How to choose the right cybersecurity framework for your organization
As a growing number of organizations are affected by cybercrimes across a range of industries, it may never be more imperative for your organization to adopt cybersecurity best practices to protect against these attacks.
But how do you know which framework and practices are best for your organization? Where do you begin if you have no cybersecurity program or an immature one? How do you mature your existing practices to strengthen your cybersecurity posture?
In a recent webinar with Apptega, Bhavesh Vadhani, Principal of Cybersecurity, Technology Risk, and Privacy, and Daryouche Behdoudi, Managing Director of Cybersecurity, Technology Risk, and Privacy, both of CohnReznick, an advisory, assurance, and tax firm, spoke about some of the benefits of these practices, taking a deeper dive into the NIST Cybersecurity Framework (NIST CSF) and the Center for Internet Security’s (CIS) Critical Security Controls version 8 and how they can help organizations support their cybersecurity goals.
First, what is NIST CSF?
NIST CSF: The NIST Cybersecurity Framework (NIST CSF) is a set of standards outlining cybersecurity best practices. Created by the National Institute of Standards and Technology (NIST), this framework can help your organization measure and manage your cybersecurity risk, while aligning your cybersecurity practices to your organization’s business goals.
NIST manages several other frameworks as well, for example, NIST SP 800-53 and NIST SP 800-171.
NIST CSF is a voluntary framework and does not require formal certification. Instead, your organization can choose which NIST standards are applicable for your current security profile, and then add additional standards later as you work to close gaps and improve your cybersecurity maturity.
NIST CSF became public in 2014 as part of a NIST private-sector and government partnership responding to the 2013 Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”. In 2014, Congress formally ratified the standards in the Cybersecurity Enhancement Act of 2014.
Your organization may consider adopting NIST CSF as a way to help identify cyber risks and make plans to address them as they relate to your business goals and objectives.
The NIST Cybersecurity Framework is made up of three components: the core, implementation tiers, and profiles.
With the NIST CSF core, there are five functions that align directly with the cybersecurity lifecycle: identify, protect, detect, respond, and recover. These serve as pillars for CSF.
Across the five core functions there are 23 categories of requirements, each broken down further into subcategories.
Would you like to take a closer look at these core functions? Check out our NIST CSF Fundamentals page for an in-depth look.
There are four implementation tiers:
Tier 1: Partial
- Cybersecurity activities are not directly informed by risk objectives, business requirements, or threat landscape.
- Activities are ad hoc and reactive.
Tier 2: Risk-Informed
- Cybersecurity activities are directly informed by your risk objectives, business requirements, or threat landscape.
- Activities are piecemeal.
- Some risk awareness, but not proactive.
Tier 3: Repeatable
- Cybersecurity activities are updated when applying risk management processes to your changing business requirements and threat landscape.
- You’ve implemented these activities throughout your organization.
- Activities are repeatable in response to cyber events.
Tier 4: Adaptive
- Cybersecurity activities are built into organizational culture.
- Complete adoption of the NIST CSF framework.
- You can respond to cyber events.
- You take proactive steps to detect issues.
- You can respond to threats based on trends and other relevant risk information.
The final NIST CSF component is the profile, which helps you align your objectives, goals, risk appetite, and resources to a CSF score. This is your current profile. From there, you can compare your current profile against your target profile (how mature you want your cybersecurity program to be) and apply additional elements from CSF to reach that target.
To be fully NIST CSF compliant, you would need to demonstrate you’ve implemented all of the controls and subcontrols through implementation tier 3. This includes the ability to proactively
While NIST CSF got its start as a risk-based framework for organizations dealing with critical infrastructure in the United States, today it is one of the most highly implemented security frameworks worldwide for both government and the private sector.
What is CIS v8?
CIS v8: CIS v8 is a set of cybersecurity standards representing best practices from the Center for Internet Security. This framework is older and more prescriptive than NIST CSF. According to CIS, the CIS v8 controls are “mapped to and referenced by multiple legal, regulatory, and policy frameworks.”
The goal of the CIS framework is to help your organization identify and respond to cyber threats. There are 18 controls in CIS v8, compared to 20 in CIS v7. The 18 CIS v8 controls cover:
- 1. Inventory and Control of Enterprise Assets
- 2. Inventory and Control of Software Assets
- 3. Data Protection
- 4. Secure Configuration of Enterprise Assets and Software
- 5. Account Management
- 6. Access Control Management
- 7. Continuous Vulnerability Management
- 8. Audit Log Management
- 9. Email and Web Browser Protections
- 10. Malware Defenses
- 11. Data Recovery
- 12. Network Infrastructure Management
- 13. Network Monitoring and Defense
- 14. Security Awareness and Skills Training
- 15. Service Provider Management
- 16. Application Software Security
- 17. Incident Response Management
- 18. Penetration Testing
Your organization has some leeway in how it applies these security controls within a flexible framework. There are three implementation groups (IG) outlined in CIS v8. Each of these groups, according to CIS, is based on an organizational risk profile and the resources available to implement the CIS Controls.
Within each implementation group, there are a series of safeguards. These safeguards were previously called CIS sub-controls. There are 153 safeguards in v8.
CIS recommends every organization begin with implementation group 1, which it considers to be essential cyber hygiene. These practices can be used as a foundation for your cybersecurity program. From implementation group 1, your organization can then build on to IG 2 and then IG 3 to mature your cybersecurity posture.
Framework Commonalities
The NIST CSF and CIS v8 frameworks are complementary. The core difference is that CIS v8 is more prescriptive, whereas NIST CSF provides security objectives that you can reach at your own pace (compared to the CIS-specific implementation groups).
Both frameworks can help your organization manage cybersecurity risk and enhance the cybersecurity maturity of your environment.
Why are they important? It’s all about identifying and reducing cyber risks. As we continue to operate in a connected economy—one where our organizations and systems are increasingly more connected—we have a larger attack surface with more ingress and egress points. That means more opportunities for cyber-attackers to successfully breach your enterprise. These frameworks can help you better understand how to protect your environment. Think of both as guiding statements, but one where CIS has a more detailed how-to.
Although the CIS framework has been around longer than the NIST Cybersecurity Framework, it has evolved a lot over the years. When NIST CSF came out, CIS began to align closer to CSF standards.
Framework Differences
At a high level, NIST CSF is risk-based guidance, driven largely by the federal contracting base, whereas CIS v8 is a more maturity-driven framework.
CSF provides security objectives. Essentially, it helps your organization think about its risk and then helps point you in the right direction to better understand how to identify and respond to these risks, for example, in terms of access control, response, authentication, etc. It provides you with information to help you look at all of your critical assets, and then apply NIST CSF guiding statements to those assets.
Conversely, CIS is more explicit. It doesn’t just give you a generalized objective; it provides an explicit control, worded in such a way that you understand how to adopt and implement it.
In short, CIS v8 eliminates the ambiguity some may see in NIST CSF. There’s no guessing game.
Also, unlike CIS, CSF doesn’t address maturity. You can apply all of the standards or apply a few within the framework based on your organization’s needs and goals.
How to Choose Which One is Best for Your Organization
In terms of which framework is better, the answer depends on your business model and industry. For example, if you’re a contractor for critical infrastructure, CSF may help you align your cybersecurity program so that you’re speaking the same language as the government. And because it relates back to NIST standards, it’s easy for government agencies to understand what you’re doing with your cybersecurity program.
If you’re not a government contractor, CIS could be a better option because of its flexibility and specific guidance. For example, if you’re a small business and don’t have a lot of resources, you could establish your cybersecurity program by implementing the controls for IG 1. There’s no guesswork about what you need to do; you apply the requirements as a checklist.
Some organizations may see the benefits of both frameworks and may not be sure which is a better fit. So could you use both? The answer is yes. That’s especially helpful if you’re using a resource such as Apptega’s Harmony tool, which can help you crosswalk your controls and frameworks against one another. You may find you already have practices in place for one framework that work effectively for another.
Implementing both NIST CSF and CIS v8 may help you identify and remediate gaps in areas one framework misses but the other covers. This is another way to improve your cybersecurity program’s maturity and effectiveness.
The reality is that no framework can be counted on to provide 100% coverage for every risk. There’s nothing stopping you from cross-walking multiple frameworks for added security confidence.
Another benefit of Apptega here is that it provides a central repository so you can keep up with everything you need, even as your frameworks overlap and evolve. It enables you to crosswalk those existing controls, but also add new controls so you always have instant insight into how you’re meeting your framework and control objectives. This is something critically important to program success, but can easily be overlooked if you’re managing your program manually, for example, through spreadsheets or word processing documents.
Where to Begin
If you don’t have a cybersecurity framework in place and you aren’t sure which is the best for your organization, it’s helpful to start with a closer look at your business strategy and objectives.
From there, develop a cybersecurity strategy that aligns your IT goals with your organizational goals, one that helps identify exactly what you want to accomplish. With this insight, you can better choose a framework that aligns with those common goals.
Unfortunately, many organizations don’t have the time or resources to do this. That’s why it may be helpful to work with a third party that can help you work through this critical process.
Remember, it’s rare to find a framework that meets all of your objectives. At the same time, not all objectives can align with a framework. When this happens, your beginning may very well just be establishing the foundation of your program. From there, you can work with the frameworks to apply additional controls and fill identified gaps.
Another important step to get you off the ground adopting and implementing a cybersecurity program is the understanding across your organization that cybersecurity is no longer an IT-only issue. It’s a business issue with actual business impact. That impact isn’t just in terms of finances, but also may affect your organization’s ability to operate. It can affect how you function, so you need to adopt a framework that supports your critical operations now and also as you scale.
Other Frameworks
While NIST CSF and CIS v8 are both popular and industry-recognized best practices, there are other frameworks that your organization may need to consider.
For example, ISO 27001 is widely accepted and recognized, especially by international organizations. It’s a great framework for global organizations to consider.
There are other frameworks that are either data-type or industry-specific that may be applicable to your organization or, in some cases, you may be required to meet the compliance specifications of those frameworks.
For example, if your organization handles credit card data, you might be subject to PCI DSS standards. Or, if your organization accesses personal health information (PHI), you may need to adopt a HIPAA framework to ensure compliance.
CSF, CIS, and ISO are among the most well-known, as compared to more data- or industry-specific standards.
Most organizations have multiple frameworks and standards they must comply with. In many instances, these are derivatives of CSF, CIS, or ISO.
If you’re unsure of which frameworks you’re mandated to adopt based on your organization’s line of business, contact an Apptega advisor today. We’ll be happy to help. Or, consider stopping by Apptega’s CyberXchange Marketplace to connect directly to framework-specific resources and tools.
Risks of Not Adopting A Framework
Some organizations ask if it’s OK to create their own framework. The answer is, yes. You can and some organizations do. You don’t have to adopt one framework. Instead, you can develop a common control framework by choosing applicable controls from a range of established frameworks.
However, you may want to approach this with some caution. That’s because when you don’t have a standard framework to work from, your processes may become incredibly ad hoc and inconsistent. When this happens, program direction may require a lot of additional guidance or support that’s not readily available. It could make it more difficult for others to know how to apply your framework consistently across the enterprise.
In a recent Apptega webinar, we asked attendees which framework(s) their organization is currently following and discovered:
- 47% - NIST CSF
- 35% - CIS v8
- 15% - ISO 27001
- 18% - No framework
- 15% - Others
Developing your own framework is often more maintenance-driven, requiring more resources than you might initially anticipate. It also prevents you from measuring your program against existing standards to identify security weaknesses and mature your security posture over time.
In general, universal frameworks are more comprehensive. They’ve been tested and adopted, with the goal of covering the full range of risks, A to Z. Some components could be missing, but these established frameworks are constantly evolving. If you’re using a custom framework instead, you could fall short on coverage when your enterprise evolves. For example, if you built your framework around your existing on-premises assets, what happens when you move to the cloud or adopt a hybrid work environment?
Most industry-recognized frameworks today are environment agnostic and can be applied across a variety of environments. They also often closely align with what’s seen in the evolving marketplace.
While there are some risks associated with custom frameworks, remember the greatest risk for your organization is not following any framework at all. Without the support of a best practice framework, you may not know about all the risks that need your attention. You may know about risks from a high level—that confidentiality, integrity, and availability perspective—but your attack surface will keep expanding. You’ll routinely encounter new exposures, not just internally within your organization, but throughout your supply chain as well. A growing number of successful cyber breaches today originate within the supply chain.
Many organizations that have custom frameworks are seeing the extra burden they create, and most will eventually choose to shift to a core framework such as NIST CSF or CIS v8 and stick with it.
Do you need help identifying your critical assets and core functions and aligning your cybersecurity practices to your business needs? Contact an Apptega advisor and we’ll be happy to help or check out a demo of Apptega to learn more about how it can help you simplify framework management, regardless of which—or how many—your organization uses today and as you scale.