Like most critical business outcomes, data privacy and system security don’t happen by accident. A disorganized, haphazard approach to cybersecurity does little to protect users, the system, or the business. Yet many organizations don’t know where to start.

Cybersecurity frameworks are a direct response to this issue. The right framework can provide a solid foundation for building and implementing effective security policies and practices. But simply garnering buy-in can present a significant roadblock for security efforts.

If you’re an I&O professional in search of a way to deliver a more compelling argument in favor of investing in adopting a framework, or even if you’re a management professional who might be on the fence about such an investment, this article may be your answer. We’ll cover framework basics, matching frameworks to use cases, and provide some social proof of their ROI. 


What Is a Cybersecurity Framework?

Protecting against cybersecurity threats is not unlike protecting physical assets from threats in the real world. Natural disasters, acts of war, and even negligence are all hazards that have analogs in digital systems. As a result, many similarities can be seen in the successful methods of preparation, prevention, and response for losses in either category. 

That said, few industries are as fond of their linguistic separatism as computer technologies. Clarity on this topic, then, depends on a common understanding of the fundamentals, so we’ll begin our discussion there.

Cybersecurity Frameworks: A Digital Battle Plan

Like a military force at war, InfoSec depends on careful planning and coordinated operation. That’s where the framework comes in. A framework establishes a baseline of policies, rules, procedures, and expectations. It outlines the organization's risk appetite regarding digital threats, and provides a system of guidelines for addressing those threats. 

The framework does not, itself, improve information security. Rather, it facilitates better collaboration and coordination of efforts, minimizing the number of critical responsibilities that fall through the cracks. It achieves this by:

  1. Ensuring all stakeholders understand the scope of the efforts, and the definitions of both success and failure
  2. Revealing aspects of information security that may currently be overlooked or underserved
  3. Clarifying expectations and requirements, so that accountability for events is easier to establish

The framework is a way to standardize the cybersecurity efforts of an organization, so that each team member understands what role they play in protecting the system. 

Frameworks, Architectures, and Applications

As mentioned above, the framework is just policy. Implementation and execution strategies are built on top of that framework, using the latter to shape and direct it. 

To borrow from the construction industry, the “framework” constitutes a) building codes and ordinances required to meet legal standards, and b) the organization's internal rules and policies for achieving compliance and holding individuals accountable.

If an organization is establishing its InfoSec efforts from scratch, the framework would be the first step, serving as the foundation for everything that comes next. Once that foundation is laid, the next step is a matter of architecture.

Architecture, in construction as in computer systems, is the design. It represents the engineering portion of a security strategy, where the framework is primarily administrative. A chosen security architecture provides a blueprint for the development of the system's structure. 

This in turn provides easier maintenance and defense of the system, as the “structure” has been designed to minimize vulnerable surfaces, maximize visibility, and so forth. 

Finally, distinct software tools form the highest layer of this structure. This is where execution happens. Programs, APIs, and applications equip I&O teams with the force multipliers needed to stay ahead of evolving threats. 

The framework may provide the policy, and the network’s design architecture may facilitate better server-to-endpoint monitoring, but it’s often an app dashboard that a technician uses to collect system data where a threat can finally be identified. 

Information Security Frameworks vs. Cybersecurity Frameworks

One final note on terminology: not all definitions are clearly delineated. Case in point, some frameworks are referred to as “information security frameworks,” while others are described as “cybersecurity frameworks.”

While the terms are not necessarily 100% interchangeable, information security (a.k.a. InfoSec) is largely synonymous with cybersecurity. The former may have been more expansive in its definition in previous decades, when large amounts of private information were still stored on paper documents. 

These days, there’s little distinction between “information” and “digitally accessible information.” 

In other words, while nuances exist and different terms or titles may be used to describe slightly different roles and responsibilities, don’t expect those variations to be standardized across the board. Depending on an organization's control framework, its data security standards may be described differently according to the needs of its information systems teams. However, the guidelines for risk assessment and protecting sensitive data are almost universal, whatever they are called.

A Closer Look at Cybersecurity Frameworks

Next, we’ll discuss frameworks in more detail, such as their priorities and objectives, and what major frameworks are in widespread use.

The Five Core Elements of the NIST Framework (NIST CSF)

While each security framework is unique in both its approach and its objectives, there are some commonalities. As mentioned above, whenever discussing subjects like risk, loss, prevention, response, etc., fundamental methodologies tend to be applicable across nearly every use case, regardless of the actual circumstances.

So, we’ll use a single framework (the NIST cybersecurity framework; more on this below) to illustrate how improved security can be achieved.

The NIST framework is built on five elements or pillars that establish the primary responsibilities it aims to address. These five are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The list here is non-hierarchical; the NIST website itself illustrates the pillars as a wheel rather than a checklist. Indeed, the idea is one of recursive effort. No team is ever finished protecting the system, since cyber threats are constant and data protection is always at risk. It’s a race that has no finish line, and any given success is only temporary. 

Any professional with cyber risk management experience will likely recognize these five priorities as familiar. Most risk management initiatives follow similar patterns of predicting, preparing, avoiding, mitigating, and minimizing risk factors and losses. 

That’s one of the advantages of a framework: it puts things in perspective. It’s a reminder that some threats can be anticipated while others cannot, and that preparation and vigilance are the only reliable safeguards against catastrophic losses, losses that are a question of when, not if.

Common Frameworks

The subject of security frameworks (their types, subcategories, intended use cases, and so on) is a fairly deep rabbit hole even on cursory inspection. Frameworks may be designed around industry regulations, international standards, technological requirements, and so forth. By and large, however, two frameworks dominate the landscape.

The first is the framework developed by the US National Institute of Standards and Technology (NIST). Especially here in the United States, this framework (as a whole, in parts, or through its more specialized subsets) is more widely used than any other. 

The second is the set of frameworks developed by the International Organization for Standardization (ISO). The ISO/IEC 27001 and ISO 27002 frameworks represent a global standard, one dependent on certification through the ISO, and one used by many businesses that have to reckon with financial regulations across multiple national boundaries. 

At least in the US, a third framework also bears mentioning: HIPAA. The Health Insurance Portability and Accountability Act sets the standard for healthcare cybersecurity and data privacy in the US. As a result, it functions in many ways as its own cybersecurity framework, and no system, network, or application can function for long in that industry without complying with its regulations in full.

Why Use a Cybersecurity Framework?

As might be obvious from the names of organizations that developed the most popular frameworks, these are systems of standardization. Similar to safety protocols, manufacturing standards, and the like, a framework ensures that everyone is playing by the same rules, and working toward the same goals. 

The alternatives largely amount to either increased risk and liability, or increased redundancy of effort. An organization can ignore frameworks, as it could dismiss any set of best practices, but it does so at its own peril. Alternatively, a business could build its own framework, though such an endeavor would be laborious and costly (and needlessly so).

In some cases, without a framework, organizations don’t realize what vulnerabilities they are overlooking. Such was the case with Sentrata, a not-for-profit healthcare provider.

Sentrata enlisted the help of RiskRecon, a Mastercard company, and VIRTIS in vetting their third-party vendors for their levels of security risk. After seeing the results of the cyber risk assessments we provided for their vendor options, we recognized that some of the risk factors we highlighted in these candidates might also apply to their internal security controls.

Using the same framework that facilitated the vendor assessments, Sentrata was able to grade their own security efforts to determine the risks that they themselves brought to the table. The end results were informative:

  • The team’s efforts were validated for the current security controls that met or exceeded the framework’s guidelines
  • They prioritized security vulnerabilities found in the internal critical infrastructure
  • The framework provided a benchmark for proving security investment ROI to the executive team

In short, Sentrata started with the goal of finding vendors that held their organizations to a higher security standard. By applying those same standards to their own systems, they both improved their ongoing efforts, and justified those efforts with hard data.

For any organization similarly interested in how cybersecurity frameworks and best practices can benefit its risk management efforts (both internally and when dealing with third-party vendors), RiskRecon is here to help. Request a free demo today!