Is your cyber security framework fit for purpose?
When we ask organisations about cyber security frameworks, responses vary from ‘we’ve implemented one already’ to ‘we know we need one but don’t know where to start’. Many, overwhelmed by the range of approaches available, just hope their information security headaches will go away. They won’t.
What is a cyber security framework?
A security framework is a supporting structure upon which to build layers of controls. It consists of rules, policies and guidelines that provide a standardised security approach.
The deeper a framework dives, the harder it is to implement – but the more robust it is. It’s important to balance the efforts and costs of implementing a framework against the rewards.
Why choose a framework?
Security frameworks reduce the everyday resource required to remain protected against cybercrime by embedding tried and tested guidelines. For example, for every new data-sharing request, you don’t have to consider new approaches or technologies to secure it – it’s already in place.
What are the options?
There are myriad frameworks available – with various degrees of suitability depending on the specifics of your sector or organisation.
At one end of the spectrum sits ISO 27001 – the ‘daddy’ of information security frameworks. Deep, rigorous and requiring high commitment, it has become the security gold standard and requires on-going independent verification to achieve and then maintain certified status.
There has also been traction with the US-led NIST Cyber Security Framework. We have seen an increasing number of UK organisations adopting this. It offers a valid and useful alternative to ISO 27001 without some of the perceived red tape.
Move down the scale and you’ll pass numerous other options until you reach the UK government’s recently introduced 10-step Cyber Essentials programme. It’s more an audit standard than a framework, but it can be used to build towards higher certification levels like Cyber Essentials Plus or, eventually, more complex frameworks. It’s relatively easy to achieve and is an industry-standard security seal, but it won’t deter highly sophisticated attackers.
Selecting a framework
Throughout the selection process you should constantly consider what you are trying to achieve. Are you simply using a framework because you are responsible for security and don’t know where to start? Or do you have very specific requirements?
Common drivers include clients increasingly insisting on security clauses in contracts, responding to competitors proudly displaying their security credentials, or pressure to meet internal governance requirements and maximise security as efficiently as possible.
Common problems
Once you’ve selected a framework, success depends on securing top-level management support to ensure on-going efforts to maintain and upgrade it. Without this, it’s hard to adapt to required cultural changes or technical updates as your business evolves. What was safe last year may not be safe next year.
Practical solutions
To facilitate on-going security management, don’t start from scratch. Use the tools and approaches provided by a framework as a shortcut to success, and adapt your existing policies and procedures where possible. Use a shared calendar outlining where actions are required and who is responsible for carrying them out. And use that top-level support to embed security in everyone’s working practices – if security is seen as just one person’s responsibility, then your controls will be ignored, circumvented or undermined.