Connect with us

Hi, what are you looking for?


Cyber Insurance

Organizations Challenged with Cybersecurity Framework Implementation

Adopting a cyber security framework provides clear benefits that increase over time; but for most organizations, framework adoption requires overcoming a range of both technical and organizational impediments. Automated foundational controls are currently not being widely implemented.

Adopting a cyber security framework provides clear benefits that increase over time; but for most organizations, framework adoption requires overcoming a range of both technical and organizational impediments. Automated foundational controls are currently not being widely implemented.

According to a new survey from Dimensional Research sponsored by Tenable Network Security and the Center for Internet Security (CIS), 95% of organizations have faced issues in implementing their chosen framework. The most common organizational impediments are a lack of trained staff (57%) and a lack of budget (39%); but almost a quarter (23%) also struggled with a lack of management support.

The most common technology issues are a lack of tools to automate controls (40%) and lack of tools to audit the effectiveness of controls (37%); but poor integration between the tools (35%) and a lack of adequate reporting from them (23%) also figure highly. Only 5% of companies reported no impediments.

It is important that such problems are overcome. “Cybersecurity frameworks are a good way for IT security professionals to create a solid baseline for measuring security effectiveness and to meet compliance requirements, but it can be a challenge to do this without the tools, talent and support from executive leadership,” comments Cris Thomas, strategist at Tenable Network Security. “Having the proper tools and intuitive reporting features in place not only improves overall cybersecurity, but also can help organizations eliminate some of the staffing and budget problems by automating the implementation and integration of their security frameworks.”

In the fall of 2016, more than 300 security professionals at companies with more than 100 employees took part in a Dimensional Research survey. This represents a wide range of job levels, company sizes, and industry verticals. Geographical dispersion is not quantified.

The results show that most organizations are at some stage of security framework adoption (80%), but that for most organizations the process commenced within the last year (56%). The most popular frameworks being adopted are PCI-DSS (40%), ISO 27001/2 (38%), CIS (22%), NIST 800-53 or 800-171 (19%), and NIST for critical infrastructure (18%).  While it is clear from these figures that many organizations will be adopting more than one framework — or at least aspects of different frameworks — the figures do not show popular combinations.

The primary motivation for adopting a framework is, for most organizations, simple security best practice (69%). Fifty-one percent are doing so to aid compliance with multiple regulatory requirements, and 35% because it is required for a business contract.

Advertisement. Scroll to continue reading.

Ninety-five percent of organizations reported benefits from adopting a framework. Noticeably, the most common of these was business-centric: compliance with contractual obligations (47%). Slightly fewer (43%) reported measurable security improvements such as fewer security incidents (43%) and improved maturity in security operations (43%). Other benefits included discounts for cyber insurance and cost savings such as fewer help desk calls.

Many of these benefits take time. For example, the measurable security improvements were reported by 51% of organizations who started implementing a framework more than a year ago, but by only 33% of companies who did so less than a year ago.

The survey also specifically examined implementation of foundational security controls, which are common to almost all frameworks. Foundational Cyber Hygiene controls, explains CIS (PDF), are “the basic things you must do to create a strong foundation for your defense. This is the approach taken, for example, by the DHS Continuous Diagnostic and Mitigation (CDM) Program, one of the partners in the CIS Critical Security Controls. A similar approach is recommended by our partners in the Australian Signals Directorate (ASD) with their ‘Top Four Strategies to Mitigate Targeted Intrusions’.”

The results of the survey show that while most organizations do in fact implement foundational controls, there is a strong reliance on manual and policy controls; with relatively limited adoption of automated controls. “Automated controls are ideal, but they are still not the norm,” notes Tenable. “Across the 15 subcontrols studied, only low levels of automation were seen. The typical company (the 50th percentile), has automated only 6 of these 15 subcontrols. Even at the top companies (the 80th percentile) only 11 of these 15 controls have been automated.”

“A resilient cybersecurity program starts with a strong foundation of actions found in every cybersecurity framework, like having control of hardware and software assets, continuous assessment of vulnerabilities, and control of administrative privileges,” explains Tony Sager, SVP and chief evangelist at CIS. “Based on this survey, we know security pros are working hard to put these controls in place, but they are still struggling to get resources and management support to move beyond human-intensive controls and paper policies. We need to accelerate moving toward automation of these controls as organizations continue to adopt industry frameworks.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem