Frameworks give cybersecurity leaders an industry-approved frame of reference!


A structured approach is essential to any undertaking, especially a highly complex one. When building a home, a buyer expects a blueprint that shows the structure of the house and the facilities that make it livable. Why not take the same approach when designing security for your organization? 


I have a mentor that consistently says cyber without standards is like a footballer trying to score by running from sideline to sideline. 


Could you imagine Neymar doing such a thing? Nope! He aims to score, and so should you! 


This write-up examines cybersecurity frameworks and their utility when developing or improving a security program. I view them as a map toward adequate security, and no one starts a journey without a destination in mind! 


What is a Cybersecurity Framework? 


Let's start by defining the term framework: 


In software engineering, a framework is defined as: 


An abstraction that provides generic, reusable functionality, which developers extend or specialize with their own code to build a particular application or system. Abstraction, in turn, is the removal of implementation detail to produce a generalization that simplifies a design. 


That was a mouthful, but it had to be said! Now we can move on to what makes sense! 


Cybersecurity frameworks provide guiding principles for security architecture and program design. As an example: 


The NIST Cybersecurity Framework (CSF) sets forth five core Functions that a security organization should perform. They are as follows: 


  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover 


As you can see, at a high level, these functions let anyone whose program is aligned to the NIST CSF communicate its main objectives in five words. (These are the Functions of CSF 1.1, current when this was written; CSF 2.0, published in 2024, adds a sixth, Govern.) 


What is The Importance of Following a Cybersecurity Framework? 


The most critical property of any framework is industry-wide acceptance. Consider the analogy many cyber professionals draw with open-source operating systems: ask them which operating system is the most secure and many will quickly answer a Linux-based one, and then point to its open-source nature, which lets a broad community of experts review, critique and improve it continuously. Whether or not that ranking is fair, the mechanism is the point: openness and wide adoption build trust. 


That broad acceptance, together with tailorability, is what makes frameworks so powerful, whether the framework governs an operating system, a data management system or a cybersecurity program! 


Another important reason for leveraging frameworks is that everyone involved speaks the same language when identifying the organization's needs. 


Let's look at one of my favorite examples related to communications!


Assess Program Maturity


As a Cyber Leader, you are tasked with assessing the maturity of the current program. Like the genius you are, you leverage the CMMI (Capability Maturity Model Integration) maturity levels, originally developed at Carnegie Mellon's Software Engineering Institute, as your scoring methodology for completeness. 


As a result, your company's cybersecurity group is rated at maturity Level 2, Managed. 


  • Level 2, Managed, is defined as: projects are planned, performed, measured, and controlled.


Managed can mean different things depending on the audience. The IT team could say: makes sense! We are getting our work done, so there are no issues whatsoever. Executive leadership, in contrast, might read a rating of Managed as: the work is getting done, but there are areas where current processes could gain efficiencies. 


In this case, executive leadership would be precisely correct. Why? Because the next level of maturity, Level 3, Defined, is described as: 


Having organization-wide standards that guide projects, programs, and portfolios. 


The final and most crucial reason for leveraging cyber frameworks while developing your program is the need to establish Cybersecurity Governance. You might be a rebel with a cause like me, but I'm sure you will agree that governing structures are essential to any organization, especially those deployed with the express intent to protect. 


Imagine your country without a government! As bad as you may think the country is, it would be a million times worse without a government maintaining some semblance of order! 


Let's define IT Governance before we move forward, and before you get all uptight, run a command to replace IT with Cyber: 


For reference (note the trailing g flag: without it sed replaces only the first IT on the line, and the second one would survive): 

23rdEnigMa@cystratergy$: echo "The IT Governance definition is the same as IT Governance" | sed 's/IT/Cyber/g' 
The Cyber Governance definition is the same as Cyber Governance 


IT Governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.


What is the point of having rules developed to protect the organization if no group is tasked with enforcing those ideals? 


There isn't any! 


By leveraging a framework, an organization's leadership has a metric by which it can tally the performance of its mandates. The governing body also eliminates 'Security through Obscurity' in the program sense, an unmeasured program whose effectiveness nobody can actually show, an unsightly plague that has brought many an enterprise to its knees! 


Why are Frameworks and Standards Avoided?


I believe that I have already alluded to why frameworks are so consistently discounted, but I don't mind going into it again.


Frameworks make any exercise measurable, even the so-called complex area of cybersecurity. With them, an organization can estimate its inherent risk with real confidence. Measurement, of course, brings accountability, and that is exactly what some organizations would rather avoid. 


You might be thinking he speaks so confidently regarding this, like he is sure. Well, I am! 


Keep in mind that the framework is not intended to prescribe specific security measures. This is mainly because organizations differ, and so does the technology they use to provide products and services to the public. 


Let's use a subcategory from the NIST Cybersecurity Framework as an example: 


ID.AM-3 (Identify > Asset Management, subcategory 3): Organizational communication and data flows are mapped. 


Quick question: does your organization have a boundary diagram illustrating its connections to external information systems? 


If the answer is "we have some," then you have some: the capability is partial. If the answer is "yes, we have detailed them all," your organization is a rockstar. If the answer is "we have none," then this capability is non-existent within your organization. 


What can be inferred from these answers? Let's cover just partial and non-existent, as they are the most common states: 


Partial: your organization is only partially aware of the flow of information outside its boundary, which means it has only partial control of its data, critical or noncritical. 


Non-existent: your company has not identified where its information systems interconnect with external ones, so it cannot demonstrate any control over data exiting its boundary, critical or noncritical. 


Does this control matter? Whether the control matters is a topic for another day, but it should be clear that the framework gives any company a frame of reference regarding protections for data exiting its domain! 
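To make the three answers above concrete, here is an added example, mine and not from the original post, that scores ID.AM-3 by reconciling a documented data-flow map against the egress connections actually observed at the boundary. The documented flows, the internal address ranges and the firewall log lines are all constructed for illustration, and the log format is a simplified hypothetical syslog-style line, not any vendor's real format.

```python
"""Added example (not from the original post): score NIST CSF ID.AM-3,
"organizational communication and data flows are mapped", by reconciling a
documented data-flow map against egress flows observed at the boundary.

Everything below is constructed for illustration. The firewall log format is a
simplified, hypothetical syslog-style line, not any vendor's real format.
"""
import ipaddress
import re
from collections import Counter

# Constructed data-flow map: (source host, external destination, dest port).
DOCUMENTED_FLOWS = {
    ("crm-app-01", "203.0.113.10", 443),   # CRM -> payment processor API
    ("mail-01", "198.51.100.25", 25),      # SMTP relay to mail provider
}

# Constructed internal address space; adjust to the real network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed, hypothetical firewall log lines (one egress decision per line).
FIREWALL_LOG = """\
2022-04-17T10:01:02Z fw01 ALLOW src=crm-app-01 dst=203.0.113.10 dport=443 proto=tcp
2022-04-17T10:01:05Z fw01 ALLOW src=mail-01 dst=198.51.100.25 dport=25 proto=tcp
2022-04-17T10:02:11Z fw01 ALLOW src=hr-db-02 dst=203.0.113.77 dport=443 proto=tcp
2022-04-17T10:02:40Z fw01 ALLOW src=hr-db-02 dst=203.0.113.77 dport=443 proto=tcp
2022-04-17T10:03:01Z fw01 ALLOW src=build-01 dst=192.168.5.20 dport=22 proto=tcp
2022-04-17T10:03:09Z fw01 DENY  src=kiosk-03 dst=198.51.100.9 dport=23 proto=tcp
"""

LOG_RE = re.compile(
    r"(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)"
)


def is_external(dst: str) -> bool:
    """True when dst lies outside the internal address space.

    A destination that is not an IP literal (e.g. a hostname) cannot be placed
    inside INTERNAL_NETS, so it is treated as external and surfaces for review.
    """
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def observed_egress(log_text: str) -> Counter:
    """Count ALLOWed flows whose destination is outside the boundary."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "ALLOW":
            continue  # unparsable or denied: nothing left the boundary
        if is_external(m["dst"]):
            flows[(m["src"], m["dst"], int(m["port"]))] += 1
    return flows


def assess_id_am_3(documented: set, observed: Counter) -> dict:
    """Rate ID.AM-3 coverage for the observed window.

    complete      every observed egress flow is in the map
    partial       some observed flows are mapped, some are not
    non-existent  egress was observed but none of it is mapped
    """
    seen = set(observed)
    mapped = seen & documented
    unmapped = seen - documented
    stale = documented - seen          # mapped, but not seen in this window
    if not seen:
        state = "no-egress-observed"
    elif not mapped:
        state = "non-existent"
    elif unmapped:
        state = "partial"
    else:
        state = "complete"
    return {
        "state": state,
        "coverage": len(mapped) / len(seen) if seen else 0.0,
        "mapped": sorted(mapped),
        "unmapped": sorted(unmapped),   # flows to add to the map, or to block
        "stale": sorted(stale),
    }


if __name__ == "__main__":
    result = assess_id_am_3(DOCUMENTED_FLOWS, observed_egress(FIREWALL_LOG))
    print(f"ID.AM-3 state: {result['state']} "
          f"({result['coverage']:.0%} of observed egress mapped)")
    for flow in result["unmapped"]:
        print("  unmapped egress:", flow)
    for flow in result["stale"]:
        print("  stale map entry:", flow)
```

On the constructed data the result is "partial": two of the three observed external flows are in the map, and hr-db-02 talking to 203.0.113.77 on 443 is not, which is exactly the "we have some" answer above. The stale bucket is the other half of the check: a map listing flows that no longer exist misleads just as much as one that misses flows, so both lists should go back to the asset owners.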


Conclusion: 


Frameworks bolster cybersecurity programs by giving them structure and a common vernacular, and by providing methods for measuring success and failure. Without them, cybersecurity organizations almost always revert to a security-by-obscurity methodology, which fails to communicate value to their business stakeholders. 


I'd love to hear your thoughts on the topic! What is your favorite framework? Do you think they suck? If so, why? 


Till next time, remember to offer cyber solutions that put business First! 


By Gideon Israel April 17, 2022