Align to a Framework: Plan a Cybersecurity Roadmap's Route

 


In a previous blog post, Tony Sager explained how knowing your needs helps you get packing for a cybersecurity roadmap. This is essential whether you’re creating a roadmap for your organization or working with your clients to meet the needs of their business and industry.

 

Once you have an idea of where you are, you can plan the route for where you want to go. A security framework is invaluable for this type of work. In this blog, I will discuss what you stand to gain from aligning your cybersecurity roadmap to a security framework. I also explain how the Center for Internet Security® (CIS®) can help you at this stage.

 


The Value of Using a Framework

Just so we’re clear, a framework is a well-traveled roadmap. Based on its construction, it can simply be a guide along your cybersecurity roadmap, or it can define the route for you to travel based on the unique threats and vulnerabilities confronting organizations in a particular industry. Some common examples include the Payment Card Industry’s Data Security Standard (PCI DSS) v4.0, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) v2, and the Health Insurance Portability and Accountability Act (HIPAA).

Our security best practices map to and/or are referenced by all these and many more, as shown in the image below.

This chart describes the frameworks provided with CIS Controls Mapping

The advantage of aligning your or your customer’s cybersecurity roadmap to a security framework is defining a route to follow using established security best practices. Think of it as referencing guideposts along your cybersecurity journey. They make it easier to reach a secure destination and fulfill your compliance objectives along the way.

It follows that planning out your cybersecurity roadmap without a framework can be difficult. The challenge is twofold: one, not knowing where to start; and two, not knowing what to include.

From a starting perspective, a good set of controls may include an implementation guide or provide a best practices document. A number of organizations provide these; other supporting organizations will also contribute in this space. From an inclusion standpoint, this can be very context-dependent for an organization, the data it stores, and the industry it's in, but generally, a set of security best practices from CIS or NIST provides a comprehensive plan that can be applied across multiple industries and businesses.

Without a security framework, you deprive yourself of learning from and applying this group experience to your individual case. Many other organizations are going through the same process you’re going through, especially if you belong to the same industry. This is also apparent if you’re a consultant. Using their example, you can streamline your own journey so that you avoid certain potholes, smooth out what you can, and consider pertinent regulations when conducting risk assessments and implementing security controls.

Exercising Care When Using a Framework

If you decide to align your cybersecurity roadmap to a security framework, you need to keep in mind certain considerations.

The first is applicability to your organization’s mission. Cybersecurity is a business risk and should be seen as such throughout your organization. With this in mind, the management of security controls is context-rich. It’s a process of managing threats and mitigating risks when applying both a best practice and an achievable level of control.

The caveat to this previous statement is “achievable.” It should be contextualized with respect to the risk your organization faces and the level of control implemented to mitigate the risk.

It also behooves us to think about how much control is needed to manage a risk appropriately. Too much control may inhibit business. This may get us into a situation where we’re dealing with a phenomenon Tony calls the “Fog of More.” We’re over-burdened by security tools and technologies such that our ability to manage threats and mitigate risks begins to suffer. On the other hand, too little control may give a false sense of security. We need the right balance.

The Need for Robust Security Frameworks

Given the challenges discussed above, it’s important that you use a robust framework for planning the cybersecurity roadmap's route for yourself or helping your clients come up with a roadmap that works for them. Not all security frameworks are created equal, after all.

Specifically, you can look to the CIS Critical Security Controls® (CIS Controls®) Navigator and the CIS Community Defense Model (CDM) v2.0. They both use a consensus-based, operationally focused approach that provides actionable controls for your organization to follow.

When introducing CDM v2.0, for instance, Implementation Group 1 (IG1) of the CIS Controls provides the short-term stops on the roadmap for implementation. Aligned with the context of CDM v2.0, your organization can now prioritize the IG1 Safeguards based on identified attack patterns against organizations in the same or close to the same industry vertical. What happens is you get to implement Controls in a way that effectively reduces your exposure to common threats.

Here's more information on how you can use the CDM to design a cyber defense program.

 

Meanwhile, the Controls Navigator helps your organization visualize how the CIS Controls map to other security frameworks. In that way, you can use the CIS Controls to decide how best to align your cybersecurity roadmap to a framework that's relevant to your needs.

The CIS Controls, the CIS Controls Navigator, and the CDM are available at no cost to users everywhere. But there’s even more you can do with the CIS Controls via a CIS SecureSuite® Membership. It comes with benefits, tools, and resources that you can use to prioritize and track your implementation of our security best practices. This helps you go deeper with your cybersecurity roadmap, all while saving time and effort.

Simplify Your Use of a Framework

By using a security framework, you can plan out the route for your cybersecurity roadmap according to guideposts that others before you have set. In the process, you’ll be able to make meaningful progress when it comes time to implement your roadmap. Tony will talk about this in our next blog post.

Remember that CIS SecureSuite gives you benefits, resources, and tools to make it even easier for you to make use of a security framework.


Sean Atkinson
Chief Information Security Officer

Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.

Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) from 2007 to 2014; his last role and responsibility there was as the Internal Control, Risk and Information Security Manager.

Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.

In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.