Adopting a cyber security framework provides clear benefits that increase over time; but for most organizations, framework adoption requires overcoming a range of both technical and organizational impediments. Automated foundational controls are currently not being widely implemented.
According to a new survey from Dimensional Research sponsored by Tenable Network Security and the Center for Internet Security (CIS), 95% of organizations have faced issues in implementing their chosen framework. The most common organizational impediments are a lack of trained staff (57%) and a lack of budget (39%); but almost a quarter (23%) also struggled with a lack of management support.
The most common technology issues are a lack of tools to automate controls (40%) and lack of tools to audit the effectiveness of controls (37%); but poor integration between the tools (35%) and a lack of adequate reporting from them (23%) also figure highly. Only 5% of companies reported no impediments.
It is important that such problems are overcome. "Cybersecurity frameworks are a good way for IT security professionals to create a solid baseline for measuring security effectiveness and to meet compliance requirements, but it can be a challenge to do this without the tools, talent and support from executive leadership," comments Cris Thomas, strategist at Tenable Network Security. "Having the proper tools and intuitive reporting features in place not only improves overall cybersecurity, but also can help organizations eliminate some of the staffing and budget problems by automating the implementation and integration of their security frameworks."
In the fall of 2016, more than 300 security professionals at companies with more than 100 employees took part in a Dimensional Research survey. This represents a wide range of job levels, company sizes, and industry verticals. Geographical dispersion is not quantified.
The results show that most organizations are at some stage of security framework adoption (80%), but that for most organizations the process commenced within the last year (56%). The most popular frameworks being adopted are PCI-DSS (40%), ISO 27001/2 (38%), CIS (22%), NIST 800-53 or 800-171 (19%), and NIST for critical infrastructure (18%). While it is clear from these figures that many organizations will be adopting more than one framework -- or at least aspects of different frameworks -- the figures do not show popular combinations.
The primary motivation for adopting a framework is, for most organizations, simple security best practice (69%). Fifty-one percent are doing so to aid compliance with multiple regulatory requirements, and 35% because it is required for a business contract.
Ninety-five percent of organizations reported benefits from adopting a framework. Noticeably, the most common of these was business-centric: compliance with contractual obligations (47%). Slightly fewer (43%) reported measurable security improvements, such as fewer security incidents (43%) and improved maturity in security operations (43%). Other benefits included discounts for cyber insurance and cost savings such as fewer help desk calls.
Many of these benefits take time. For example, the measurable security improvements were reported by 51% of organizations who started implementing a framework more than a year ago, but by only 33% of companies who did so less than a year ago.
The survey also specifically examined implementation of foundational security controls, which are common to almost all frameworks. Foundational Cyber Hygiene controls, explains CIS, are "the basic things you must do to create a strong foundation for your defense. This is the approach taken, for example, by the DHS Continuous Diagnostic and Mitigation (CDM) Program, one of the partners in the CIS Critical Security Controls. A similar approach is recommended by our partners in the Australian Signals Directorate (ASD) with their 'Top Four Strategies to Mitigate Targeted Intrusions'."
The results of the survey show that while most organizations do in fact implement foundational controls, there is a strong reliance on manual and policy controls, with relatively limited adoption of automated controls. "Automated controls are ideal, but they are still not the norm," notes Tenable. "Across the 15 subcontrols studied, only low levels of automation were seen. The typical company (the 50th percentile) has automated only 6 of these 15 subcontrols. Even at the top companies (the 80th percentile) only 11 of these 15 controls have been automated."
"A resilient cybersecurity program starts with a strong foundation of actions found in every cybersecurity framework, like having control of hardware and software assets, continuous assessment of vulnerabilities, and control of administrative privileges," explains Tony Sager, SVP and chief evangelist at CIS. "Based on this survey, we know security pros are working hard to put these controls in place, but they are still struggling to get resources and management support to move beyond human-intensive controls and paper policies. We need to accelerate moving toward automation of these controls as organizations continue to adopt industry frameworks."