A cybersecurity framework provides a set of standard requirements that IT and security leaders can align their programs with, giving them a consistent way to establish, operate, and measure security risk. Cybersecurity frameworks are organized around country, regional, and industry-specific perspectives so that a common language exists for the practices expected of organizations with differing data and risk profiles. Typically, smaller organizations align to a single framework, whereas larger, more complex organizations align to multiple frameworks to cover their products, data, and geographies.
The graphic below outlines the spectrum of typical cybersecurity frameworks and the coverage of the control requirements.
For more information on these frameworks:
The growing market for technology that supports security programs is creating a more complex situation for many of our clients to navigate. Part of this is due to the many use cases the marketplace is addressing and the specific use cases that individual vendors support. We recommend that buyers consider the maturity of their programs and the following list of questions in order to narrow the search:
What is the organization’s motivation for GRC technology?
Determining what or who is driving the need for GRC technology, and why, helps clarify and narrow the marketplace of options. Typically, there are a few primary reasons:
How are you going to support the GRC Platform?
A GRC platform should integrate with your organization's technology, processes, and people. Defining up front how you expect to support the technology (administration, integrations, and content upkeep) will inform both the selection and the ongoing operation.
Where are you now with program maturity and what is your target?
Program maturity is a primary consideration in selecting GRC and security program management tools. Depending on the complexity and maturity of the organization's security program, the requirements will point toward different vendors in the market. The following maturity descriptions can be used to narrow the best vendors for your needs:
Initial
Programs that are early in their development and operation, have simple compliance requirements, and have limited support resources.
For programs in the "Initial" state of maturity, the following options should be considered: OneTrust, MyCISO, Drata, Logicgate
Established
Programs that are designed and aligned to business needs and have some documented, repeatable processes, but limited support resources.
For programs that are "Established" and looking to advance, the following options are suitable: OneTrust, Drata, Vanta, Riskonnect, Fusion, CyberSaint, ZenGRC
Mature
Programs that have documented and repeatable processes, an adequate level of support resources, and defined business alignment demonstrated over a few annual cycles of improvement. Mature programs will typically have the following objectives:
For "Mature" programs, the following vendors are worth consideration: RSA Archer, MetricStream, ServiceNow GRC, SAI Global
Most tools in this space are priced by user count and the number of control frameworks required. Larger platforms also charge per module so that the solution can scale with the customer's needs.
Socium Security can provide advisory services to establish the security program foundation and to assist with GRC evaluation and selection projects. Socium can also provide support services to manage the ongoing operation of the GRC platform.
The NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) was established as a result of a 2013 executive order by former President Obama (Executive Order 13636) to improve critical infrastructure cybersecurity through partnership and collaboration. Adoption of the framework is voluntary, but because of its flexibility and common language it is often used as a basis to assess cybersecurity program maturity, identify practice gaps, and build mitigation roadmaps. The NIST CSF is currently at version 1.1, released in April 2018.
The NIST CSF v1.1 is composed of 5 core Functions: Identify, Protect, Detect, Respond, and Recover.
Under the 5 Functions are 23 Categories and 108 Subcategories (the individual outcome statements against which control activities are mapped).
Version 2.0 of the NIST CSF is currently being drafted based on industry feedback; progress can be tracked on the NIST.gov site.
Who does it apply to?
The NIST CSF is applicable to almost any cybersecurity program and is commonly used as a reference framework within the US and the rest of North America. It is often used to assess program maturity and to provide a basis for reporting to internal and external stakeholders on the overall security posture.
How can Socium Security help?
Socium Security can provide companies of all sizes an independent program maturity assessment based on the NIST CSF using a standard methodology. This service is typically paired with a Security Architecture Assessment that includes an assessment, a report, and risk-based recommendations covering the IT architecture, data processing, and the security controls in place. Together, these give management and technical stakeholders a complete picture of the current-state security posture.
If your cybersecurity practices are operating at a measurable level of maturity, consider testing the program's capabilities with a crisis management exercise or a penetration test by Socium Security.