IT and security leaders are struggling to navigate the many security standards and guidelines available, to the point where they are unable to implement or comply with certain controls because the layered and comprehensive guidance is so hard to interpret.
We see these challenges firsthand, on a daily basis, among CISOs and their security teams across the board: small and large businesses, not-for-profits and government.
Currently, the Australian Government’s Information Security Management (ISM) regularly updates its data classifications, which adds a layer of complexity to achieving and maintaining compliance.
Backing up recent comments by DHS CISO Narelle Devine at the recent RSA Conference Unplugged, CISOs and security teams are constantly playing catch-up. The complexity of IT environments adds to the challenge: some requirements take months or years to complete, so the standards have often changed before compliance has been achieved.
Devine suggests that it’s necessary to “implement the things that are going to lower your risk”.
The key is to use security standards as a guide to reducing risk and improving security posture, based on the critical risks of your business. If that means adhering to an industry standard such as PCI DSS so that you can conduct business, then that is critical. But I don’t believe it’s practical or necessary for organisations to implement every guideline in the varied, complex and growing list of security standards.
Navigating Security Standards: Recommendations
In our experience, organisations tend to be swayed by regulatory or popular opinion when selecting a framework to align with. Instead, organisations should identify the most suitable framework (or blend of frameworks) within the realities of their business.
For example, for organisations that deal with a number of non-security compliance requirements, it would make sense to consider implementing the ISO 27001 information security standard.
Conversely, for organisations that have strong cybersecurity expectations (and not compliance requirements), the NIST Cybersecurity Framework provides a holistic, albeit shallow, overview of the entire cybersecurity spectrum.
In either case, the most sustainable answer to organisations’ increasingly complex entanglements with compliance is to consider cross-framework mapping.
Nearly all information security frameworks have some common controls, with others focusing on specific subdomains. Common controls across multiple frameworks include:
- Access Control
- Asset Management
- Risk Management
- Cybersecurity Incident Management
- Disaster Recovery
By creating a cross-framework mapping against their existing security framework, organisations are empowered to respond to any particular requirement. Where some element of a framework has not been used, it makes sense to record a justification. There is no right or wrong justification; as long as it adequately represents the realities of the organisation, it should work.
Dane Meah, co-CEO and co-founder, InfoTrust
Dane has 12 years’ experience working with some of Australia’s largest brands to protect their environments from cyber-attack. He co-founded InfoTrust in 2014 as a specialist cybersecurity practice that quickly established a niche in helping organisations become more optimally protected against CryptoLocker and other forms of ransomware.