“Which security framework should we use for our cybersecurity program?” is one of the most common questions I get about cybersecurity. There are several well-established frameworks, and it can be confusing and frustrating to work out which one best fits an organization or a particular situation. Interestingly, my answer usually surprises the person asking, and it may surprise you too. In many cases, the answer is: it doesn’t matter. Just pick one and get started!
Here’s what I mean by that response: As I write this, there are no fewer than five well-established cybersecurity frameworks that lay out an approach to cybersecurity, among them ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), and the HITRUST CSF. They are, in essence, separate paths to the same destination: applied properly, any one of them will let an organization secure its assets and manage its cybersecurity risks effectively. I compare this to different translations of the Bible: the wording differs slightly, but they convey the same information, and following the teachings produces the same outcome. So my advice to cybersecurity leaders is not to get bogged down in over-analysis searching for the perfect framework for your organization. The one situation where the choice is made for you is when a regulator, customer, or contract mandates a specific framework; in that case, use that one. Otherwise, done effectively, any of them will lead you to the same outcome.