Left, Right, or Straight?
In the last few months, my oldest son gained his driver’s license, and, like any parent, it is exciting and scary to see your child behind the wheel of the family car. He has taken on this new freedom with eagerness and independence, wanting to make all the right decisions. There is so much to consider; car mechanics, the rules of the road, other drivers and their driving habits, directions, and most importantly, safety.
My role in this is two-part: Coach him to go far but guide him to stay between the lines.
This past weekend, I found myself in a teaching moment when we were traveling to his swim practice. At a stoplight, he got held up, for what seemed like too long, processing which direction to go towards the pool. I sensed his indecision and explained that any choice would get him to his goal, but only one was the path of least resistance. And further clarified, that in this particular situation, safety should be considered as the key to making the right decision, as he was holding up traffic.
He hadn’t considered that; he was more focused on how to get there faster.
It dawned on me; safety is an important aspect to explore when moving towards all of our goals. Still, we can often get caught up in analyzing the roadmap and which road to take, much like in the security space with the many security controls and frameworks available.
Now, security controls and frameworks will not cause safety issues in a traffic decision situation but choosing the right framework can provide a map to assist your organization in reaching its goals. Yes, you can go Left, Right, or Straight with your decision, but consulting an expert with that decision can help you get there more directly and safely.
Security Frameworks such as NIST CSF, CIS/SANS Top 20 Critical Security Controls, ISO 27001/2 or security compliance standards like PCI DSS and HIPAA have separated themselves as the best practice frameworks for organizations to assess their current IT security maturity.
These security frameworks and compliance standards guide companies to set goals to improve the procedures that they use to protect sensitive data, perform change management, and provide access to critical assets. And, what about Threat Assessments and the impacts on those security frameworks?
If you’re not sure about which security compliance framework applies to your organization, keep in mind that all of them are designed for different purposes, industries, or geographies – some examples are:
- The NIST Cybersecurity Framework (CSF) provides a framework for assessing and demonstrating maturity over the broad spectrum of security controls for any industry.
- The NIST Special Publication 800-53, Revision 5 proposes a catalog of 20 different privacy and security control groups to help U.S. federal agencies, states, and organizations better manage their risk and demonstrate compliance.
- The CIS 20 Critical Security Controls are independent of industry type and geography and provide a priority-based and a rather technical approach for immediate, high-impact results. The CSC offers a standard set of controls rather than a security program and management framework.
- The ISO 27001/2 standard is a less technical, more risk management-based approach that provides best practice recommendations for companies of all types and sizes in six defined phases. ISO is internationally recognized and provides a certification that can be used to demonstrate security maturity to auditors and clients.
- The HIPAA Security Rule compliance standard is a framework required for healthcare organizations and other companies handling health information. The rule is based on a Security Risk Management framework allowing flexibility to determine appropriate security controls based on Risk Assessment.
- The PCI DSS security compliance standard outlines 12 best-practice data security regulations for organizations that process, transmit, and store or impact the security payment card details.
No matter what direction you head (Left, Right, or Straight), a security compliance framework for your organization and a dedicated compliance program within your organization can help manage its risks, improve your security maturity posture, and demonstrate commitment to third parties.
Irrespective of which direction you choose, you may want to have an experienced driver in the passenger seat beside you, and yes, we made it to the pool on time and safely.
If you are facing challenges in determining the right security measures for your organization and would like more information on our security services, please fill in the form below.
If you enjoyed this article, here is another suggested read to help you on your security journey.