The Allinial Global Firm Tech Community held a “debate” at its July meeting asking this exact question.
Three panelists, each presenting a security framework, shared information about their framework and what differentiated it from the others during this fun and informative meeting. Matt Huff, CISSP, Chief Information Officer & Senior Information Security Architecture and Assurance Advisor at Tanner LLC, represented the ISO 27001 framework and moderated the panel. John Prost, Director of IT at Wipfli LLP, represented the CIS framework. Pete Rife, CISSP, CISA, CDPSE, Director of Technology Risk & Assurance Practice at Holbrook & Manter, Inc., represented the NIST framework.
Differentiated Aspects of Each Framework
When asked if their particular framework was a good fit, each person shared the following points.
- CIS (Prost): CIS is a good starting point for smaller companies or those just starting out. There are only 18 controls to work with, and they include 153 underlying safeguards to help reduce risk in a lot of areas. It’s also refreshed often, so it’s the most up-to-date against current threats. There is also a free controls assessment tool to help people get started. CIS provides a mapping to NIST, so it’s easy to cross-reference the two.
- NIST (Rife): NIST is well organized and is a pretty exhaustive list because it was originally created to help protect the critical infrastructure in the US. However, since then it has been generalized and also widely adopted.
- ISO (Huff): ISO has international considerations built into it, and it is also industry agnostic. It isn’t as controls-based as NIST or CIS, but rather is more focused on a system of management over the cybersecurity area. ISO isn’t super prescriptive and has a focus on risk assessment and mitigation—which is important because a company needs to understand its risk profile. One drawback is that ISO isn’t updated as frequently (the last update was in 2013, but a new version is expected soon), so you would probably need to use it in conjunction with NIST or CIS. You also have to pay to obtain a license for the PDF describing the standard.
Using a Framework to Improve What You’re Already Doing
If you’re not already using a framework, the panelists agreed that you should consider adopting one to help improve what you’re already doing. They said that the frameworks provide a good checklist to ensure that you’re addressing a holistic picture of cybersecurity. Other tips provided by the panelists include:
- Rife: Remember that cybersecurity is not a destination; it’s a journey. You will never stop improving, but continually seek to improve what you’re doing.
- Prost: Ensure you have buy-in from the leaders of the company on how you plan to implement the framework and its associated controls and impact on end users.
- Huff (responding to Prost’s comment): Be careful of creating an “us” (IT team) versus “them” (management) mentality. IT’s job is to help management understand the risks and how the controls mitigate the risks, and then have management determine the acceptable level of risks (risk tolerance or appetite).
- Huff: Keep in mind that you have to assess risk and reduce risk to an acceptable level. You can’t eliminate IT risk—the only way to do that is to unplug all the computers and go outside.
Cybersecurity Framework Versus Cybersecurity Program
The panelists clarified that a cybersecurity framework is used as part of a cybersecurity program. The cybersecurity program encompasses all of the governance, policies, controls (design, procedures, and execution, etc.), monitoring activities, and continual improvement to the program. As the panelists continued the “debate,” they shared additional tips and differentiators around these questions relating to cybersecurity programs:
- What are the benefits to having a cybersecurity program, and why should you have one?
- How formalized should the cybersecurity program be?
- What are the most important keys to creating a successful cybersecurity program?
For access to the full recording, Allinial Global members should visit the Firm Tech Community on AGConnect. We look forward to exploring other hot topics and challenges in the community’s monthly meetings and at the upcoming Firm Technology Workshop. Hope to see you there!