SecurityWeek

Management & Strategy

The Need for Security Frameworks

One of the things I have observed to be missing most in the security field is structure. Security leaders struggle to replicate successes from one enterprise to another largely because they start from scratch at every new turn. At the same time, anecdotal evidence from client engagements shows that a rigid structure won't fit all use cases, which is true: each enterprise has its own quirks and nuances that make it just different enough to buck the pattern.

Somewhere between reinventing security at every turn and imposing a rigid structure lies the goal of building repeatable patterns that are flexible enough to adapt to the unique and changing environments of different enterprises, market verticals, sizes and conditions. This, I believe, is the role frameworks play. A framework, by definition, is a structure with just enough rigidity to force consistency of vision while allowing for unique adaptations within that vision.

Take software security, for instance. A structured framework will address operational maturity, strategy and structure, walking the delicate line of making guidance prescriptive without enforcing uniformity of implementation. Basically, a framework addresses the what and the why of an organization's activities but leaves the who and the how to the individual use case. As an example, you should conduct peer review of code at a particular level of maturity because it reduces mistakes and costly security and functional errors. The framework defines this and ensures it is applied consistently across all enterprises adopting the framework. Identifying who should do it, what tools they should use, and how the activity will flow needs to be tailored to the specific company. In very large companies it would function one way, while in small companies it would operate very differently. In the end, all organizations that develop software should perform this activity; who does it and how depends on the organization's individual needs and condition.

This logic applies across all critical security functions. Once a set of guidelines is identified by an industry-neutral body across the various maturity levels of organizations of all sizes and industries, we can discern the commonalities (let's call these leading practices). These become the pieces of the framework. We then leave the details of implementation to tailored, use-case-driven functional plans that make the framework real.

I've spent a lot of time thinking about this lately. Taking the reins of a group dedicated to this function, building out frameworks for various critical security program functions, has made it evident that enterprise security leaders are starving for this type of asset. If we give them the broad framework within which to build, they can effectively push to make progress on security challenges. Otherwise every leader is left to their own devices to build what they think will fit where they are employed. While this may work out, it's extremely slow and inefficient. I believe frameworks are the way to build defensible, operationally sound, and effective security programs that balance business agility with safety.

If you run a world-class security program, or have world-class components of one, and you'd like to contribute to the greater good, I invite you to get in touch and provide some material support. I'm sure the community is just like me, looking for lessons learned, operational tips and strategic guidance from which your peers can learn to make our ever-more connected world safer.
