If companies fail to act, they will lose more than five billion dollars through cyber attacks over the next five years. That was the conclusion recently published by Accenture, based on a global survey. For the CISO and the board, it is therefore becoming increasingly important to protect the company. A security framework, such as NIST, ISO or, in the Netherlands, BIO or NEN 7510, can help. It spells out how security and information protection are set up within the organisation, describing the measures as a process.
But how do you work out which framework best suits your organisation and how do you make sure it dovetails with your other security measures?
In order to choose the right framework, or the right elements of a framework, and implement them successfully, CISOs should take the following three steps:
1. Talk to the board about the added value of a security framework in relation to the business objectives, crown jewels and risks
Research by Gartner has shown that only 41 percent of all large companies use a security framework. That represents a missed opportunity, because any CISO who takes cybersecurity seriously should, in consultation with the board, be looking directly at how it is deployed within the organisation. Using a framework has a number of important advantages:
- It enables the company to manage cyber risks more effectively. Most security frameworks contain documents in which policies, procedures and processes which apply to an organisation's security practice have already been defined. This makes it easier to set up and manage those processes;
- It makes it easier to explain to internal and external parties how information, systems and services are managed and secured within the organisation;
- The control mechanisms within a framework can be used by the CISO to measure the security maturity of the organisation. If that is not what it should be, it is easier to get additional budget for his security policy based on these independent mechanisms.
2. Make sure the choice of framework stems from strategy, compliance requirements and customer expectations
Before a CISO decides which security framework to choose, the business objectives and the associated KPIs first need to be mapped out. A risk analysis then needs to be made, for example describing which departments contribute most to achieving the KPIs. Finally, the scope needs to be defined and a decision taken as to which members of each department should be involved in implementing the framework. Choosing the framework and the associated control mechanisms is only the final step.
As a CISO, by first obtaining a good picture of the control mechanisms you need to properly manage your risks, based on your security strategy, choosing the right framework becomes a lot easier.
3. Select the framework that best suits the organisation
Once the CISO knows which control mechanisms are needed, he can select the framework that best suits the organisation. Sometimes a customer or the authorities specify the choice of a particular framework. There are also various industry-related security frameworks, such as BIO for government or NEN 7510 for the care sector.
If there are no special requirements, the CISO can focus on a framework with the right control mechanisms for his organisation. An important tip is to start small: begin with a proof of concept based on two or three control mechanisms from the framework and keep adding to it. There are also tools that can support you, providing ready-made examples not only for setting up your framework but also for managing it through a workflow. That way, you stay in control and audits will be easy and smooth.
The perfect framework does not exist
It is also good to bear in mind that the perfect framework does not exist. Although one framework will be a little more applicable than another, in truth they are all good. So choose a framework that you, as the CISO, are convinced is the best fit for your company and use the associated control mechanisms to further optimise the security policy within the organisation.
Also be aware that a security framework does not cover all security risks. Do not lose sight of security risks defined in your security strategy and add elements from other frameworks to make up for control mechanisms that are missing from the framework. The biggest challenge for the CISO is to choose a suitable, not too complex framework, to make sure the associated control mechanisms work and that they are assigned to the right managers via workflows.
The only wrong choice is no choice
With the increasing number of sophisticated ways to obtain or block data by means of digital or physical attacks, the importance of preventive security is also increasing. A security framework can make an important contribution here. It forces the organisation to properly map out the processes around security, leaving few opportunities for potential attackers.
As a CISO, if you succeed in deploying a framework effectively, you are guaranteed to raise your company's security maturity to a higher level. So the only wrong choice you can make is not to choose a framework at all.