From Facebook to Capital One, high-profile data breaches affecting hundreds of millions of people have become alarmingly commonplace. It should come as little surprise, then, that the United States is beginning to follow the lead of the European Union in creating laws to protect the sensitive consumer info that’s so often compromised in those breaches.
Such laws are just the latest incentive for businesses to implement a comprehensive data security program to ensure that they’re prepared in the event of a breach. And for organizations that may be behind the curve on this matter — which amounts to roughly 7 in 10 U.S. businesses, according to a 2017 survey — the best place to begin is with the implementation of a cybersecurity framework (CSF).
Yet choosing the right cybersecurity framework is no small task. The first step is to distinguish between CSFs that are comprehensive, and those that are designed to achieve a specific objective. The latter category includes such frameworks as the Health Information Trust Alliance (HITRUST), which is used in healthcare, and the Cloud Security Alliance Cloud Controls Matrix (CCM), specific to cloud computing.
For most businesses, though — particularly those that are modest sized, or not operating in a highly regulated industry like healthcare or finance — it makes more sense to begin with the first category. In fact, almost every industry-specific CSF is a hybrid built on the foundation of a more comprehensive cybersecurity framework.
With that in mind, let’s take a look at the leading types of comprehensive cybersecurity frameworks, and how they stack up against one another.
Comparing Comprehensive Cybersecurity Frameworks
NIST Cybersecurity Framework
Summary
Offering detailed guidance on everything from risk assessment and continuous monitoring to incidence response and awareness training, NIST is considered the gold standard of CSFs, offering not only a comprehensive plan for data protection and risk mitigation but also a methodology for limiting the impact of adverse events. It’s also available in a variety of different versions to meet the needs of various industries and areas of emphasis.
How It Stacks Up
Businesses using the NIST can be confident that they’re implementing a framework that’s not only flexible and customizable, but also regularly updated and government approved, leveraging the collective wisdom and unique insights of the nation’s federal resources. Moreover, NIST offers a simpler alternative through NIST.IR 7621r1, intended as a “crawl before you walk” cyber guideline that can be a good precursor to the more elaborate NIST family. Another bonus of the NIST is the vast library of resources available for those who use it.
Will It Work for Your Business?
NIST is designed to be adaptable to a wide variety of different needs and is regularly updated to meet the evolving needs of cybersecurity. Yet because it’s so comprehensive, some more modest-sized organizations may also find it intimidating in scope, and resource-intensive to keep up with, often requiring expert guidance for implementation.
ISO 27000 Cybersecurity Framework Series
Summary
Simultaneously broad in scope and comprehensive in detail, the cybersecurity standards of the ISO are designed to help organizations ensure a level of data privacy and confidentiality that not only helps them avoid prosecution, but also to maximize operational efficiencies through the reduction of vulnerability to disruptive attacks.
How It Stacks Up
The ISO series is a truly international framework, designed to accompany decades-old ISO standards for quality assurance in other areas like manufacturing (ISO 9000) and environmental protection (ISO 14000). Like NIST, the ISO series offers various subsets (i.e., ISO 27799, defining standards for healthcare), which could reduce the need for developing hybrid frameworks.
Will It Work for Your Business?
Because the EU has much stricter data protection standards than the U.S. (at least, so far), businesses that have any international operational footprint may be wise to consider using the ISO as a foundation when building their cybersecurity framework.
CIS® Cybersecurity Framework
Summary
With an emphasis on protecting against the most prevalent cyberattacks and mitigating the effects of breaches, the CIS model provides a straightforward framework of actionable defense mechanisms designed to ensure that appropriate personnel are accessing appropriate data and assets within an organization.
How It Stacks Up
Offering relative operational simplicity and an emphasis on protection and mitigation, the CIS is perhaps more focused than the NIST or ISO, yet no less reliable. (The NIST uses CIS standards in several of its data protection standards.)
Will It Work for Your Business?
Because it was designed by high-level IT professionals rather than regulators or administrators, the CIS framework is viewed by many as being the most practical CSF. In addition, its focus on defense and mitigation is valued by organizations with a need to quickly address risk and to develop resiliency against potential cyberattacks.
COBIT Cybersecurity Framework
Summary
The COBIT framework offers a tool for managers to assess risks and shore up weak spots from a big-picture perspective — in essence, it’s a more simplified CSF that’s designed to provide a means for ensuring data security while avoiding the wasted resources that come from organizational confusion and the duplication of efforts.
How It Stacks Up
Though not bearing the same clout as the ISO or NIST, the COBIT framework has a comparable legacy, dating back to 1996. Though it’s designed to be agile and efficient, COBIT has also been criticized for its simplicity, as well as a perceived tendency to cause stakeholder avoidance rather than nurturing the organization-wide embrace of accountability that cybersecurity requires.
Will It Work for Your Business?
Used globally, COBIT offers standards that are recognized by a number of international organizations, and can be used confidently by organizations across all industries. But more important than this may be its accessibility, with a design that strives to connect the on-the-ground realities of running a business with the goals of effective cybersecurity governance.
Which Cybersecurity Framework Is Best for Your Business?
For businesses that aren’t tech-savvy, learning more about cybersecurity frameworks can often be more confusing than enlightening. Even if you’re confident that you know where to begin, it’s still a good idea to seek expert assistance – attempting to implement a CSF without professional guidance is comparable to going to trial without the help of an attorney.
We can help provide the expertise you need to ensure that your cybersecurity efforts meet today’s regulatory and commercial demands. Contact us here to set up a complimentary consultation with an Omnistruct cybersecurity specialist.
Cybersecurity Definitions
It almost seems like you need to learn a new language when talking about protecting your organization from cyberattacks. Want to know what a Wi-Fi Pineapple is or need to learn more about the threats you and your business face? We have you covered. Learn all about hacking, phishing, malware, spyware, ransomware, scareware, and more.