“Which security framework should we use for our cybersecurity program?” is one of the most common questions I get when it comes to cybersecurity. After all, there are several of them out there, and it can be confusing and frustrating to decipher which framework would be the best for an organization or a certain situation. Interestingly, in most cases, my answer to that question comes as a surprise to the inquirer, and you may have a similar reaction. The answer, in many cases, is: It doesn’t matter—just pick one and get started!

Here’s what I mean by that response: As I write this, there are no fewer than five well-established cybersecurity frameworks, among them ISO 27001, the NIST CSF, and the HITRUST CSF, each of which outlines an approach to cybersecurity. They are, in effect, separate paths to the same destination: used properly, any one of them will allow an organization to secure its assets and manage its cybersecurity risks. I compare this to different translations of the Bible: they may differ slightly in wording, but they convey the same information, and if you follow the Bible’s teachings, they lead to the same outcome. So, my advice to cybersecurity leaders is not to get bogged down in over-analysis trying to determine the perfect cybersecurity framework for your organization. When applied effectively, they will all lead you to the same outcome.

Don’t Get Stuck in Framework Analysis Paralysis

Analysis paralysis is the state of over-analyzing (or overthinking) a situation to the point that a decision is never made or an action never taken, in effect paralyzing the outcome. A person experiencing analysis paralysis gets so lost in analyzing and evaluating the data needed to make a decision that they become unable to act.

If you’ve ever struggled to decide which security framework to use for guiding and evaluating your information security program, you know what it’s like to experience this phenomenon. There are so many frameworks available that it’s easy to get caught up in trying to decide between the NIST CSF, NIST SP 800-53, ISO 27001, the HITRUST CSF, COBIT, and other options.

Don’t get caught up in the process of choosing. Ultimately, if you pick one and take the time to manage your program against that framework, it will get you where you want to go: making well-informed decisions about security risks.

A Few Things to Consider If You’re Stuck

That being said, here are some helpful tips to remember when choosing a security framework:

  1. Find a cybersecurity framework that aligns with your business. As I’ve mentioned before, your approach to cybersecurity should be built around your business objectives. When selecting your framework, consider your company’s industry, its primary customers and business partners, and the jurisdictions in which your company operates. For example, if your company does a lot of work with government entities, they are likely going to want to see you using a NIST framework such as the NIST CSF or NIST SP 800-53. An organization in the healthcare industry may find that its clients and business partners look favorably upon the HITRUST CSF, which was designed specifically for the healthcare industry. A company with international operations may find that ISO 27001 is the best option, since it is an internationally recognized standard against which an organization can be formally certified. Understanding your organization’s business will help you choose a cybersecurity framework that is well suited to the company’s constituents.
  2. You can always leverage a mapping to tie your baseline framework to others when needed. Since all the frameworks facilitate the same outcome, any one of them can be used to get started. If you later determine that you need to refocus on another framework, there are free mappings available that show how the cybersecurity frameworks relate to each other; the NIST CSF, for example, publishes informative references that tie each of its subcategories to controls in ISO 27001, NIST SP 800-53, and COBIT. One caveat: a mapping is a guide, not a proof of equivalence. A mapped control may satisfy only part of the corresponding requirement in the other framework, so review each mapped control for the gap rather than assuming a one-to-one match. Even so, there is no reason to delay getting started. It will be relatively easy to switch, combine, or restate your cybersecurity program in accordance with a different framework in the future, if necessary.

A cybersecurity framework provides an effective and valuable way to design, develop, operate, manage, and monitor a cybersecurity program. Using a framework helps ensure that key areas are not forgotten, overlooked, or inadvertently de-prioritized, and it helps demonstrate to an auditor, regulator, customer, or stakeholder that the organization is managing its cybersecurity risks in accordance with generally accepted and leading practices. Because so many frameworks are available, cybersecurity leaders can easily fall into the trap of getting bogged down in the details or overwhelmed by their choices. Successful cybersecurity leaders ignore the noise, focus on one framework, and get to work.

As leaders in the information security industry, and with specialized experts and certifications in each of the various cybersecurity frameworks, our team at LBMC Information Security is here to help. If you’re still struggling to determine which cybersecurity framework is most suited for your organization, feel free to contact us today. You can also explore our Security Consulting services to learn more about the various ways we can help you with your overall information security solutions.

This blog is the tenth in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.