Align to a Framework: Plan a Cybersecurity Roadmap's Route


Map Your Route Step 2  Align to a Framework
In a previous blog post, Tony Sager explained how knowing your needs helps you get packing for a cybersecurity roadmap. This is essential whether you’re creating a roadmap for your organization and/or whether you’re working with your clients to meet their needs.

Once you have an idea of where you are, you can plan the route for where you want to go. A security framework is invaluable for this type of work. In this blog, I will discuss what you stand to gain from aligning your cybersecurity roadmap to a security framework. I also explain how the Center for Internet Security (CIS) can help you at this stage.

Quote from Sean Atkinson CIS Chief Information Security Officer

The Value of Using a Framework

Just so we’re clear, a framework is a well-traveled roadmap. Based on its construction, it can simply be a guide along your cybersecurity roadmap or define the route to be traveled. Some common examples include the Payment Card Industry’s Data Security Standard (PCI DSS), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and the European Union’s General Data Protection Regulation (GDPR). Our security best practices map to all these and many more, as is evident in the image below.

This chart describes the frameworks provided with CIS Controls Mapping

The advantage of aligning your or your customer’s cybersecurity roadmap to a security framework is defining a route to follow using established security best practices. Think of it as referencing guideposts along your cybersecurity journey. They make it easier to reach a secure destination.

It follows that not using a framework to plan out your cybersecurity roadmap can be difficult. The challenge of doing this without a framework is twofold: one, where to start; and two, what to include.

From a starting perspective, a good set of controls may include an implementation guide or provide a best practices document. A number of organizations provide these; other supporting organizations will also contribute in this space. From an inclusion standpoint, this can be very context-dependent for a respective organization, but generally, a set of security best practices from CIS or NIST provide a comprehensive plan that can be applied across multiple industries and businesses.

Without a security framework, you deprive yourself of learning from and applying this group experience to your individual case. Many other organizations are going through the same process you’re going through. This is especially apparent if you’re a consultant. Using their example, you can streamline your own journey so that you avoid certain potholes and smooth out what you can.

Exercising Care When Using a Framework

If you decide to align your cybersecurity roadmap to a security framework, it’s important to keep in mind certain considerations.

The first is applicability to the organization’s mission. Cybersecurity is a business risk and should be seen as such throughout an organization. With this in mind, the management of security controls is context-rich. It’s a process of managing threats and mitigating risks when applying both a best practice and an achievable level of control.

The caveat to this pervious statement is “achievable.” It should be contextualized with respect to the risk an organization faces and the level of control implemented to mitigate the risk.

It also behooves us to think about how much control is needed to manage a risk appropriately. Too much control may inhibit business. This may get us into a situation where we’re dealing with a phenomenon Tony calls the “Fog of More." We’re over-burdened by security tools and technologies such that our ability to manage threats and mitigate risks begins to suffer. On the other hand, too little control may give a false sense of security. We need the right balance.

The Need for Robust Security Frameworks

Given the challenges discussed above, it’s important that you use a robust framework for planning the cybersecurity roadmap's route for yourself or helping your customers come up with a roadmap that works for them. Not all security frameworks are created equally, after all.

Specifically, you can look to the CIS Critical Security Controls (CIS Controls) Navigator and the CIS Community Defense Model (CDM) v2.0. They both use a consensus-based and operational focused-approach that provides actionable controls for organizations to follow.

When introducing CDM v2.0, for instance, Implementation Group 1 (IG1) of the CIS Controls provides the short-term stops on the roadmap for implementation. Aligned with the context of CDM v2.0, organizations can now utilize prioritization of the IG1 Controls based on identified attack patterns against organizations in the same or close to the same industry vertical. What happens is you get to implement Controls in a way that effectively reduces your exposure to common threats.

Here's more information on how you can use the CDM to design a cyber defense program.


Meanwhile, the Controls Navigator helps organizations visualize how the CIS Controls map to other security frameworks. In that way, they can use the CIS Controls to decide how best to align their cybersecurity roadmap to a framework.

The CIS Controls, the CIS Controls Navigator, and the CDM are available at no cost to users everywhere. But there’s even more you can do with the CIS Controls via a CIS SecureSuite Membership. It comes with benefits, tools, and resources that you can use to prioritize and track your implementation of our security best practices. This helps you go deeper with your cybersecurity roadmap, all while saving time and effort.

Now through April 30, you can save up to 20% on a new CIS SecureSuite Membership using promo code CYBER2023. Check out our promo terms to learn more.

Simplify Your Use of a Framework

By using a security framework, you can plan out the route for your cybersecurity roadmap according to guideposts that others before you have set. In the process, you’ll be able to make meaningful progress when it comes time to begin implementing your roadmap. Tony will talk about this in our next blog post.

Remember that CIS SecureSuite gives you benefits, resources, and tools to make it even easier for you to make use of a security framework.

Sean Atkinson
Chief Information Security Officer

Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.

Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.

Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.

In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.