
Your First Steps on the Journey to Improved Security: Selecting the Right Framework


Author: Kyle Wolski 

Contributors: Ryan Bauer & Matt Martin


If you are stepping into a new security role, or just looking to revamp an existing cybersecurity program, you may be asking yourself: “Where do I begin?” One of the first and most important decisions you will face is choosing the right cybersecurity framework to protect your organization. It sounds simple, but with so many options, this process can quickly feel overwhelming. Searching for answers and recommendations can lead you down a path filled with differing opinions and contradictory information. While the question might seem simple, the solution is rarely straightforward.


You are likely asking yourself the following questions:  

  • “How do I choose a framework that fits our specific business and risk profile?”

  • “How do I align with our industry, company size, and long-term goals?”

  • “Are we committing ourselves to expectations we will not be able to meet?” 

  • “How will we measure progress and success over time?”

  • “What about my company’s commitments to regulatory and compliance requirements?”

  • “What is the cost - both financially and in terms of resources?”

  • “How can I trust the guidance provided?”

The good news is that these same questions are also the evaluation criteria you should focus on. From understanding your unique risks to evaluating your industry’s regulatory demands, there are key factors to consider that will help guide you toward the right framework. By the end, you’ll have a clearer idea of how to choose a framework that fits your company’s needs and sets you on the path toward improved security.


1) Understand Your Risks and Critical Data

It is often surprising how many individuals do not understand their organization’s business objectives, which is critical to evaluating risk. The first step on the journey to cybersecurity is ensuring you can align your security posture with your organization’s mission and purpose.


Without this insight, it’s hard to pinpoint which risks and data are the most important to protect within your organization. This can lead to debates over priorities simply because there is no clear consensus on what matters most. Even those whose job is cybersecurity can sometimes feel disconnected from what truly keeps the business sustainable. 

To get started with understanding your risks and critical data, begin by talking to key stakeholders across the organization - those who know the ins and outs of the business. Ask questions about what data is essential to daily operations and what would cause the biggest disruption if it were compromised. 


If you or your stakeholders are struggling to identify those answers, consider performing a Business Impact Analysis (BIA) to identify those critical systems, data, and functions within the organization. This collaborative approach not only helps you understand what’s most critical but also builds a shared understanding of priorities, making it easier to align your security efforts moving forward.


2) Assess Organizational Complexity, Size, and Buy-In

The structure and complexity of your organization will play a pivotal role in selecting the right security framework, so a key question to ask is: “How fragmented or consolidated is your organization?” A complex organization, where you have to engage multiple teams across a single security domain, will need a more robust and detailed framework that would be overkill for a small, simple organization. A larger organization might lean towards NIST 800-53 to account for the wide variety of technologies and processes in use, while a smaller company might prefer a high-level, streamlined framework like CIS IG1.


A proper security framework is only as effective as an organization's ability to enforce it. Leaders need to see how security aligns with their processes and objectives, and they must be given the right tools to drive adoption of and adherence to security controls. Organizational leaders who do not see the value in the security strategy can create unnecessary resistance and pushback. Oftentimes this is not from malice, but from the view that security controls are creating roadblocks and hindering their team’s objectives. Cybersecurity leaders need to remember that everyone is responsible for security, so selecting a framework that works for everyone, and not just the information security team, is the only way to ensure successful implementation.


When assessing your organization’s complexity, size, and compatibility with cybersecurity frameworks, start by mapping out your company’s structure - who’s involved in decision-making, how many teams and departments need to be engaged, and where the major touchpoints are for security. Understanding this will help you gauge how much coordination is needed and how scalable your chosen framework needs to be. Work to secure buy-in from leadership early on by explaining how the framework will support both security goals and business objectives. Clear communication will help ensure that security isn’t seen as an obstacle but as an enabler of long-term success.


3) Pick the Framework that is Aligned to your Current Maturity Level

As was stated in the last section, when it comes to picking a security framework, one size definitely doesn’t fit all. The key is to choose one that aligns with where your organization is right now - not where you hope to be in five years. 


This requires an organization to be honest about its current cybersecurity maturity level. Do you already have strong security processes in place, or are you just getting started? Are you looking to mature your posture, or simply plug the holes? Take an honest look at your capabilities, resources, and the level of risk you can manage. Then, choose a framework that fits your current strengths while leaving room for growth. Starting with something too advanced can lead to frustration, while picking a framework that matches your maturity ensures steady progress and success over time. It’s all about setting a strong foundation that you can build on.


4) Understand the Industry and Regulatory Landscape

Let’s face it - no two industries are the same when it comes to security. To navigate the maze of regulations, laws, and standards, you’ll need to get familiar with the unique demands of your field. Frameworks like HIPAA and PCI have industry-specific applications, while CIS and NIST are more generalized. If your organization is held accountable to certain regulations, consider utilizing a generalized framework and complementing it with one that also helps your organization remain compliant with applicable laws, regulations, or expectations.


To understand the industry and regulatory landscape, start by researching the specific regulations that apply to your sector. Look for industry standards and compliance requirements, such as GDPR for data protection or HIPAA for healthcare. Engage with industry associations or forums where you can connect with peers and stay updated on emerging regulations. Ensure you’re reaching out to legal and HR, who can provide their input and guidance. This approach not only helps ensure you stay secure but also plays a crucial role in protecting your organization from potential legal risks.


5) Consider the Cost of Ownership and Implementation

When choosing a security framework, it’s not just about picking the best fit - it’s also about understanding what it will cost to implement and maintain. Complex frameworks with multiple domains, controls, and expectations may come with significant costs not only to implement, but also to maintain. Even if the framework is applicable to your organization, effectively assessing, tracking, and remediating those controls can place a significant burden on organizations that do not have a dedicated or large security and compliance workforce to drive adherence to the framework. The right approach balances security and budgeting.


Start by outlining both the upfront and ongoing expenses associated with the framework you’re eyeing. This includes not only licensing fees but also training, staffing, and any necessary technology upgrades. Don’t forget to factor in the time commitment required for implementation and maintenance, as this can significantly impact the organization's resources. It’s also a good idea to seek input from other departments to get a full picture of how the framework might affect various aspects of the organization. By taking a holistic view of costs, you’ll be better equipped to make a decision that aligns with your budget and goals.


6) Utilize Well-Known, Industry-Standard Frameworks

When it comes to security frameworks, it’s often wise to stick with what’s tried and true. Utilizing well-known, tested, industry-standard frameworks can provide a solid foundation for your cybersecurity strategy. Be wary of frameworks that claim to be “best practices” without mapping or aligning to well-known, tested, and established frameworks or organizations. 


Evaluate whether the framework has been released or backed by a well-known security organization such as the American Institute of Certified Public Accountants (AICPA), MITRE, or the National Institute of Standards & Technology (NIST). Check whether it's widely recognized and endorsed by reputable organizations or regulatory bodies in your sector. Additionally, verify that the framework is regularly updated to reflect the latest security trends and practices. Reading reviews or case studies from other organizations that have successfully implemented the framework can also provide valuable insights into its legitimacy and effectiveness. By leveraging established frameworks, you can build a robust security posture while benefiting from the collective wisdom of industry experts.

Choosing a Framework

Now that you’ve laid the groundwork for selecting the right cybersecurity framework, it’s time to talk about starting your journey. The good news is that by now you should have everything you need to get moving. Start by reviewing the frameworks you’ve considered and evaluating them against your organization’s specific needs and risk profile. Gather input from key stakeholders. Think about your organization’s current maturity level and the areas that need the most improvement. Narrow down your options by assessing how each framework addresses your unique challenges, compliance requirements, and available resources. Finally, weigh your proposed framework against the guidance of industry experts.


You should prepare your company for its maturity journey by establishing a crawl, walk, run strategy, allowing your target framework to mature along with your organization.


Crawl - Organizations that are just starting their security maturity journey, have minimal budget and governance enforcement, or have a fragmented structure that will present considerable challenges should focus on simpler and easier-to-implement frameworks. The most appropriate frameworks provide controls that are simple to implement and use fail, partial, and pass evaluation criteria. Some examples might include CIS Critical Security Controls, NIST CSF Core Functions, and the SANS Top 20 Security Controls.

Walk - Once an organization has a solid foundation of security controls and stronger governance enforcement, it should start evaluating, managing, and reducing risk continually. Implementing baseline controls to reduce initial risk is great, but continuing that evaluation is what matters for the next step. Frameworks that set organizations up to manage their risk posture using an evaluation methodology that continuously assesses controls and drives remediation activities are typically the best for companies at this stage. Consider supplementing a baseline framework with an industry or regulatory framework to drive appropriate compliance. Some examples might include ISO/IEC 27001, COBIT, or PCI DSS.

Run - Complex or large organizations, or organizations that already have an effective baseline of security controls and risk management, will need to shift their mindset from simple implementation of controls to continuous maturity of security concepts. Frameworks that expand on the simple fail, partial, and pass evaluation criteria by utilizing a maturity scale become more important at this stage, where simple implementation is no longer sufficient for compliance with a control. The goal is to continuously evaluate the organization’s maturity in the application of controls and to drive continuous improvement and remediation work that reduces risk to the organization. Some examples might include NIST CSF, ISO/IEC 27002, CMMI, or NIST RMF.


The key thing to keep in mind is that there is no one-size-fits-all answer; the unique criteria of your organization will dictate what is appropriate for it. Sometimes the easiest way to contextualize the journey is to use an analogy. If your ship is sinking, you plug the holes first (crawl), then evaluate which areas are likely to leak again (walk), and then measure the effectiveness of preventing another leak (run). Each step you take builds on the previous one, reinforcing your organization’s security posture. While this can be a daunting decision for any company, ImagineX has extensive experience helping organizations choose the right framework and guiding its implementation.

