Cybersecurity professionals often face the curse of knowledge: understanding so much about cybersecurity that it is difficult to communicate about it in simple terms to those outside the field. But cybersecurity frameworks can make it easier for everyone in the business to understand, comprehend, and communicate about security, Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, said in a Wednesday session at RSA 2019.
The problem with common security frameworks is that they often come as long PDFs that can lead to more confusion, Kim said. To make cybersecurity frameworks easier to understand, he separated them into three categories: control frameworks, program frameworks, and risk frameworks.
Kim used the analogy of a person becoming a chef to describe each of these frameworks. Before a chef starts to cook, they must build a list of ingredients for their food: the control framework. Then, they need to determine the recipe that assembles those ingredients into a meal: the program framework. Finally, they need to figure out where they are going to serve that meal, in terms of what their customers want from a restaurant experience: the risk framework.
Here are the three types of security frameworks, explained:
1. Control frameworks
Examples: NIST SP 800-53; CIS Controls (CSC)
Often, when a security professional enters a new environment to build and manage a team, they are dealing with an organization that is relatively immature from an IT and security perspective, Kim said. In those cases, they want to determine the basic set of controls to implement.
Cybersecurity professionals use control frameworks to do the following, according to Kim:
- Identify a baseline set of controls
- Assess the state of technical capabilities
- Prioritize the implementation of controls
- Develop an initial roadmap for the security team
NIST SP 800-53 is a comprehensive catalog of security and privacy controls, from which controls can be selected based on priority or on the security control baselines (low impact, moderate impact, or high impact). The Center for Internet Security (CIS), meanwhile, publishes the CIS Controls, a prioritized set of 20 critical security controls that the US Department of State uses, Kim said.
2. Program frameworks
Examples: ISO 27001; NIST CSF
Cybersecurity professionals use a program framework to do the following, according to Kim:
- Assess the state of the overall security program
- Build a comprehensive security program
- Measure maturity and conduct industry comparisons
- Simplify communications with business leaders
The ISO 27000 series is a family of standards all related to information security, Kim said. ISO 27001 specifies the requirements for an information security management system (ISMS), and defines the areas of focus in building a security program, including organizational context, leadership, planning, support, documentation, operation, performance evaluation, and improvement, he added.
The NIST Cybersecurity Framework (CSF) is organized around five functions: Identify, Protect, Detect, Respond, and Recover, Kim said. It is made up of three parts (the Core, Implementation Tiers, and Profiles) and defines a common language for managing risk. This helps organizations ask "What are we doing today? How are we doing? Where do we want to go? When do we want to get there?", Kim said.
Control and program frameworks can be used together and support each other, and mapping connects them together, Kim said.
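The mapping Kim describes is what lets control-level status roll up into program-level answers. The following Python example, added here and not part of Kim's talk or any NIST material, shows the two uses at once: picking the required controls for an SP 800-53 impact baseline and listing the gaps in priority order (the control-framework use), then walking a CSF-to-800-53 crosswalk so that the same control inventory yields per-function CSF coverage (the mapping use). The catalog, the baseline assignments, the crosswalk entries, and the implemented-control inventory are a small constructed subset for illustration, loosely modeled on the CSF 1.1 informative references; they are not a complete or authoritative crosswalk.

```python
"""Gap analysis tying a control framework (SP 800-53-style catalog with
impact baselines) to a program framework (NIST CSF functions) via a crosswalk.

Added illustration. CATALOG, CROSSWALK and the sample inventory are a
constructed subset for demonstration, not an authoritative mapping.
"""
from collections import defaultdict

# Baseline order follows SP 800-53: low is a subset of moderate, moderate of high.
BASELINE_RANK = {"low": 0, "moderate": 1, "high": 2}

# Constructed catalog: control id -> lowest baseline that requires it.
CATALOG = {
    "AC-2": "low",
    "AC-2(1)": "moderate",
    "AU-12": "low",
    "CA-7": "low",
    "CM-8": "low",
    "IA-2": "low",
    "IA-5": "low",
    "PM-5": "low",        # assumed placement for the example
    "SC-7": "low",
    "SI-4": "low",
    "SI-4(4)": "moderate",  # assumed placement for the example
}

# Constructed crosswalk: CSF subcategory -> 800-53 controls that implement it.
CROSSWALK = {
    "ID.AM-1": ["CM-8", "PM-5"],
    "PR.AC-1": ["AC-2", "IA-2", "IA-5"],
    "DE.CM-1": ["AC-2", "AU-12", "CA-7", "SC-7", "SI-4"],
}


def required_controls(target_baseline):
    """Controls an organization at `target_baseline` must implement."""
    rank = BASELINE_RANK[target_baseline]
    return {c for c, b in CATALOG.items() if BASELINE_RANK[b] <= rank}


def control_gaps(target_baseline, implemented):
    """Required-but-missing controls, ordered so that low-baseline items come
    first: they are the foundation the higher baselines build on, which is the
    prioritization an immature program wants."""
    missing = required_controls(target_baseline) - set(implemented)
    return sorted(missing, key=lambda c: (BASELINE_RANK[CATALOG[c]], c))


def csf_coverage(implemented):
    """Per CSF function (ID, PR, DE, ...), the fraction of mapped controls that
    are implemented. This is the roll-up from control status to program status
    that the crosswalk makes possible."""
    have = set(implemented)
    totals = defaultdict(lambda: [0, 0])  # function -> [implemented, mapped]
    for subcat, controls in CROSSWALK.items():
        function = subcat.split(".")[0]
        for c in controls:
            totals[function][1] += 1
            if c in have:
                totals[function][0] += 1
    return {f: round(done / total, 2) for f, (done, total) in totals.items()}


if __name__ == "__main__":
    inventory = ["AC-2", "IA-2", "CM-8", "AU-12"]  # constructed sample inventory
    print("gaps to moderate baseline:", control_gaps("moderate", inventory))
    print("CSF coverage by function:", csf_coverage(inventory))
```

Running the sample reports seven gaps for the moderate baseline, with the five low-baseline controls listed ahead of the two moderate-only enhancements, and CSF coverage of 0.5 for Identify, 0.67 for Protect, and 0.4 for Detect. The same inventory answers both "which controls do we implement next?" and "how are we doing against the program framework?", which is the point of maintaining the mapping.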
3. Risk frameworks
Examples: NIST SP 800-39, 800-37, 800-30; ISO 27005; FAIR
Risk frameworks allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities, Kim said.
Cybersecurity professionals use risk frameworks to do the following, according to Kim:
- Define key process steps for assessing and managing risk
- Structure the risk management program
- Identify, measure, and quantify risk
- Prioritize security activities
NIST offers three well-known risk-related frameworks: NIST SP 800-39 (defines the overall risk management process), NIST SP 800-37 (the Risk Management Framework for federal information systems), and NIST SP 800-30 (the risk assessment process). ISO 27005 defines a systematic approach to managing risk for an organization, while FAIR (Factor Analysis of Information Risk) is an international standard supported by two organizations, Kim said.
Getting started with a cybersecurity framework
Businesses can take the following steps to begin figuring out the right security framework, Kim said:
- Immediately: Identify the security frameworks you are already using in your organization
- Within three months: Determine how those frameworks complement each other's strengths and how they map to one another to meet compliance and regulatory goals
- Within six months: Update your security program plan to leverage each of the three frameworks, and socialize the plan with technical, operations, and executive leaders.
“As you mature your security program, you can choose one or more frameworks from each category to work together to improve the state of your overall security activities,” Kim said.