportunity to certify compliance through an independent technical audit and prove that data protection standards have been achieved by the company. ISO 27001 divides its controls as: Organizational, People, Physical and Technological.

As an alternative to ISO 27001, organizations may pursue SOC 2 certifications as proof of independent security audits. The decision to pursue either is most often influenced by geography (i.e., ISO 27001 is more globally recognized than SOC 2) and contractual agreements.

The Center for Internet Security Critical Security Controls

CIS Controls is a prioritized set of safeguards. The safeguards refer to controls that are technical in nature and are prioritized by three implementation groups that enable companies of all sizes to benefit. Large organizations can leverage the full extent of CIS Controls, while smaller security organizations with limited resources can begin by identifying a starting set of safeguards.

 MITRE ATT&CK® knowledge base

MITRE ATT&CK® is not a framework. Instead, it’s a knowledge base that security organizations should consider leveraging to mature their capabilities to address very specific, real-life threats from adversaries. MITRE ATT&CK® provides continuously updated technical knowledge from the attacker’s perspective.

Choosing a security framework, conducting a thorough assessment, prioritizing findings and driving initiatives is undoubtedly a resource-intensive challenge for any organization. Therefore, companies should consider the need from a variety of angles to select a framework that will provide the best value:

  1. Security program maturity – Is the program newly established with a relatively small team and broad functions or has it grown to have an appropriate level of staffing and technology? This may impact the appetite for in-depth assessments. Are the resources available to staff the effort and most importantly, drive action from the outcome of the assessment?
  2. Regulatory landscape – The industry, types of business processes and data types being processed can drive a list of compliance activities and required assessments. Understanding the external drivers will help select a framework that maximizes alignment with the requirements and derive efficiencies. For example, the Federal Financial Institutions Examination Council (FFIEC) provides a mapping of its requirements to the NIST Cybersecurity Framework.
  3. Expected outcome – this may be the most important element that an organization should answer. “What is the outcome we need to accomplish?” will be a key driver for this exercise. Is there a compliance issue? Is it a general need to understand the capabilities of the security program and the level of protection and risk mitigation it provides? Is it a regulatory activity? Is it to facilitate prioritization of the security program investments and/or build a security strategy?

Finally, common security frameworks bring the expertise of many industry professionals to a maturing security organization by defining a set of best practices for alignment and benchmarking. While there are many other security frameworks available (e.g. NIST 800-53, Secure Controls Frameworks (SCF), HITRUST), the ones covered in this blog have been adopted widely and leveraged often for establishing trust in a company’s data security practices.

Once a framework is selected, it is important to consider some important next steps as part of the process of adopting a framework:

  • A framework assessment is not a complete and final solution to all security issues. Control framework assessments by themselves do not measure risk if all that is assessed is compliance or alignment with security controls. Controls are an important component in understanding how risks the organization is subject to are mitigated, but they do not paint a complete risk picture. To understand the risk exposure, a risk assessment needs to be performed that includes the identification of critical assets, threats, and vulnerabilities applicable to these assets and then applying the controls present in the environment to mitigate identified risks. The risk assessment should be performed in accordance with industry-accepted methodologies, like NIST 800-30, FAILR, Octave, etc., and will result in a prioritized list of residual risks for the environment. Once an assessment has been completed, it is time to prioritize findings, reflect the results in the organization’s investment decisions and continuously measure risk reduction as solutions are implemented.
  • Educate the Board of Directors and/or executive leadership on the ratings and tiers of the framework selected before presenting the outcome of an assessment. There is a risk that the focus becomes earning a high score across the spectrum. In many cases, this is not reasonable to achieve or necessary based on the risk appetite of the organization. Leadership should understand how the framework is used as a tool to determine capability and enable maturity as opposed to simply being a scorecard. It is also important to demonstrate how the control maturity fits into the overall risk picture and the risk mitigation value provided by the controls in the environment.
  • Think outside the box. Frameworks, while comprehensive in concept, may not have an emphasis on the company’s unique risk exposures. Encourage and allow flexibility. Deviations from the frameworks may be necessary to meet business, cultural and other constraints, or requirements of the environment.
  • Don’t get complacent. Regularly re-evaluate the selected framework against business needs and external factors. Recognize that, over time, doing the same thing does not mean that ratings or tiers stay the same as well (in fact, they may deteriorate as the risk profile of the business or environment changes). Similarly, incremental improvements and ongoing investment may only result in sustaining previously assessed levels of framework capability and maturity. It takes meaningful effort to move the needle!

Build a cybersecurity strategy to drive long-term strategic value from the framework alignment. Don’t miss the opportunity to pair any assessment with a roadmap to achieve key security goals that align with the overall objectives of the business.

To learn more about our cybersecurity consulting solutions, contact us.

Gulsen Saffel

Associate Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More