You may have heard of a cybersecurity framework – or several, actually – being adopted by large organizations (businesses, NGOs and other entities) or by state actors. But what is a cybersecurity framework, why are there several such frameworks and how do they work?
We’ll answer all these questions and more in the following guide. We noticed that the information on cybersecurity frameworks available online is a bit confusing, especially for people outside the niche. This called for a more detailed, step-by-step explanation, and here it is. For the sake of this specific guide, we will use the terms cybersecurity framework and cybersecurity standard interchangeably.
We hope that after reading this guide, whether you’re a programmer trying to abide by regulations, a CTO looking for your next security standard, a tech journalist or a layman, everything about cybersecurity frameworks will be much clearer.
What Is a Cybersecurity Framework?
Contrary to what you might believe, an IT cybersecurity framework is not a defensive software system, such as a collection of anti-virus, threat detection or traffic filtering tools. It’s not a collection of any kind of practical tools for diagnosing threats or for responding to them.
A cybersecurity framework is, actually, a set of best practices and documented processes which are used for IT security policy making within an organization. It’s equivalent, if you will, to a mission statement issued by the IT department of large organizations, where they define their cybersecurity values and goals while also defining the way they intend to achieve and protect them.
But unlike traditional policy, which belongs strictly to the legal field, a cybersecurity framework also includes plenty of thoroughly documented examples of the issues these policies are meant to avoid, and of the proper processes and ways to implement the security policies described. It is at the same time a guide for sysadmins and users and a compelling compendium of security best practices which can be consulted by authorized external parties (like the authorities).
How Does a Cybersecurity Framework Work? Why Is It Important?
There are several cybersecurity frameworks already created and available for organizations to use as the basis for their own version. There is more than one because of various factors: national regulations for IT security vary across the world, as does the specific threat landscape. Since many countries with strongly developed expertise prefer to create their own set of regulations and documents, it’s only natural to have several cybersecurity frameworks out there.
Most of these cybersecurity frameworks to choose from are, therefore, developed by state actors and national intelligence agencies, to serve the big companies and institutions in that country.
There are also cybersecurity frameworks developed internally by big tech companies who prefer to build their own, or for which it makes more sense to have one perfectly adapted to their specific scenarios. After all, who can know the vulnerabilities of an organization and the best risk mitigation strategies for it better than the people who coordinate these efforts? Of course, only very big companies have the manpower, know-how and necessity to create their own cybersecurity frameworks.
There is also the commercial factor to account for, and while there’s nothing wrong with that per se, it does make some organizations a bit wary of adopting a cybersecurity framework, even though their size requires it.
What do we mean by commercial factor? The content of cybersecurity frameworks is free, right? Yes. While there aren’t any authors of cybersecurity framework regulations who are selling access to their framework as a commercial product, there are plenty of consultancy firms who are providing paid guidance for adopting a cybersecurity framework.
Is this necessary? Of course, since a cybersecurity framework is by default a very complex structure of documents and regulations, and no matter how simply its authors try to present it, many organizations will have difficulties understanding it, let alone adapting and implementing it to fit the realities of their own work environment.
But since this type of consultancy can involve additional costs, besides the effort and manpower involved to see it through, some organizations postpone adopting a cybersecurity framework. This is understandable, but nonetheless a dangerous behavior, unfortunately.
Cybersecurity frameworks were developed by regulatory authorities precisely because experience proved they were necessary. Having a unified set of practices and regulations serves not just as a common map and reference point for threat forensics, but can make the difference between overcoming a security incident crisis and being torn up by it.
Who Should Adopt a Cybersecurity Framework?
So which companies should adopt a cybersecurity framework? There isn’t any official requirement for this, since cybersecurity frameworks are only partially mandatory. While this may differ from country to country, most state authorities don’t enforce the adoption of cybersecurity frameworks for now. Partly this is because it would be difficult to decide who absolutely has to implement one and who can get by without one.
Still, some national authorities (like those in the U.S.) do enforce it indirectly, by making the adoption of a cybersecurity framework a prerequisite for compliance. Since some businesses can hardly sell their products without a compliance certification, this is a way of de facto enforcing the adoption of a cybersecurity framework. So it is up to each company, but other factors can weigh in besides really wanting to secure their data better.
Deciding who needs a cybersecurity framework is both a matter of company size and a question of niche or data type.
As far as company size goes, here is the rule of thumb:
- If your company has more than 10,000 employees, you definitely need a cybersecurity framework – over 90% of companies of this size have adopted one; *
- If your company has more than 5,000 employees, you could probably really use one, especially if you handle sensitive client data;
- If your company has fewer than 1,000 employees, you could still benefit from adopting a cybersecurity framework, even though it’s not a must – over 77% of companies that small have adopted one. *
*Based on data provided by the Trends in Security Framework Adoption report.
How about the niche in which your company operates? Some domains need to adopt a cybersecurity framework faster than others, of course.
If you’re an IT company, you should really consider adopting a cybersecurity framework ASAP, regardless of your size. Since you are responsible for the hardware or software components of other companies’ and organizations’ security networks, you need to make sure you take all the safety measures first. Otherwise, vulnerabilities can spread like wildfire, starting with the first link in the supply chain.
Likewise, adopting a cybersecurity framework is essential for companies operating in the financial or medical sector, or those working directly with actors in these sectors. As we all know, hackers sometimes use the less secure networks of a small third-party company (like a supplier) in order to gain entrance into the systems of the company they are actually targeting.
Sadly, data indicates that the health and medical sector is the most vulnerable to attacks, since 27% of large companies in this niche did not implement any kind of security framework*.
*Based on data provided by the Trends in Security Framework Adoption report.
Considerations when Choosing a Cybersecurity Framework: How to Do It
If you’re thinking about implementing a cybersecurity framework in your organization, first of all, congratulations are in order. Know that the journey will not be easy, but finalizing the procedures will be immensely rewarding in the long run.
Once you cross the finish line, you can rest assured that your security systems are top notch, your compliance with security guidelines is flawless and, even in the case of an incident, you will benefit from the best recovery mechanisms and support from the authorities.
So how can you start adopting a cybersecurity framework? Here’s a brief outline of the recommended process. More can be said on this topic, but for reasons of space we’ll sketch just an initial outlook here so you know what to expect.
Task 1: Set your cybersecurity goals and choose a framework
Sit down with all your executives and the executives of any partner companies involved in your cybersecurity defense mechanisms. Try to identify the concrete needs your business has that can be answered by adopting a cybersecurity framework.
These can include tech-side needs, such as making a process more secure without sacrificing user experience or addressing known vulnerabilities, or commercial needs such as making sure you are compliant with a pre-defined regulation. Everything that weighs into this decision is important, so make sure you put it all on paper before you decide on the best course of action.
Task 2: Evaluate your current strategy and map it
You need to know where you stand now before you can identify the best way to proceed with adopting a cybersecurity framework. Make sure you don’t leave anything out when doing this internal evaluation. Here are a few ways to go about it:
- Map out your current responses (procedures already in place);
- Include processes or procedures proposed but not yet implemented;
- Do an incident response simulation;
- Ask your system admins about known user behavior-related risks;
- Conduct an internal Blue Team vs. Red Team security exercise;
After going through these, you’ll be more aware of where you actually stand security-wise. Many established cybersecurity frameworks make it a requirement to self-diagnose before implementation. Some, like the NIST CSF, require you to identify a Security Tier (out of 4 tiers) that you belong to, based on the current cybersecurity strategy.
Task 3: Conduct independent risk assessment
Having an independent party assess your current strategy’s strengths and weaknesses is essential. In almost every case, external pentesters are able to see beyond the natural blind spots of your own security engineers and CTOs.
After getting a thorough evaluation on current risks from professionals, you’ll be ready to move on to addressing them better.
Task 4: Identify necessary actions to address the gaps
This step is obviously very important, but can differ a lot from one company or organization to another. Make sure you perform a gap analysis and that you compare your current test scores with the target scores you need to reach in order to be compliant.
Once you identify the gaps and the areas in which you are lagging behind, you can start finding solutions for getting closer to the goals defined at the beginning, or closer to the compliance requirements of the cybersecurity framework.
Task 5: Create an action plan for adopting the framework you need
Try to envision the goals first and think about the practical side of things later. We know this is the most difficult thing to ask from a business-minded decision-maker, since everything revolves around the usual staff or budget limitations. But adopting a cybersecurity framework has to be done by following official protocol, so there’s no way to modify the required action plan in order to better fit business needs.
Of course, after creating the action plan, there will be room for negotiations, creative solutions and better budgeting. Just don’t let a corner-cutting mentality affect the plan-making process, since that stage of the implementation should remain uncorrupted by practical considerations.
Examples of Cybersecurity Frameworks
What are the most common cybersecurity frameworks currently issued and adopted by companies worldwide? Here are just five of the best-known ones, adopted by numerous compliant businesses and organizations.
#1. Payment Card Industry Data Security Standards (PCI DSS)
The title says it all – this cybersecurity framework is targeted at the payment card industry and impacts any e-commerce business, as well as the financial sector.
#2. US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
Even though originally intended for institutions managing critical infrastructure assets (like power plants and such), this US cybersecurity framework has rapidly become very popular outside of this niche too. Many traditional businesses and large organizations adopted the NIST CSF gladly in a bid to strengthen their overall IT security, and it continues to garner the highest level of interest from late-comers.
#3. Center for Internet Security Critical Security Controls (CIS)
This framework deals with the most common forms of data breaches and attacks, in a hierarchy of priorities. While immensely valuable and popular because of it, the CIS framework is not intended to be the sole repository of cybersecurity practices. It’s most often adopted alongside the NIST CSF.
#4. Control Objectives for Information and Related Technologies (COBIT)
The COBIT cybersecurity framework is issued by ISACA (a non-profit organization known as the “Information Systems Audit and Control Association”). The organization is praised for bridging the gap between government and business needs in its cybersecurity standards. The latest update of the framework was released in 2012, though, so depending on your sector of activity, you might need to consider a newer set of procedures.
#5. International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002
Issued by the prestigious ISO, these cybersecurity frameworks have the advantage of being recognized almost everywhere in the world, unlike the U.S.-centric NIST and CIS options. Another plus of the ISO compliance rules for cybersecurity is that they’re not targeted solely at medium and large companies, but can easily be adapted to small businesses too.
Need more advice about implementing a cybersecurity framework in your organization? Want to find out where your biggest security vulnerabilities lie? Don’t hesitate to get in touch; we can help.