Security frameworks continue to see adoption, with the CIS Critical Security Controls for Effective Cyber Defense (CIS Controls) ranked as a leading framework in use, along with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
An adoption survey from Dimensional Research concluded that 84% of respondents used some type of security framework, and most organizations surveyed used more than one.
“The…survey shows strong adoption of both the NIST Cybersecurity Framework [CSF] and the CIS Controls, and notes that this is not an ‘either-or’ situation. The CIS Controls complement the overarching NIST CSF with a specific action plan to focus on the most effective technical controls that stop cyber attacks,” said CIS SVP Tony Sager. “By aligning the CIS Controls with the NIST CSF, we provide an ‘on-ramp’ to rapid security improvements for enterprises in a way that can be sustained, explained, and made part of the larger corporate risk management process.”
The NIST Cybersecurity Framework began life in February 2013, when President Obama issued an executive order calling for the development of a voluntary, risk-based cybersecurity framework—a set of existing standards, guidelines and practices to help those organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack.
“It has documented a set of control objectives which can be read as a definition of cybersecurity—a term which has always been somewhat vague,” said Gregory Nowak, principal research analyst at the Information Security Forum. “It has created a common language for cybersecurity, where there previously was none. Secondly, it has started a national conversation about cybersecurity and the control measures necessary to improve it.”
The CIS Controls, meanwhile, are a concise, prioritized set of practices that outline what every organization should do as its first steps in cybersecurity. They have been proven to mitigate 85% of the most common vulnerabilities.
One of the benefits of the CIS Controls is that they are developed by experts based on their first-hand experience in the security field and are derived from actual threat data from a variety of public and private sources. In addition to being prioritized and relevant, the CIS Controls are updated regularly to stay in step with cybersecurity’s ever-changing threat environment. The current version of the CIS Controls, which are aligned to NIST guidance, has been downloaded 32,838 times since October 2015.
Both the CIS Controls and the NIST CSF were considered best practices in the survey. CIS has been a longstanding supporter of the NIST CSF, attending the initial public workshops and providing input to the public comment process.