Top 5 benefits of a security framework

Cybersecurity is an overwhelming endeavor, whether you are a business leader, such as the Chief Information Security Officer (CISO), or a security analyst defending corporate resources, data and infrastructure against advanced threats. Security frameworks can help…

Seema Kathuria
Microsoft Cybersecurity
3 min read · Mar 26, 2019

Knowing which aspects of cybersecurity to focus on, complying with a myriad of regulations, and taking a proactive stance can be hard with limited resources and time. Security frameworks can help by acting as a “compass” to guide you along your cybersecurity and compliance journey.

A framework can act as a compass on your digital transformation journey. (Source: Getty Images)

Here are 5 benefits of using a security framework:

  1. It can help save you time by giving you a clear structure for taking action. With a framework, you can easily map where you are on your cybersecurity journey and identify gaps, so you can have clear, actionable conversations with stakeholders at your organization. If you know where you are vs. where you need to be, then it makes your job easier.
  2. Most content in a framework is universally applicable. For example, irrespective of the industry and country you affiliate with, you probably handle some type of sensitive data. You can benefit from a framework that shares specific actions to take with regard to sensitive data, regardless of the type (e.g. medical, bank or credit card account, etc.).
  3. You can learn from the collective consensus-based guidance and experiences of the community that contributed to the framework. Frameworks are developed through the partnership of multiple persons of varying backgrounds and experiences — from different industries, regions of the world and roles — who contribute, discuss and debate, and come to an agreement on what will be published as the initial framework and future versions.
  4. Frameworks provide consistency in interpreting security needs across the company. Without a framework, there is a risk that your stakeholders across the company, each responsible for some aspect of cybersecurity, interpret requirements differently, causing errors and unforeseen gaps in execution.
  5. Last, but not least, a framework can be a useful tool for explaining, in a common language, what you are doing in security, even to people in the organization who are not versed in security. This is especially important, since “cybersecurity is everyone’s business.” [Read more about how to communicate with business managers in Diana Kelley’s blog post “Building a security-minded culture starts with talking to business managers”]

In a research study that surveyed over 300 U.S. security professionals from organizations of all sizes across key industry verticals to better understand the adoption patterns of the top security frameworks, 84% of respondents reported using at least one security framework. One of the best-known frameworks is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or CSF.

NIST CSF (Source: N. Hanacek/NIST)

The NIST CSF marked its 5th anniversary in 2019: Version 1.0 was prepared with extensive private sector input and issued in February 2014, and Version 1.1 was subsequently issued in April 2018. The framework summarizes and categorizes security requirements under 5 functions: Identify, Detect, Protect, Respond and Recover. These represent the key areas that an organization should consider as part of its cybersecurity strategy and operations. Organizations may already be following, or considering, other frameworks and controls in addition to the NIST CSF, and these also map well to the NIST CSF: Center for Internet Security (CIS) Controls, International Organization for Standardization (ISO) 27001:2013, and HITRUST CSF.

No matter where you are on your cybersecurity journey, a framework will help you discover what you have overlooked as well as validate what you are doing right. Some vendors share how their offerings (products and services) can help with some of the requirements outlined in frameworks, so that customers can benefit from investments they have made or are considering making. You can download Microsoft’s mapping of cyber offerings to various frameworks here.

Seema Kathuria
Microsoft Cybersecurity

Work for Microsoft in Cybersecurity Solutions Group, with 15+ years of experience marketing IT security and robotics technologies. Mother, Bollywood singer :)