From Facebook to Capital One, high-profile data breaches affecting hundreds of millions of people have become alarmingly commonplace. It should come as little surprise, then, that the United States is beginning to follow the lead of the European Union in creating laws to protect the sensitive consumer info that’s so often compromised in those breaches.
Such laws are just the latest incentive for businesses to implement a comprehensive data security program to ensure that they’re prepared in the event of a breach. And for organizations that may be behind the curve on this matter — which amounts to roughly 7 in 10 U.S. businesses, according to a 2017 survey — the best place to begin is with the implementation of a cybersecurity framework (CSF).
Yet choosing the right cybersecurity framework is no small task. The first step is to distinguish between CSFs that are comprehensive and those designed to achieve a specific objective. The latter category includes frameworks such as the HITRUST CSF, published by the Health Information Trust Alliance (HITRUST) for the healthcare sector, and the Cloud Security Alliance Cloud Controls Matrix (CCM), which is specific to cloud computing.
For most businesses, though — particularly those that are modest-sized or not operating in a highly regulated industry like healthcare or finance — it makes more sense to begin with a comprehensive framework. In fact, almost every industry-specific CSF is built on the foundation of a more comprehensive cybersecurity framework, adding sector-specific controls and mappings on top of it.
With that in mind, let’s take a look at the leading types of comprehensive cybersecurity frameworks, and how they stack up against one another.