By Andrew Roberts, Chief Cybersecurity Strategist, cStor
Building an effective information security program is a journey. Like any journey, the most efficient way to plot your course and track your progress is to use a well-planned roadmap. Fortunately, cybersecurity professionals don’t need to create their own roadmap – and they shouldn’t. There are several cybersecurity frameworks available to help guide you on your way.
Choosing a Framework
An effective cybersecurity framework will contain a series of processes and objectives that you can use to help define your policies and procedures around information security, guide your implementation of controls, and drive management, measurement and monitoring of your information security program. The framework should be developed by a consortium of technology professionals and be subject to regular review and updates.
Some examples include the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), the Center for Internet Security (CIS) Critical Security Controls, and the HITRUST Alliance’s Cyber Security Framework (HITRUST CSF®).
Each framework has its own origins and objectives. NIST CSF was developed as a voluntary program to help private sector organizations protect our nation’s critical infrastructure and key resources (CIKR). The CIS Controls found their origins in the SANS Institute and were originally promoted as the 20 critical cybersecurity controls. The HITRUST CSF was developed specifically for healthcare organizations and is an amalgamation of several frameworks and regulatory requirements regarding security and privacy applicable to that industry. Despite their different origins, each of these frameworks takes a holistic view of cybersecurity and would serve well as the basis for an information security program in any organization.
You may have noticed that I have not mentioned PCI-DSS, HIPAA, or the many other acronyms to which we must comply. While each of these regulations lists many specific cybersecurity controls that must be operating in your environment, these are not really frameworks in the context of this discussion. They were all developed for a specific purpose, and while full compliance will likely improve your environment, compliance does not equal security. These requirements should not be the basis of your security program; they should be considered in conjunction with it.
While reviewing frameworks to decide which will work best for your organization, it may be tempting to treat them as à la carte menus from which you can pick and choose items to build your own framework. Resist that temptation. Creating a custom framework opens the risk of missing something and leaving gaps in your program. Should there be an incident, it will be your framework that fails, and you may feel the full brunt of the repercussions. If you really need a blend of frameworks, take one in its entirety and supplement that with controls from other frameworks. You can also supplement the framework with specific requirements (such as those from PCI-DSS) as needed.
Building Out Your Plan
Choosing a framework is just the first step. Once you have settled on a framework, you need to bring it to your executive team. Taking your information security program to the next level will require buy-in from the top. Your executives will need to understand your chosen framework and agree on the course of action.
Now that you know where you are headed, it’s time to understand your starting point. Use your chosen framework as the basis for a gap analysis. This analysis can be performed internally, but it is often more efficient and effective to have a trusted partner complete the legwork and provide an unbiased third-party opinion.
Use the results of your gap analysis to build out your 1-, 3- and 5-year plans. Tackle the low-hanging fruit first to show some quick, cost-effective wins and build momentum. If you get bogged down in day-to-day activities, consider using a partner like cStor to help you accomplish your goals. It is important to keep your momentum as your program moves towards the goal of framework compliance.
As you progress on your journey, don’t forget to track your progress and report that back to your executive team regularly. They agreed with your framework and will want to know you are moving forward. They can also provide much-needed help removing roadblocks if forward progress stalls.