How to choose a cybersecurity framework
With no CISO/CSO, how can you make cybersecurity a core part of your culture and business strategy, and maybe even a competitive advantage? Here’s a roadmap to get you going until you can hire one. This is the fourth article in the cybersecurity playbook series. The series begins with an overview: What to do when there is no CSO.It is followed by playbooks for critical services and creating your CS strategy.
tl:dr
So far in this series I’ve written about how you, as the CIO/CTO/Head of IT/most-technical-founder, can improve you organization’s cyber resilience by identifying your critical business services; documenting the existing security controls; performing a gap analysis and then filling the gaps per your chosen cybersecurity framework. This was followed by a dive into the need for a cybersecurity strategy.
Hopefully, you’ve started the organization-wide process to identify, from a business perspective, your critical services and the people, systems, data, facilities and vendors they depend upon. While that is going on, it’s time to decide which cybersecurity framework will be the best fit, for your org, for the next year.
Why do you need a cybersecurity framework?
It doesn’t matter whether you’re a small online retailer in Adelaide, a three-person startup in Bengaluru, a medium-sized healthcare provider in the US corn belt or a reputable bank in a developing nation. You’re all in the same position: you need a framework to give your cybersecurity work the right structure, coverage and focus. I’ve worked in a number of companies with good-to-great security teams; they implemented best practices, had good, layered defenses where they should be, tried to get developers to do a better job and tried to explain threats to the business. What’s wrong with that? Nothing. It’s just not enough. Or, to be more precise, you, as the person responsible for IT, don’t know how large the gap is between what-is and what-should-be.
You have to be able to answer some key questions when the CEO/board/partners/investors ask: Can { SolarWinds supply chain hack | Microsoft Exchange hack | $74 million ISS World ransomware | Adobe data theft} happen to us? How much is our risk? Are we sufficiently protecting our key assets? What do we need to do in the future? How does cybersecurity align with our business strategy? A CS framework will help you answer those questions and more.
Which framework is right for you?
How many frameworks are there? Not too many once you understand what they all do, and who their target users are. The fine people at cyberexperts.com (no affiliation) have compiled the best list I’ve seen. They have identified 23 cybersecurity frameworks or framework-like initiatives or sets of standards. And that is one of the key differences: one one hand you have frameworks that give you the pieces to achieve a goal and on the other you have standards (the goals). The other key differences are certification, infrastructure-focus (cloud-only or everything), and whether the framework is a regulatory framework, e.g., FISMA, HIPAA or GDPR — you don’t choose them, they choose you.
Frameworks overview
SANS/CIS Critical Security Controls — SANS Institute, one of the founders of the Center for Internet Security (CIS and not to be confused with CISA). Often used interchangeably, the SANS Institute/CIS offers a great program for small to medium size business, and from no-budget to got-cash-to-burn.
The US National Institute of Standards and Technology aka NIST provides the most comprehensive cybersecurity framework (CSF) with the largest set of free resources. The NIST CSF uses a model based on five functions: IDENTIFY important assets and what threatens it; discuss and analyze how best to PROTECT; determine how best to DETECT issues; RESPOND quickly and effectively; and, achieve organizational plans to RECOVER. NIST is appropriate for organizations of any size, but they do have a Small Business Cybersecurity Corner.
System and Organization Controls aka SOC 2 from AICPA — is specifically designed for organizations that store customer data in the cloud. They offer certifications based on technical and management audits and reports. SOC 2 reports the organization’s ability to demonstrate that they are managing threats and have effective processes and controls in place to detect, respond to, mitigate and recover from security incidences. SOC Resources and learning. Excellent overview on SOC2 compliance from threatstack.com. Basic overview from Wikipedia.
COBIT, for example, does not offer a NIST-like cybersecurity framework. COBIT is about governance, and if governance is your thing, if ITIL and ITSM are not meaningless acronyms/initialisms, then dig in! They do offer a guide to implementing the NIST cybersecurity framework.
The Committee of Sponsoring Organizations of the Treadway Commission aka COSO — is not so much a cybersecurity framework as it is a risk management framework. Could go a long way to helping you assess and manage enterprise risk. Sponsored by orgs in finance, accounting and auditing.
Health Information Trust Alliance Cybersecurity Framework (HITRUST CSF) — hard-core, incorporates internationally accepted security and privacy-related regulations, standards, and frameworks–including ISO, NIST, PCI, HIPAA, COBIT, Department of Defense (DoD) Cybersecurity Maturity Model (CMMC) Framework, and NY DOH Office of Health Insurance Programs — to ensure a comprehensive set of security and privacy controls.
FedRAMP — (available to commercial entities as well) is a U.S. federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services to ensure that the proper level of security is in place when government agencies seek to access them. Here’s a great overview.
The difference between NIST and FedRAMP is explained brilliantly by the fine folks at reciprocitylabs.com (again, no affiliation):
NIST provides standards and guidelines around risk management, information security, and privacy controls for information systems used by the US Federal Government. FedRAMP uses the NIST guidelines in its own framework to enable US Government agencies to use cloud services securely and efficiently.
The EU’s ENISA is, unfortunately, still a work in progress. If you’re looking for some actual standards, try ETSI — globally applicable standards for ICT-enabled systems, applications and services deployed across all sectors of industry and society.
But le rubber hits le road here: ETSI TC Cyber. Recognized as a major trusted center of expertise offering market-driven cybersecurity standardization solutions, advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. They have produced The Critical Security Controls (TR 103 305) — a five-part series of pragmatic guidance and advice that are widely applicable to many enterprises.
Canada offers the Baseline Cyber Security Controls for Small and Medium Organizations publication intended for small and medium organizations in Canada that want recommendations to improve their resiliency via cyber security investments. They attempt to achieve 80% of the benefit from 20% of the effort of cybersecurity practices.
Singapore, through it’s monetary authority (MAS), and cybersecurity agency (CSA) has for many years been the leading light in all things ICT in SE Asia. For instance, less than 30 days after the SolarWinds started blowing, the MAS revised their technology risk management guidelines to keep pace with changes in the threat landscape. For small and medium enterprises they offer a Go Digital program designed to help SMEs seize growth opportunities and manage cyber risk. There are a number of resources that could be of use to your SME including a short list of pre-approved cybersecurity solutions.
Finally, check with your national government to see what cybersecurity resources they can offer your organization.
How to choose?
If you have no/low budget, you’re not in healthcare and don’t take credit card information, then I recommend you start with this SANS/CIS solution: A Small Business No Budget Implementation of the SANS 20 Security Controls. Unfortunately, this document was written in 2011 and, in the last 10 years, many of the free technology solutions no longer exist. Fortunately, you can easily replace all of the technology with modern, free-and-open-source-software (FOSS). Yay!
If you have some budget, there are four frameworks you should consider, or just one if you’re in healthcare: for healthcare providers, the HITRUST CSF is the CS framework for you.
SOC 2 — If your business is largely a service and you want certification, and you don’t take customer credit card information but do store your customer’s personally identifiable information (PII), AND you’re only in the cloud then SOC 2 may be the CS framework for you. It’s largely based around auditing and reports.
If you’re totally in the cloud and really want certification, then FedRAMP may be a better fit for you if you’re a US-based company, otherwise their certification is not available to you.
For everyone else, my recommendation is to start small with SANS, then grow into NIST, and if you need it, after a few years go for ISO/IEC 27001 and certification. Obviously, if you store credit card information then PCI-DSS will be in your future (but you know that already). SANS/CIS has 20 controls, while NIST has over 900 controls in 18 control families. There’s no reason you can’t start with SANS and migrate to NIST.
If you’re a mature organization, and risk management is part of your business culture, then you may be ready to jump right into NIST.
SANS has An Overview of Threat and Risk Assessment and an overview of cybersecurity tools. SANS/CIS 20 (Center for Internet Security) has three versions, a small business no budget implementation, a version for small and medium enterprises (SMEs), and the full set of security controls, and there is the CIS RAM: Risk Assessment Method. SANS has an awesome poster with an overview of the CIS controls and Five keys for building a cybersecurity program.
NIST has a much larger set of resources: Cybersecurity framework (CSF); Risk Framework; and Security Controls. NIST is appropriate for organizations of any size, but they do have a Small Business Cybersecurity Corner.
For an overview of the NIST risk management framework, please see:
Risk Management Projects/Programs or NIST Risk Management Framework Overview
NIST SP 800–39 Managing Information Security Risk: Organization, Mission, and Information System View
NIST SP 800–37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800–30 Guide for Conducting Risk Assessments
NIST SP 800–53 Security and Privacy Controls for Information Systems and Organizations
All of the NIST 800-series special publications.
I will be continuing this series over the coming days and weeks. I look forward to positive comments and questions!