For those of you who are just joining us, I’m retired Marine and security expert Scot Hutton and I’ve been invited by my friends at SolCyber to write a blog series on security that matters. So far, I’ve covered why ransomware has forever changed the security landscape for small and mid-sized businesses (SMEs) and explained why now is the time for SMEs to invest in cybersecurity. In this post, I’ll cover security frameworks and why in many cases, they don’t work for SMEs.
When SMEs first attempt to mature their security posture, they often turn to security frameworks. While these frameworks can be effective (when implemented correctly), they are often not the answer for SMEs that need to change their security posture fast. I’ve seen many IT professionals and business owners become frustrated after investing in a framework and realizing they’ve spent a lot of time and money on initiatives that haven’t really moved the needle. And I’m hoping that through this blog post, I can help you avoid that same frustration—because there is an easier way of doing things.
What are security frameworks?
Security frameworks are sets of standards and defined processes that businesses use to implement and manage security controls and minimize their cybersecurity risk. These frameworks are often written by a government body or a leading security company and shared broadly with businesses large and small. A few examples of security frameworks include PCI DSS, HIPAA, ISO and NIST.
Where security frameworks fall short
While security frameworks can be effective tools, they aren’t always right for SMEs. Here are just a few reasons why SMEs should consider skipping frameworks in favor of outsourcing their security efforts and focusing on security that matters.
1. Frameworks take too long to implement
Most security frameworks take several years—sometimes up to half a decade—to implement fully. That is far too long. Attacks are happening daily, and you need protection now. While it’s great to have a long-term plan to improve your security posture over time, you need foundational coverage right away, so your business is protected if it gets hit with malware or ransomware.
2. Too much time is wasted in the audit stage
Most frameworks start with an audit to better understand your risk profile. While it’s great to understand where you’re most at risk, you don’t necessarily need to complete a three-month audit if you’re just getting started in security.
Most businesses, regardless of size or the tools they’re using, share the same basic set of risks, and there are a few standard tools every business needs to protect against those risks. This is your foundational coverage. For instance, you don’t need to conduct an analysis to know that you need endpoint detection. Trust me, you need it. And not just traditional antivirus, but a newer solution that prevents security events and helps you detect and respond to them.
Once you have the basics covered, you can work with your security team or security partner to assess risks that are specific to your business and find the tools to provide additional coverage in those areas. But until that point in time, there’s a lot you can do to dramatically reduce your risk profile without even really understanding it.
3. Your security controls should be specific to your business
Because frameworks are standard processes, they can’t be specific to your business. Each framework has 10 to 20 domains, and they all claim you need to start with a different one. But that’s a pretty bold statement given that the writers of the framework don’t know your business or the systems and processes you’re using. One framework might claim you need to start at point A. But if that’s not an important part of how your company conducts business, it’s not the best place for you to start and it may not even be a necessary security control to put in place.
Many of these frameworks also have a prescribed order for how you should move through your security protocols. Though going from point A to point B and then on to point C might work for some companies, you might not need points A and B and should therefore jump ahead to point C. Perhaps your risk profile suggests that point C has a better “pay-off.” While you shouldn’t cut corners, you can save time, money and effort by focusing only on the security that matters most to your business. Typically, each domain will have 150-plus controls. Do you work through all 150 controls in domain A, then domain B? Maybe the best payoff is tackling five controls from domain C, eight from domain B and one from domain A.
4. Frameworks don’t account for overlapping tools
Even the best security tools haven’t caught up to humans—both in terms of the intelligence of attackers and the vulnerability of your employees. What this means is that you’ll never truly be risk-free. Security protocols and technologies are meant to mitigate risk and help you get as close to zero risk as possible.
In order to properly protect your environment and accurately detect threats, you need overlapping layers of protection. In fact, you should be building out your security tech stack assuming that parts will fail. If you have overlapping controls, you’ll be covered even if one fails to detect a threat.
5. Money is often wasted fixing non-existent problems
Because frameworks force you to slowly work your way through security protocols you may or may not need—and that process takes several years, leaving you vulnerable in the interim—you end up spending a lot of money on changes that ultimately don’t alter your risk profile. This, understandably, results in a lot of frustration on the part of leadership and may even discourage a future focus on security. This is the worst position to be in.
Instead of trudging through the steps of a security framework, it’s often best to partner with an MSSP (managed security service provider), who can help you make changes fast and focus on the tools and technologies that will make an impact. This is what I like to call “security that matters.” By focusing on security that matters, you can save a ton of time, money and frustration.
Solution: hire an expert
Frameworks are extremely involved and open to interpretation. It takes decades of hands-on security experience to be able to skip the framework, go into an organization and deliver an impactful security strategy. You need to partner with experts who can quickly help you identify where you need coverage—and where you don’t—so you can invest in the security that matters most to your business.
Check back soon for other articles to learn more about which tools provide the security that matters. In the meantime, the SolCyber team is always on hand for a chat, so feel free to reach out to them.
- What is a security framework? A security framework is a set of guidelines, best practices, and processes that organizations can use to improve their cybersecurity posture.
- How can a security framework help my organization? Essentially, a security framework will help your organization be more secure in the face of cybercrime, threats, attacks, and vulnerabilities, by updating existing security protocols and adding new security layers to the existing ones.
- Is a security framework expensive? Security frameworks aren't cheap, but the total cost of implementing one depends on the type of security framework you need to implement, as well as your own business specifics. Some frameworks are designed to work with any budget but for optimal implementation and cybersecurity, companies may have to invest in services and technologies. For instance, a security risk assessment for NIST 800-53 and NIST 800-171 compliance standards can start at $10,000 to $15,000.
- What are some examples of a security framework? Some examples of a security framework include:
  - NIST 800-53
  - ISO 27001
  - COBIT 5
  - PCI DSS
  - Sarbanes-Oxley (SOX)
  - CIS Critical Security Controls (CSC)
- Is a security framework worth implementing? Yes. Implementing a security framework is beneficial if you are a large enterprise or government organization.
- How can my organization use a security framework? Some of the main ways your organization can use a security framework include:
  - Use it as a baseline for your current security posture
  - Use it to identify gaps in your current security posture
  - Use it to build and improve upon your existing security posture