Security frameworks such as the NIST Cybersecurity Framework, Center for Internet Security (CIS) Critical Security Controls or PCI DSS exist to help security professionals identify and implement controls. The frameworks also provide “check the box” tracking for elements an organization should consider in building its security program.
While the frameworks include discrete components, all lack two critical elements:
- Customization based on specific client goals, existing technology and services, and industry needs
- Continuous improvement of a security program over time; interpretation and implementation of a framework are typically a “from scratch” effort that is largely “do it yourself” (DIY)
The ideal framework allows setup based on your industry, technology, infrastructure, staff, expertise and other variables. Your expectations, requirements, threat landscape, risk profile and security maturity goals all shape security outcomes. You should also be able to emphasize or de-emphasize particular framework elements depending on your organization’s current state, goals and industry.
Read on to learn about the eight steps of a Security in Action Framework, and the best approach to working with an MSSP.