Hope vs. Know: 3 Reasons A Framework Is Essential To Your Cybersecurity
Just like a builder lays out a floor plan and a home cook reads a recipe, any cybersecurity professional (or managed service provider) worth their salt should be following a security framework. When it comes to your cybersecurity, the framework is multifunctional, serving as everything from a starting point to a roadmap to an assessment tool.
So what exactly is a framework? Theoretically, it’s the map you should be using to guide your business’s ongoing cybersecurity journey. In more literal terms, it’s a series of tested, tried, and true policies and procedures that have been documented and formalized—not to mention widely accepted as an industry standard.
According to SUCCESS Chief Technology Officer Brandon Nohr, the issue of whether or not you’re adhering to a cybersecurity framework is one of “hope versus know.” “If you’re not using a framework, you’re hoping you’re getting everything, you’re hoping you’re paying attention to the right things,” Nohr explains. “The framework helps you to be confident—you move from that ‘hope’ stage to the ‘know’ stage.”
For the uninitiated or those new to cybersecurity, it could be daunting to discover that there is more than one valid cybersecurity framework out there: CIS, NIST, HITRUST, ISO, and COBIT are among the more commonly used. But before you wade into that alphabet soup of acronyms, know that which framework your company or MSP employs matters less than whether it has one at all.
In fact, if you’re in the market for an MSP, a great screening question is to ask which cybersecurity framework they use. If they don’t have one, it’s a huge red flag.
“If you don’t have a framework, you’re just guessing,” Nohr cautions. He says it’s important to remember that cybersecurity is not a product you can buy off a shelf, or a one-time site visit or assessment. A robust cybersecurity program is ongoing and evolving, and the framework you follow can and will evolve and update alongside it, to keep pace with emerging threats and technologies.
Now that you have an overview of what constitutes a cybersecurity framework, let’s explore three reasons it can answer that question on every business-owner’s mind: “am I doing enough to protect my business, from a cybersecurity standpoint?”
It moves you beyond the bare-minimum of compliance
In short, regulatory compliance doesn’t equal security. At best, “it’s a check box in some sort of regulation, and that doesn’t mean you have a good security practice, it just means that this one thing is checked off,” Nohr says. While compliance regulations like HIPAA, for example, are meant to protect patient privacy, they don’t address the overarching needs of an organization’s entire cybersecurity program.
While you might need to adhere to specific compliance regulations or even an industry-specific set of protocols, there is a way to make sure you’re not having to manage multiple frameworks to meet various client and industry standards, and that is by employing the Center for Internet Security (CIS) framework.
In fact, CIS is the framework SUCCESS uses in house, as well as the framework they use for their clients’ cybersecurity, as it’s highly adaptable and can be overlapped with other industry-specific frameworks.
“The framework we like is CIS controls, which is set in order of priority,” Nohr says. “It’s not only where to start, it’s where to go next.”
It identifies security gaps
Maybe you’re new to cybersecurity, or maybe you want to evaluate the efficacy of your current program. In either case, using a framework is a great way to spot any weak points in your cybersecurity efforts.
When implementing a CIS framework for its clients, SUCCESS starts with a CIS Controls Assessment.
“The assessment says ‘okay, what are the things you’re doing now, and how do those compare to the CIS framework?’” Nohr says. “The gaps are apparent, because they are the things you’re not doing.”
In this way, a framework serves as an excellent starting point for those who are just getting started in the cybersecurity realm.
It’s a way to benchmark your security progress
Because cybersecurity is never “finished”—or, as Nohr says, “as soon as you think you’ve arrived, that there’s a destination, you make yourself vulnerable”—how can you tell if you’re making progress or moving the needle?
The CIS framework is based on priority and organized by implementation groups. Instead of following a framework process that moves in a linear fashion from A through Z, CIS helps business owners and MSPs prioritize which cybersecurity measures make the most sense for their specific organization—that’s adaptability in action.
“There’s no company that I’ve ever worked with that has successfully implemented all the framework,” says Nohr. Remember, this is a journey without a destination, and it’s never meant to end. “We may decide that a certain control that the framework is recommending just doesn’t fit your business, and you’re choosing not to implement it. But at least it’s a conscious discussion and choice, to say ‘nope, that one doesn’t make sense for us.’”
When it comes to the CIS framework, implementation groups are broken up into Basic, Foundational, and Organizational, representing a spectrum of security practices that can be tailored to a business’s resources and specific needs.
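The gap assessment described above (compare what you do today against the control list, and the gaps are whatever you are not doing) and the priority ordering by implementation group can both be expressed as a small script. The example below is added here and is not SUCCESS’s assessment tool or anything published by CIS; the control catalogue inside it is a constructed subset modeled on the CIS Controls v7 numbering and its Basic / Foundational / Organizational categories, and the implemented-control set and the documented exception are made-up sample input. It also records the “conscious choice not to implement” as an accepted exception, so that decision is tracked separately from an unaddressed gap rather than silently counted as done.

```python
"""Prioritized gap analysis against a control catalogue (added example)."""

from dataclasses import dataclass

# Priority order of the implementation groups named in the text: lower runs first.
GROUP_PRIORITY = {"Basic": 0, "Foundational": 1, "Organizational": 2}


@dataclass(frozen=True)
class Control:
    number: int
    name: str
    group: str


# Constructed sample catalogue: a subset modeled on CIS Controls v7 numbering.
# It is illustrative only, not the framework's full control list.
SAMPLE_CONTROLS = [
    Control(1, "Inventory and Control of Hardware Assets", "Basic"),
    Control(2, "Inventory and Control of Software Assets", "Basic"),
    Control(3, "Continuous Vulnerability Management", "Basic"),
    Control(4, "Controlled Use of Administrative Privileges", "Basic"),
    Control(6, "Maintenance, Monitoring and Analysis of Audit Logs", "Basic"),
    Control(8, "Malware Defenses", "Foundational"),
    Control(10, "Data Recovery Capabilities", "Foundational"),
    Control(17, "Implement a Security Awareness and Training Program", "Organizational"),
    Control(19, "Incident Response and Management", "Organizational"),
    Control(20, "Penetration Tests and Red Team Exercises", "Organizational"),
]


def assess(controls, implemented, exceptions):
    """Compare what is in place against the catalogue.

    Returns (gaps, accepted). gaps are controls neither implemented nor
    consciously excepted, ordered Basic first (the framework's priority order)
    and then by control number. accepted lists (control, reason) pairs for
    documented decisions not to implement, so they get reviewed, not forgotten.
    """
    by_number = {c.number: c for c in controls}
    unknown = (set(implemented) | set(exceptions)) - set(by_number)
    if unknown:
        raise ValueError(f"unknown control numbers: {sorted(unknown)}")
    conflict = set(implemented) & set(exceptions)
    if conflict:  # a control cannot be both done and consciously skipped
        raise ValueError(f"control both implemented and excepted: {sorted(conflict)}")
    gaps = sorted(
        (c for c in controls if c.number not in implemented and c.number not in exceptions),
        key=lambda c: (GROUP_PRIORITY[c.group], c.number),
    )
    accepted = [(by_number[n], reason) for n, reason in sorted(exceptions.items())]
    return gaps, accepted


def coverage(controls, implemented, exceptions=()):
    """Fraction of controls in place per group, usable as a benchmark figure
    between two assessments. Excepted controls leave the denominator: a
    deliberate decision not to implement is not a gap, but it is not progress either."""
    totals = {}
    for c in controls:
        if c.number in exceptions:
            continue
        done, total = totals.get(c.group, (0, 0))
        totals[c.group] = (done + (c.number in implemented), total + 1)
    return {g: round(done / total, 2) for g, (done, total) in totals.items() if total}


def next_control(controls, implemented, exceptions):
    """The single highest-priority gap: 'not only where to start, but where to go next'."""
    gaps, _ = assess(controls, implemented, exceptions)
    return gaps[0] if gaps else None


if __name__ == "__main__":
    implemented = {1, 2, 8, 10, 17}  # constructed: what a sample client has today
    exceptions = {20: "no budget for external testing this year"}  # constructed decision
    gaps, accepted = assess(SAMPLE_CONTROLS, implemented, exceptions)
    for c in gaps:
        print(f"GAP  {c.group:<14} {c.number:>2} {c.name}")
    for c, why in accepted:
        print(f"SKIP {c.group:<14} {c.number:>2} {c.name} ({why})")
    print("coverage:", coverage(SAMPLE_CONTROLS, implemented, exceptions))
    print("next:", next_control(SAMPLE_CONTROLS, implemented, exceptions).name)
```

Run twice, once per assessment, and the per-group coverage numbers give the benchmark the text asks for; the sort key is what keeps a missing Basic control ahead of a missing Organizational one regardless of which was noticed first.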
At the end of the day, Nohr emphasizes, it’s important to remember that cybersecurity is not a one-and-done. Much like physical fitness, it takes maintenance and upkeep. “You have to work at it, it’s a discipline, it’s a day in and day out process,” he says. “And that’s the same thing with security. You have to have a plan and execute that plan; if you don’t, you’ll never be healthy.”
Are you ready for your cybersecurity to achieve peak fitness? Then it’s time to make sure you have a security framework like CIS in place, and like a dedicated trainer, SUCCESS is here to help you get started and stay motivated, so your cybersecurity can keep giving you optimum performance.