Security frameworks consist of components that guide an organization in improving its IT security posture by introducing adequate security controls and progressive policies and procedures. Most security standards provide easy-to-follow guidelines for selecting appropriate controls to protect corporate assets, and the accompanying standard documents discuss industry best practices for those measures. However, before implementing any of the measures described in a standard, information security personnel should map the organization's current security posture and have a clear understanding of the gap between that posture and the target state. Security advisors and engineers should avoid selecting controls at random, because randomly selected measures increase monitoring complexity and provide a false sense of protection against cyberthreats.
Security countermeasures exist to prevent cyberattacks. Implementing security standards, controls, or countermeasures must not become a tick-box exercise undertaken only for the sake of getting certified. If we look at the history of standards and cyberattacks, almost all the organizations that experienced a cyberattack had adopted at least one security framework, and some had adopted several.
Securing an organization does not mean, "I am certified, therefore I am protected." On numerous occasions, we have observed:
tick-box auditing;
direction to implement only the most critical controls;
transfer of the risk to another department;
security countermeasures placed only inside the gateway; and
all the countermeasures in place but deployed in a drop-ship fashion: present, yet not configured and not monitored.
It is also striking that significant data breaches have occurred in organizations that had multiple frameworks in place to guard against cyberthreats. The primary goal of implementing a framework is to reduce the risk of exposure to those threats. Without mapping each framework's controls to the organization's actual assets, business activities, and users, it is difficult to confirm that the framework or standard is doing its intended job of protecting them from attack.
We have seen frameworks layered one on top of another while the organization's security posture remained weak. Adversaries do not care how many frameworks an organization has adopted when they attack.