Companies Mix and Match Cybersecurity Frameworks
Security professionals are tailoring security frameworks to their unique needs for securing systems, evaluating risk, communicating value, and thwarting attackers.
Key Points
- Cybersecurity frameworks define policies and procedures for preventing, evaluating, and managing cyber risks.
- Most cybersecurity frameworks fall into one of four categories, focusing on either programs, controls, risks, or adversaries.
- Choosing the right cybersecurity framework depends on multiple factors including company size, industry, regulatory mandates, and business goals.
- Some frameworks (or aspects of them) work better for some stakeholders than others, so many organizations will use a combination.
Knowing how best to protect an organization’s people, communications, and data is the defining challenge of today’s cybersecurity profession. That’s where cybersecurity frameworks come in.
Essentially, these frameworks bring perspective to today’s overwhelming variety, volume, and sophistication of cyberthreats — as captured in Mimecast’s State of Email Security 2022 report. They provide clear policies and methodologies for companies to prevent, manage, and resolve incidents. Put into practice, cybersecurity frameworks can support best practices for securing systems, validate cybersecurity readiness to customers and partners, and even persuade senior management to adequately fund security needs.
There are several trusted and time-tested frameworks available, and most of them are free. Choosing the right one — or ones — depends on factors including company size, company maturity, industry, regulatory mandates, and overall business goals.
In addition, different cybersecurity frameworks will make sense for different functions or purposes within the organization. For example, a security operations team may choose a certain framework for its granular information about how to prevent attacks, while company leaders might appreciate a framework that provides a higher-level view of security-related business risk. Increasingly, organizations mix and match frameworks to derive the right inputs and outputs to fill all stakeholders’ needs.
The Four Types of Frameworks
There are four main varieties of cybersecurity frameworks. Understanding the benefits of each type can help business leaders determine the best choice or combination of choices for their organization’s needs.
Program-Focused Frameworks
A program-focused framework is designed to help organizations create a comprehensive security program that addresses cybersecurity at a detailed level. The NIST Cybersecurity Framework (CSF), which considers cybersecurity risks as part of the organization’s overall risk management process, is a prime example of a program-focused framework.[1] The framework covers soup to nuts, but at its core is designed to guide security teams as they work to identify, protect against, detect, respond to, and recover from cybersecurity issues. It offers a number of methods for improving programs, benchmarking by industry or company, and communicating on program effectiveness.
Program-focused frameworks like NIST’s tend to be exhaustive, so that organizations need to pick and choose which aspects to incorporate, with business needs and goals driving prioritization. NIST itself notes that the CSF is not a one-size-fits-all framework, and that compliance with the framework can mean different things to different people. Relevant stakeholders in business, technology, and compliance can work together to determine which elements of the CSF align with their needs.
Control-Based Frameworks
Control-based frameworks are also lengthy, but very specific. This type of framework focuses on the safeguards that organizations put in place to reduce technical risks. NIST’s library of publications related to the CSF includes control-specific frameworks with baseline measures for organizations to tailor their own low-, medium- and high-impact requirements.[2] The International Standards Organization’s ISO 27001 ISO/IEC 27001 Information Security Management framework also lays out control measures,[3] and the Center for Internet Security’s CIS Critical Security Controls takes an approach organized around best practices.[4]
Aligning a framework’s controls with what an organization’s technology stack can and cannot do will help determine whether policies, procedures, and systems need to be updated and/or what new technology needs to be added.
Risk-Based Frameworks
Risk-based frameworks help organizations quantify risks in order to better understand them, communicate about them, and mitigate them. The Factor Analysis of Information Risk (FAIR) framework is a leading example. FAIR moves beyond the typical framework for risk analysis (looking at only likelihood and impact) to help organizations better understand, measure, and analyze risk.
Risk-based frameworks like FAIR enable security teams to articulate risk to boards of directors and leadership in the context of the business: What’s the frequency of this risk? How often are we seeing these kinds of attacks? What’s the probability of these attacks being successful? What’s our resistance to these attacks? They connect the dots between information security risk and operational risk. By looking at the actual or predicted loss events’ frequency and impact, risk-based frameworks enable leaders to make more nuanced decisions.
This is important because cyberattacks pose enormous financial risks. But instead of locking down everything to avoid those risks, security leaders have to uncover how to continue to operate effectively while applying just enough pressure on the security brakes. Risk-based cybersecurity assessments can help organizations strike this delicate balance.
Adversary-Based Frameworks
Adversary-based frameworks can play a critical role in combatting cyberattackers. These frameworks provide insight into up-to-date adversarial tactics and techniques being used in the real world to help security teams determine what might happen if attackers gain access to their systems. Adversary-based frameworks essentially help security teams think like the bad guys throughout the lifecycle of an attack.
A commonly used adversary-based framework is the MITRE ATT&CK framework.[5]Available to government, education, and commercial businesses, this framework provides information on attack stages and sequences so that organizations can align their defense-in-depth technology most effectively and detect attacker behavior as early in an attack sequence as possible.
The MITRE ATT&CK and other adversary-based frameworks, like Lockheed Martin’s Cyber Kill Chain framework, parse cyberattack lifecycles from reconnaissance to initial access — all the way through exfiltration and impact. The frameworks provide the specific techniques attackers use at each stage along with recommendations on how to stave them off. With this insight, security teams can more effectively make sense of the volumes of data generated by their monitoring tools and other security systems with the ultimate goal of stopping attackers before they do any damage.
The Bottom Line
Companies use different cybersecurity frameworks to make sense of the growing and changing array of cyberattacks they face and get on a better footing to defend themselves. Increasingly, companies mix and match aspects of frameworks in the four main categories – program-focused, control-based, risk-focused, and adversary-based — to suit their unique needs.
[1] “NIST Cybersecurity Framework,” National Institute of Standards and Technology
[2] “NIST Risk Management Framework Publications,” National Institute of Standards and Technology
[3] “ISO 27001 ISO/IEC 27001,” International Organization for Standardization
[4] “CIS Critical Security Controls,” Center for Internet Security
[5] “MITRE ATTACK&CK,” MITRE
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!