Management & Strategy

The Need for Security Frameworks

One of the things I have observed that is missing the most in the security field is structure. Security leaders struggle to replicate successes from one enterprise to another, largely because they are starting from scratch at every new turn. However, anecdotal evidence from client engagements shows that a rigid structure won’t fit all use cases, which is absolutely true, as each enterprise has its own quirks and nuances that make it just different enough to buck the pattern.

Somewhere between reinventing the word security at every turn and rigid structure lies the desire to build repeatable patterns that are flexible enough to adapt to the unique and changing environments of different enterprises, market verticals, sizes and conditions. This is the role I believe frameworks play. A framework, by definition, is a structure that has just enough rigidity to force consistency of vision but allows for unique adaptations within that vision.

Take software security, for instance. A structured framework will address operational maturity, strategy and structure, walking the delicate balance of making guidance prescriptive without enforcing uniformity of implementation. Basically, a framework addresses the what and why of what an organization should be doing but leaves the who and how to the individual use case. As an example, you should conduct peer review of code at a particular level of maturity because it will reduce mistakes and costly security and functional errors. The framework defines this and ensures that it is applied consistently across all enterprises adopting the framework. Identifying who should do this, what tools they should use, and how the execution of the activity will flow needs to be tailored to the specific company use case. In very large companies it would function in one way, while in small companies it would operate vastly differently. In the end, all organizations that develop software should do this activity. However, who should do it and how depends on the organization’s individual needs and condition.

This logic applies across all critical security functions. Once a set of guidelines is identified by an industry-neutral body across various maturity levels of organizations of all sizes and industries, we can discern the commonalities (let’s call these leading practices). These become the pieces of the framework. We then leave the details of the implementation to tailored, use-case-driven functional plans that make the framework real.

I’ve spent a lot of time thinking about this lately. Taking the reins of a group dedicated to this function – building out frameworks for various critical security program functions – has made it evident that enterprise security leaders are starving for this type of asset. If we give them the broad framework within which to build, they can effectively push to make progress on security challenges. Otherwise, every leader is left to their own devices to build what they think will fit where they are employed. While this may work out, it’s extremely slow and inefficient. I believe frameworks are the way to go in order to build defensible, operationally sound, and effective security programs that balance business agility with safety.

If you run a world-class security program, or have world-class components of a security program and you’d like to contribute to the greater good – I invite you to get in touch and provide some material support. I’m sure the community is just like me and looking for lessons learned, operational tips and strategic guidance from which your peers can learn to make our ever-more connected world safer.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.