Q: We are trying to find a good security framework to manage our security program. Any thoughts?
A: Frameworks are standards that are used for reference or comparison to your current status and often serve as the stepping-off point for emulation and adoption. One way to develop your own specific methodology is to adapt or adopt an existing security management model or set of practices.
Using frameworks has some benefits such as being a source of good ideas. Frameworks may also provide some assurance to your higher management that you are in step with others in the mainstream as well as a means of assuring your reputation if something later goes wrong.
However, there are some risks involved with choosing to use a framework. The one you have chosen may not be a good fit to your organization and its needs. Also, there is no assurance of risk reduction from adopting a framework; and you might allow the framework to distract you from making real improvements.
As great as leveraging a framework sounds, it often does not work out.
The reason is context. Every organization operates within several contexts, each of them adding complexity and considerations about what it takes to be secure. If there were a framework that was created for your specific industry, designed specifically for a firm of exactly your size, and tailored to the jurisdictions where your company is located, it still would not be able to adjust for the specific needs of your stakeholders, the talents and skill level of your staff, and all of the many other factors that make your organization unique.
Security management programs are finely tuned to the context and circumstances of each organization. Frameworks, even when designed with a flexible mindset and implemented by experienced staff, will require adjustments for every instance in which it is used. For example, a number of published InfoSec models and frameworks exist, including several options from government organizations like NIST documents as well as international standards organizations like the ISO 27000 series. Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another.
My advice is that unless you are legally mandated, don't pursue a certification to any framework unless it serves your organization’s known security objectives. Don't be distracted from pursuing your own strategic, process-driven, metrics-based program that seeks ongoing continuous improvement.
Answer provided by Herbert J. Mattord, Security Executive Council Subject Matter Expert faculty member.