When confronted with the daunting task of developing a cybersecurity strategy, many people don’t know where to start. The quick answer is to make a list of the tasks required to accomplish the project, organize them by functional categories and determine what resources need to be brought together to accomplish the tasks on the list.

This might seem like an unsophisticated method to handle complicated issues, but cataloging is the underlying concept behind any framework. A cybersecurity framework provides a logical structure for the creation of strategy, lays out a sequence of activities required to implement the plan and provides meaningful target measures against which the strategy and key efforts are assessed.


Moving to Risk Management

There is no greater challenge than securing your computing infrastructure. The complexities of the threat landscape and swiftly evolving technologies make it difficult to provide infrastructure security on an ad hoc basis. Historically, many organizations have failed to develop their security strategically, instead deploying solutions that meet narrow requirements — such as regulatory compliance or the hot technology of the week — without considering how they fit within a wider, more comprehensive security strategy.

This is beginning to change. Security leaders are starting to build their lists by using security frameworks to manage and assess their cybersecurity risks, and adoption of these frameworks is on the rise.

A Strategic Security Tool

Frameworks are becoming the strategic tools of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives. They provide assessment mechanisms that enable organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a cybersecurity strategy for improving and maintaining security programs. Frameworks help you understand the maturity of your security activities and can adapt over time to meet the maturity level of the threats you face and the security capabilities you employ.

NIST Cybersecurity Framework

There are various security frameworks that address different types of needs, but one of the most popular is the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework (NIST CSF). This document was initially released in 2014 and is in the process of being updated.

The NIST CSF provides policy guidance to encourage organizations to develop a process-focused approach to digital security. It aims to provide direction on how to assess and improve an organization’s ability to prevent, detect and respond to cyberattacks.

The NIST CSF is organized around five core functions: Identify, Protect, Detect, Respond and Recover. Those functions are subdivided into 22 categories. The framework offers suggestions for building your list of things to do and for establishing a baseline against which you can measure the maturity of your control mechanisms. However, it doesn’t specifically tell you how to achieve these goals within individual security controls. With this guidance, you can make risk-based decisions about security investments to reduce actual cyber risks.

Deploying the Right Technology for Your Cybersecurity Strategy

Security is normally measured by the quantity of security tools deployed, not by how well those tools mitigate specific risks to a business. Technology alone is no guarantee of threat protection. By assessing threat mitigation capabilities against a business-oriented security framework, security teams can adjust resources to create a smart architecture that allows them to deploy the right tool for the right job.

Aligning security solutions with an overarching cybersecurity strategy moves organizations up to higher levels of maturity. Determining the mix of products and services that mitigate the greatest level of risk is difficult.

There is no one-size-fits-all solution for cybersecurity strategy. However, through the use of security frameworks such as the NIST CSF, organizations can shift from reactive efforts to a proactive approach to risk management. The framework provides the cybersecurity process, but security products and services are still required to minimize risk. The best route is to employ solutions that specifically address your needs within your stated framework.
