Selecting the Right Security Framework

a roadmap for your journey

There are a number of frameworks worth your consideration, but which model is best for you? Let's walk through practical steps that will aid you on this journey.

1. Assess your needs and goals - You can't select a framework until you've documented your organization's goals, its risk tolerance (this is a big one), and the resources you actually have, which, in the current labor market, may be fewer than you'd like.

2. Understand industry regulations - This will weigh heavily on your decision. Simply put, you can't adopt a framework that doesn't address the regulations you're bound to. For example, if you're pursuing CMMC compliance, you'll become very familiar with NIST SP 800-171, since the CMMC practices map directly to it.

3. Evaluate available frameworks - There are several worthy frameworks to consider, such as the NIST Cybersecurity Framework, ISO/IEC 27001, and the CIS Controls. Compare the options and pick the one that aligns with your business goals.

4. Resource allocation and size - If you're a billion-dollar business, you naturally have more resources at your disposal than an SMB. That said, many organizations of every size run lean in the security department. If you're an SMB with a single IT resource, select a framework that is achievable with that resource, not one that assumes a dedicated security team.

5. Perform a risk assessment - Why would you select a framework BEFORE you understand your organization's risk? Even a simple assessment will identify the gaps a framework needs to close, which tells you which framework (and which controls within it) matter most.

6. Customization - Each business is unique in terms of the market it serves, its infrastructure, where its workforce sits, and the risks created by the data it handles. Select a framework that you can tailor to your needs rather than one that forces a single rigid control set.

7. Ease of implementation - Security isn't easy, and you'll make it harder if you fail to evaluate honestly whether your organization has the resources and capabilities to implement AND maintain a framework. Honesty is crucial here.

8. Include stakeholders - IT and security decisions can't be made in a bubble; decisions made in isolation produce shadow IT, which expands your attack surface. Security is the duty of the entire organization, so bring the business units in early.

9. Money - Security isn't cheap, but it's worth it. The average cost of a breach is measured in millions, and nobody wants to be featured on the news. That said, you must map your framework to your allocated budget, and that budget must cover both the cost of implementation and the ongoing cost of maintaining the controls.

10. Training and education - If your team doesn't have the skills to pull this off, you have to invest in training. You'll also need to plan for ongoing training, because the threats, the tooling, and the frameworks themselves keep changing. Security is not stagnant.

11. Continuous improvement - Choose a framework that encourages continuous improvement, with periodic reassessment built in, so that improvement becomes part of the fabric of your security culture rather than a one-time project.

12. Test drive - If you find yourself in a hole, stop digging. Not every organization will enter a pilot phase, but piloting the framework on a single business unit or system before an organization-wide rollout can reveal problems while they are still cheap to fix.

Selecting a framework can be an overwhelming task for organizations; that's why we're here to help. Our team of seasoned security veterans can perform an initial assessment and provide a roadmap to get you started. There are also a number of low- or no-cost steps you can take to improve your security posture, which is why we wrote this article to help you along the way.
