Popular frameworks deliver real value to organizations seeking to improve their risk management posture, but tailoring key elements to your company's maturity, culture, strategic priorities and threats is what makes a framework fit.
The most effective way to develop and deploy a cybersecurity framework is to start with a foundational framework and then customize or add components so that it aligns with your organization.
This piece details how to customize a foundational risk framework so that it aligns closely with your organization's priorities.
Developing a risk management framework for your organization is essential for equipping leadership with the information it needs to strike a healthy balance between risk management and innovation. Most organizations start by choosing a foundational framework, such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001 or the CIS Critical Security Controls, that suits the organization both as it is today and where it plans to be.
For example, technology has become a critical part of how businesses operate and deliver value to their customers. For technology-centric organizations, the NIST CSF, with its outcome-based approach, is often a good starting point. ISO/IEC 27001, on the other hand, is globally recognized and commonly adopted by organizations that handle sensitive information. Certification against it is often required of vendors by their customers, and it can be a good foundation for data-centric organizations.
Beyond these basic criteria, however, you should take additional steps to ensure the framework you choose is best suited to your organization's needs.
As you begin to develop your framework, consider a few key facts about your company and how they shape both which framework is chosen and how it is used.
First, become familiar with the company’s vision and mission statements. These are important because they provide insight into what the company aspires to accomplish (vision) and how it plans to work to get there (mission). Understanding what the
company aspires to be and plans to do is critical because it will influence the activities of key leaders and their teams. It will also help refine your framework so that it positions leadership to shape well-constructed strategic plans.
For example, Amazon's mission statement is, "To serve consumers through online and physical stores and focus on selection, price and convenience." As such, Amazon's leaders would benefit from a strong third-party risk management program, structured approaches to pricing and a mature privacy program, in addition to being tuned in to customer sentiment.
The second step is to create an inventory of your company’s strengths, weaknesses, opportunities and threats (SWOT) to help identify other core areas to focus on.
The SWOT analysis should be performed for key business areas commonly mapped out as front office, back office, technology, compliance, finance and people functions. The results of the exercise often highlight opportunities for focus in the risk framework,
including fraud, customer sentiment, product development challenges and noncompliance with rapidly evolving regulations related to privacy or money movement.
Next, assess your organization’s level of maturity as it relates to information security. You can do this by interviewing your CISO and information security domain leaders and reviewing incident history trends over the past three years. Partner
with the head of your security operations function and review the most recurring incidents and their root causes. For example, supply chain attacks are on the rise, so it’s a good idea to speak with the leader of your third-party risk management function to determine how well vendors are managed.
Based on your findings, supplement the larger framework you select with best practices that focus on these areas. For example, if you find your organization carries high third-party risk, complement your framework with NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
Lastly, be mindful of your company’s culture. How are decisions made? How has the business’s relationship with information security evolved? Assess whether your organization tends to operate in environments that are more structured or flexible.
Cybersecurity risk management frameworks tend to be similar in what they seek to accomplish, but their methodologies vary. The NIST CSF is known for its flexibility, the CIS Controls take a much more prescriptive approach, and ISO/IEC 27001 offers a globally recognized certification and is a good option for more mature organizations.
Being intentional about the risk framework you choose for your organization is wise. And the key areas outlined above are critical in deciding the approach you’ll take. Remember to:
December 6, 2022
By IANS Research